谁阻止了我的 Docker 默认网络?

tag-icon tag-icon networking firewall docker cloud azure
谁阻止了我的 Docker 默认网络?

docker对于一个简单的命令来说,情况是:

docker run -d -p 3128:3128 my_squid_container

它在我的家里运行良好。然而,当在 Azure Ubuntu 服务器中使用相同的 Docker 容器时,我得到:

$ curl --proxy http://localhost:3128 http://google.com
curl: (56) Recv failure: Connection reset by peer

经过一番努力的故障排除后,结果发现 Docker 默认网络(Azure Ubuntu 服务器)被某种防火墙阻止了,但我无法找出/确认真正的来源。

有人怀疑联邦水务局,但我看到:

此外,我的 UFW 状态处于非活动状态:

$ sudo ufw status
Status: inactive

那么 UFW 是否真的阻止了我的 Docker 网络连接?

为了自己回答这个问题,我查了一下我如何知道我的防火墙是否打开了?,以下是可能有帮助的相关信息:

$ sudo ufw status
Status: inactive

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 186 packets, 67614 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   83321 462267984 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   83321 462267984 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 244 packets, 55542 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:3128

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
   83729 466271977 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
   44567 231463994 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  245275 2311152470 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


# NAT setting

$ sudo iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 60056 packets, 2443714 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   80820  3320327 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 60053 packets, 2443525 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 217217 packets, 13050882 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 217217 packets, 13050882 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       3      189 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
       0        0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:3128

Chain DOCKER (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
       0        0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3128 to:172.17.0.2:3128

我确实已经fail2ban安装并运行了 BTW,但我怀疑它是否阻碍了我的内部端口使用。

总而言之,谁阻止了我的 docker 默认网络?谢谢。

更新2:

docker 默认网络最初被阻止,但突然无缘无故地工作了,如下所述,但现在 docker 网络又被阻止了。幸好我列出了 的输出iptable,包括 NAT 设置,这样我就可以比较一下当时和现在。事实证明,对于上述两个iptable命令,它们的规则仍然相同——输出仅在数据包和字节数上有所不同。

所以UFW应该排除原因。如果确认,我会删除它的标签。

更新:(它突然无缘无故地在很短的时间内起作用了)

我不知道发生了什么,但我正要提供更多信息,这就是我得到的,一字不差,不多也不少:

$ curl --proxy http://localhost:3128 https://google.com
curl: (56) Proxy CONNECT aborted

$ curl -v --proxy http://localhost:3128 http://google.com
* Rebuilt URL to: http://google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Sat, 10 Aug 2019 18:06:51 GMT
< Expires: Mon, 09 Sep 2019 18:06:51 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< X-Cache: MISS from 5c83ae696b4c
< X-Cache-Lookup: MISS from 5c83ae696b4c:3128
< Via: 1.1 5c83ae696b4c (squid/4.8)
< Connection: keep-alive
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host localhost left intact

$ curl --proxy http://localhost:3128 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

老实说,我不知道发生了什么,你可以看到它以前不起作用,甚至是今天,它突然在我眼前起作用了。

因此,让我回顾一下我在 OP 中发布的内容(尽管没有进一步的细节),以及之前发生的事情:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:3128

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

$ curl -v --proxy http://localhost:3128 http://google.com
* Rebuilt URL to: http://google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

相关内容