Forwarding between interfaces inside a Docker container


I have created a Docker container by running the following command:

docker run -it --net=none --cap-add=NET_ADMIN --name firewall ubuntu /bin/bash

After that I attached two interfaces, eth0 and eth1. I need to forward traffic from eth1 to eth0. I have installed iptables and applied the following simple rule:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

I have checked, by listening on interface eth1 with tcpdump, that the traffic does reach eth1. Unfortunately, I don't know why the traffic is not forwarded to eth0. Any ideas? All the flags on the system are correctly set to 1.

Answer 1

Below is an example iptables rule set script for what I guess you need/want. I guessed some addresses; you will have to edit them to suit your actual setup.

#!/bin/sh
FWVER=0.01
#
# Mazzy Example 2015.02.20 Ver:0.01
#     Only port 80.

# printf behaves the same under dash and bash; echo "...\n" does not
printf '%s\n\n' "Loading Mazzy Example iptables rules set. version $FWVER.."

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
INTIF="eth1"
# For example: Please replace with real IP address
EXTIP="192.168.33.134"
INTNET="10.0.2.0/24"
INTIP="10.0.2.25"
# For example: Please replace with real destination IP address
INT80="10.0.2.43"
UNIVERSE="0.0.0.0/0"

echo "   External Interface: $EXTIF   Internal Interface: $INTIF   External IP: $EXTIP  Internal Network: $INTNET   Internal IP: $INTIP"

# Only needed if not already done elsewhere
#CRITICAL:  Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# At this point local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

echo Loading FORWARD rulesets...
echo "FWD: Allow all connections OUT and only existing/related IN..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# port forward stuff. see also the prerouting area.
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -d $INT80 -m state --state NEW -j LOG --log-prefix "PFNEW80:" --log-level info
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -d $INT80 -m state --state NEW -j ACCEPT
#
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# some port forward stuff. (normally commented out) see also FORWARD area.
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to $INT80:80

echo "NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF..."
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo Mazzy Example iptables rules set. $FWVER done.
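The question's single rule only covers eth1 to eth0, while the script above also accepts ESTABLISHED,RELATED replies in the other direction. The POSIX sh helper below is an added example (not part of the question or the answer) that audits a FORWARD-chain dump in `iptables -S FORWARD` format and the ip_forward sysctl for exactly that asymmetry; the interface names eth0/eth1 come from the question and the sample dump is constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or the answer above): it
# audits a FORWARD-chain dump in `iptables -S FORWARD` format plus the
# ip_forward sysctl, without calling iptables, so a saved dump can be checked.

# Constructed sample: the single rule from the question on a host whose
# FORWARD policy is DROP (common on Docker hosts).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT'

# fwd_sysctl_ok [FILE]: true only when FILE (default: the real knob) holds "1".
fwd_sysctl_ok() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# fwd_audit EXT INT DUMP: prints "out=.. back=.. policy=..", where
#   out    INT->EXT traffic is accepted (the rule the question has)
#   back   EXT->INT ESTABLISHED,RELATED replies are accepted (the rule it lacks)
#   policy what happens to everything neither rule matches
fwd_audit() {
  ext=$1; int=$2; dump=$3
  out=missing; back=missing; policy=unknown
  while IFS= read -r line; do
    case $line in
      "-P FORWARD "*) policy=${line##* } ;;
      "-A FORWARD "*"-i $int "*"-o $ext "*"-j ACCEPT") out=ok ;;
      "-A FORWARD "*"-i $ext "*"-o $int "*ESTABLISHED*"-j ACCEPT") back=ok ;;
    esac
  done <<EOF
$dump
EOF
  printf 'out=%s back=%s policy=%s\n' "$out" "$back" "$policy"
}

# fwd_verdict EXT INT DUMP: exit 0 when both directions are covered, else exit 1
# and name what is missing. With policy DROP and no return rule, the request is
# forwarded but every reply is silently discarded.
fwd_verdict() {
  r=$(fwd_audit "$1" "$2" "$3")
  case $r in
    *"out=ok back=ok"*) echo "FORWARD covers both directions ($r)" ;;
    *"out=ok back=missing"*) echo "replies $1->$2 hit the chain policy ($r); add:" \
      "-A FORWARD -i $1 -o $2 -m state --state ESTABLISHED,RELATED -j ACCEPT"; return 1 ;;
    *) echo "outbound $2->$1 rule missing ($r)"; return 1 ;;
  esac
}
# The question's rule set is expected to fail this check.
fwd_verdict eth0 eth1 "$SAMPLE_FORWARD" || true
```

On a live system, run `fwd_verdict eth0 eth1 "$(iptables -S FORWARD)"` and `fwd_sysctl_ok` inside the container; a DROP policy together with a missing return rule explains why packets seen on eth1 never produce a working connection.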
