我在一台 CentOS 7 服务器上的 Docker 容器内运行一个 Spring-Boot Java 应用程序。
[root@dev-machine ~]# rpm --query centos-release
centos-release-7-5.1804.4.el7.centos.x86_64
我想发送有关用户注册的电子邮件,但它只能在本地工作,不能在服务器上工作。所以我认为防火墙规则可能缺失或有问题。
这是 `iptables -S` 的输出:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f0479a22f469 -j DOCKER
-A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
-A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-3d65bc697485 -j DOCKER
-A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
-A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -j DOCKER
-A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
-A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
这是 `iptables-save -c` 的输出:
[root@dev-machine ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*nat
:PREROUTING ACCEPT [19421:2552711]
:INPUT ACCEPT [18758:2423782]
:OUTPUT ACCEPT [39206:2367366]
:POSTROUTING ACCEPT [39206:2367366]
:DOCKER - [0:0]
[39177:2349612] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[44:2790] -A POSTROUTING -s 172.20.0.0/16 ! -o br-f0479a22f469 -j MASQUERADE
[2396:157880] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[62:3999] -A POSTROUTING -s 172.19.0.0/16 ! -o br-3d65bc697485 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-e9afb76ffa7a -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 8761 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.5/32 -d 172.20.0.5/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A DOCKER -i br-f0479a22f469 -j RETURN
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-e9afb76ffa7a -j RETURN
[0:0] -A DOCKER -i br-3d65bc697485 -j RETURN
[0:0] -A DOCKER ! -i br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.18.0.2:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8761 -j DNAT --to-destination 172.20.0.2:8761
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.20.0.5:8080
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*filter
:INPUT ACCEPT [495382:341584285]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [448313:353150279]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[1853096:1761639004] -A FORWARD -j DOCKER-USER
[1853096:1761639004] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[82:10098] -A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-f0479a22f469 -j DOCKER
[116:11141] -A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
[0:0] -A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
[4610393:6820102985] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[2710958:152407715] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[186:20837] -A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3d65bc697485 -j DOCKER
[248:27845] -A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -j DOCKER
[0:0] -A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
[116:11141] -A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
[2710958:152407715] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
[152:17009] -A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
[7321815:6972561781] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
[2711226:152435865] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[16330669:15452836360] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
[root@dev-machine ~]#
负责发送邮件的容器运行在 172.20.0.5,端口映射为 8080:8080(对应上面 br-f0479a22f469 网络上针对 172.20.0.5:8080 的 DNAT 规则)。
我发现了几个类似的问题:
- https://stackoverflow.com/questions/25484498/mail-blocked-by-firewall
- 如何在 iptables Debian Linux 上允许传出 SMTP
这些问题都建议放开传出流量,但就我的情况而言,传出似乎本来就是放开的:filter 表的 OUTPUT 策略是 ACCEPT;FORWARD 链中 `-i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT` 这条规则(计数器非零)会放行容器发往外部的流量;nat 表里也有对应的 MASQUERADE 规则;DOCKER-ISOLATION 两段只会丢弃不同 Docker 网桥之间的转发。所以主机上的 iptables 看起来并不像问题所在——我有什么遗漏或理解错的地方吗?(顺带一提,与发信无关但值得留意:INPUT 策略为 ACCEPT 且没有任何入站规则,而 nat 表里的 DNAT 规则没有限制目标地址/接口,因此 9000、5000、8761、8080 这几个容器端口会暴露在主机的所有接口上。)
以下是 Spring-Boot 的邮件配置属性,供参考(目前针对 Gmail 写死,但之后需要能通过环境变量为任意 SMTP 服务器配置):
# Spring-Boot outbound mail settings, reproduced as pasted. The nesting/indentation
# appears to have been lost in this listing: in the real file the keys below sit
# under `mail:` (presumably itself under `spring:`) — confirm against the source YAML.
mail:
# SMTP relay host and submission port. 587 is the STARTTLS submission port, which
# is consistent with `starttls.enable: true` below.
host: smtp.gmail.com
port: 587
# Credentials are injected from the environment rather than stored in the file —
# keep it that way so the password never ends up in the image layers or the repo.
username: ${EMAIL_USERNAME}
password: ${EMAIL_PASSWORD}
protocol: smtp
# NOTE(review): `tls` / `auth` at this level do not look like standard spring.mail
# keys — verify something actually reads them; otherwise only the
# properties.mail.smtp.* entries below take effect.
tls: true
auth: true
# Raw JavaMail session properties (mail.smtp.*) passed through to the mail session.
properties.mail.smtp:
auth: true
starttls.enable: true
# NOTE(review): per the JavaMail docs, mail.smtp.ssl.trust marks the listed host as
# trusted without validating its certificate against the JVM truststore, which
# weakens MITM protection on the STARTTLS hop. Confirm it is really needed (i.e. the
# truststore lacks the CA for smtp.gmail.com); otherwise drop it. It also does not
# fix connectivity — if the server cannot reach smtp.gmail.com:587 at all, the
# failure happens before TLS, so test the TCP path from inside the container first.
ssl.trust: smtp.gmail.com