docker
For a simple command, the situation is:
docker run -d -p 3128:3128 my_squid_container
It works fine at home. However, when using the same Docker container on an Azure Ubuntu server, I get:
$ curl --proxy http://localhost:3128 http://google.com
curl: (56) Recv failure: Connection reset by peer
After a good deal of troubleshooting, it turns out the Docker default network (on the Azure Ubuntu server) is being blocked by some kind of firewall, but I can't find/confirm the real source.
Some suspect UFW, but I see:
Also, my UFW status is inactive:
$ sudo ufw status
Status: inactive
So is UFW really blocking my Docker network connection?
To answer that for myself, I looked up "How do I know if my firewall is on?", and here is the related information that may help:
$ sudo ufw status
Status: inactive
$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 186 packets, 67614 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
83321 462267984 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
83321 462267984 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 244 packets, 55542 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:3128
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
83729 466271977 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
44567 231463994 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
245275 2311152470 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# NAT setting
$ sudo iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 60056 packets, 2443714 bytes)
pkts bytes target prot opt in out source destination
80820 3320327 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 60053 packets, 2443525 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 217217 packets, 13050882 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 217217 packets, 13050882 bytes)
pkts bytes target prot opt in out source destination
3 189 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:3128
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 to:172.17.0.2:3128
I do have fail2ban installed and running, BTW, but I doubt it is hindering my internal port usage.
All in all, who is blocking my docker default network? Thanks.
Update 2:
The docker default network was initially blocked, then suddenly worked for no reason, as described below, but now the docker network is blocked again. Luckily I listed the output of iptables, including the NAT setting, so I can compare then and now. It turns out that for the two iptables commands above, their rules are still the same; the outputs differ only in the packet and byte counts.
iptables -v -x -n -L: https://paste.pics/7918fba5e040d63cfb0fc28d9f233835
iptables -t nat -v -x -n -L: https://paste.pics/ada83fb1ae4e933b2511a827094ce788
So UFW should be ruled out as the cause. If confirmed, I'll remove its tag.
Update: (it suddenly worked for a short while, for no reason)
I don't know what happened, but I was about to provide more information, and this is what I got, verbatim, no more and no less:
$ curl --proxy http://localhost:3128 https://google.com
curl: (56) Proxy CONNECT aborted
$ curl -v --proxy http://localhost:3128 http://google.com
* Rebuilt URL to: http://google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Sat, 10 Aug 2019 18:06:51 GMT
< Expires: Mon, 09 Sep 2019 18:06:51 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< X-Cache: MISS from 5c83ae696b4c
< X-Cache-Lookup: MISS from 5c83ae696b4c:3128
< Via: 1.1 5c83ae696b4c (squid/4.8)
< Connection: keep-alive
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host localhost left intact
$ curl --proxy http://localhost:3128 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Honestly, I don't know what happened. You can see that it didn't work before, even earlier today, and then it suddenly started working right in front of my eyes.
So let me recap what I posted in the OP (though without further details), and what happened before:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:3128
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
$ curl -v --proxy http://localhost:3128 http://google.com
* Rebuilt URL to: http://google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
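The comparison described in Update 2 (same rules, only counters moved) can be done mechanically instead of by eye. This is an added helper, not code from the question; the two snapshots are constructed and modelled on the FORWARD/DOCKER chains listed above.

```python
"""Diff two `iptables -v -x -n -L` snapshots with the packet/byte counters masked out."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+)$")
# Constructed snapshots modelled on the question's FORWARD/DOCKER chains (not real captures).
BEFORE = """Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target        prot opt in       out      source      destination
   83321  462267984 DOCKER-USER   all  --  *        *        0.0.0.0/0   0.0.0.0/0
       0          0 DOCKER        all  --  *        docker0  0.0.0.0/0   0.0.0.0/0
Chain DOCKER (1 references)
       0          0 ACCEPT        tcp  --  !docker0 docker0  0.0.0.0/0   172.17.0.2  tcp dpt:3128
"""
# Same rules, only the DOCKER-USER counters moved (what the question observed).
AFTER = BEFORE.replace("83321  462267984", "90001  470000000")
# A genuinely different ruleset: an extra DROP in front of the ACCEPT for port 3128.
CHANGED = AFTER.replace("Chain DOCKER (1 references)\n", "Chain DOCKER (1 references)\n      12        720 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0\n")


def parse(listing):
    """Return {chain: {"policy": str | None, "rules": [(pkts, bytes, rule_text)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # the 'pkts bytes target ...' header never matches
            text = " ".join(m.group(3).split())  # collapse column padding
            chains[current]["rules"].append((int(m.group(1)), int(m.group(2)), text))
    return chains


def rules_equal(a, b):
    """True when both snapshots have the same chains, policies and rule order."""
    def strip(c):
        return {n: (d["policy"], [r[2] for r in d["rules"]]) for n, d in c.items()}
    return strip(a) == strip(b)


def counter_deltas(a, b):
    """Packet-count growth per rule between snapshots, where the rule text at that position matches."""
    out = {}
    for name, d in a.items():
        for i, (pkts, _, text) in enumerate(d["rules"]):
            later = b.get(name, {"rules": []})["rules"]
            if i < len(later) and later[i][2] == text:
                out[(name, text)] = later[i][0] - pkts
    return out
```

Feed it the two saved listings and a zero delta on the `tcp dpt:3128` ACCEPT rule tells you that traffic never reached that rule, which is more useful than staring at the raw columns.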