My Docker host has several running containers, and I want to reach them through my WireGuard interface wg0.
They are reachable through the interface enp3s0, which has 192.168.0.12, but not on the WireGuard interface wg0 with 10.8.0.4.
The containers are in a bridge network (172.17.0.0/16), with ports mapped to the host and listening on all interfaces.
I can't find what is wrong with my setup. Could it be a routing problem?
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56f5793559ef gogs/gogs:latest "/app/gogs/docker/st…" 8 days ago Up 19 minutes 80/tcp, 443/tcp, 0.0.0.0:3000->3000/tcp, 0.0.0.0:2222->22/tcp Gogs
ef7aabd2a54d nextcloud:latest "/entrypoint.sh apac…" 8 days ago Up 19 minutes 0.0.0.0:8080->80/tcp Nextcloud
b591c364db96 mariadb:latest "docker-entrypoint.s…" 2 weeks ago Up 19 minutes 0.0.0.0:3306->3306/tcp MariaDB
7a7533d05ec2 portainer/portainer "/portainer" 2 weeks ago Up 19 minutes 0.0.0.0:9000->9000/tcp Portainer
# netstat -tulpn | grep docker
tcp6 0 0 :::9000 :::* LISTEN 30704/docker-proxy
tcp6 0 0 :::3306 :::* LISTEN 30782/docker-proxy
tcp6 0 0 :::2222 :::* LISTEN 30746/docker-proxy
tcp6 0 0 :::8080 :::* LISTEN 30851/docker-proxy
tcp6 0 0 :::3000 :::* LISTEN 30733/docker-proxy
# ip -o a s
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever
2: enp3s0 inet 192.168.0.12/24 brd 192.168.0.255 scope global dynamic enp3s0\ valid_lft 599865sec preferred_lft 599865sec
2: enp3s0 inet6 2a02:810d:8800:3e38::833e/128 scope global dynamic noprefixroute \ valid_lft 599865sec preferred_lft 599865sec
2: enp3s0 inet6 2a02:810d:8800:3e38:7285:c2ff:fe85:90ac/64 scope global dynamic mngtmpaddr noprefixroute \ valid_lft 298sec preferred_lft 298sec
2: enp3s0 inet6 fe80::7285:c2ff:fe85:90ac/64 scope link \ valid_lft forever preferred_lft forever
4: docker0 inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\ valid_lft forever preferred_lft forever
4: docker0 inet6 fe80::42:b5ff:feaf:a693/64 scope link \ valid_lft forever preferred_lft forever
16: wg0 inet 10.8.0.4/32 scope global wg0\ valid_lft forever preferred_lft forever
28: veth34254e4 inet6 fe80::a88b:72ff:fee2:7c78/64 scope link \ valid_lft forever preferred_lft forever
30: veth5c409c5 inet6 fe80::2cff:8ff:fe14:395e/64 scope link \ valid_lft forever preferred_lft forever
32: vethc18f5bc inet6 fe80::ecc4:1eff:fedd:b881/64 scope link \ valid_lft forever preferred_lft forever
34: veth125baec inet6 fe80::20eb:b7ff:feaa:abb/64 scope link \ valid_lft forever preferred_lft forever
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default kabelbox.local 0.0.0.0 UG 100 0 0 enp3s0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
kabelbox.local 0.0.0.0 255.255.255.255 UH 100 0 0 enp3s0
# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.3:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.4:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.5:9000
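As an added example (not part of the original question), this script parses the `iptables -t nat -S` output above and reports which published ports are reachable on every address the host owns, including wg0 and the public enp3s0; the last DNAT line in the sample is constructed to show how a port published only on the WireGuard address (`-p 10.8.0.4:8443:443`) would appear.

```python
import re

# `iptables -t nat -S` output quoted in the question, embedded here as a
# constructed string so the script runs offline. The last DNAT line is
# constructed (not from the question) to show how a port published with an
# explicit bind address, e.g. `-p 10.8.0.4:8443:443`, appears in the table.
NAT_RULES = """\
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.3:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.4:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.5:9000
-A DOCKER -d 10.8.0.4/32 ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.6:443
"""

DNAT_RE = re.compile(
    r"^-A DOCKER (?P<match>.*?)-p (?P<proto>\w+) .*?--dport (?P<port>\d+) "
    r"-j DNAT --to-destination (?P<target>[\d.]+:\d+)$"
)

def parse_dnat_rules(rules: str) -> list:
    """One record per DNAT rule: host port, protocol, container target and the
    destination address the rule is limited to (0.0.0.0/0 when unrestricted)."""
    records = []
    for line in rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        bound = re.search(r"-d (\S+)", m.group("match"))
        records.append({
            "host_port": int(m.group("port")),
            "proto": m.group("proto"),
            "target": m.group("target"),
            "bound_to": bound.group(1) if bound else "0.0.0.0/0",
        })
    return records

def exposed_on_all_addresses(records: list) -> list:
    """Host ports whose DNAT rule has no `-d` restriction: PREROUTING hands every
    packet for a local address (--dst-type LOCAL) to DOCKER, so these answer on
    enp3s0, wg0 and any other address the host owns."""
    return sorted(r["host_port"] for r in records if r["bound_to"] == "0.0.0.0/0")

if __name__ == "__main__":
    recs = parse_dnat_rules(NAT_RULES)
    for r in recs:
        print(f"{r['proto']}/{r['host_port']:<5} -> {r['target']:<16} bound to {r['bound_to']}")
    print("reachable on every host address:", exposed_on_all_addresses(recs))
```

Ports in the unrestricted list answer on the public interface as well as wg0, so if a service is meant to be VPN-only, publishing it with an explicit bind address is the setting to check.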