My development environment uses a single Docker Swarm node with several microservices inside it. I need the microservices running on my machine to communicate with the microservices running inside Docker, but I'm having some trouble routing the packets correctly. When I restart the Docker server the containers' IP addresses change, so I tried to route the packets through the gateway. With these rules I can ping any microservice I want:
sysctl net.ipv4.conf.all.forwarding=1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j DNAT --to-destination 172.18.0.1
As you can see, the microservices run in the 10.0.0.0/24 network and I'm using the gateway IP 172.18.0.1. The problem is that I can't find a way to handle the response packets, because I don't know which source I should put in the rule:
sudo iptables -t nat -A POSTROUTING -s 172.18.0.1 -j SNAT --to-source IP
Is there a way to mark the packets and set the source IP based on that mark? What should I do to route them correctly?
Answer 1
I changed the DNAT rule to point to 172.18.0.2, since that is the IP Docker uses to map all of the node's ports, deleted all the POSTROUTING rules, and only added a masquerade rule for all packets:
sysctl net.ipv4.conf.all.forwarding=1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j DNAT --to-destination 172.18.0.2
# delete the existing POSTROUTING rule (only rule number 1)
iptables -t nat -D POSTROUTING 1
# add a masquerade rule for all packets
iptables -t nat -A POSTROUTING -j MASQUERADE
The final NAT table looks like this:
Chain PREROUTING (policy ACCEPT 840 packets, 89942 bytes)
num pkts bytes target prot opt in out source destination
1 606 42480 DOCKER-INGRESS all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 353 27496 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
3 9 540 DNAT all -- * * 0.0.0.0/0 10.0.0.0/24 to:172.18.0.2
Chain INPUT (policy ACCEPT 402 packets, 61889 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 1200 bytes)
num pkts bytes target prot opt in out source destination
1 20 1200 DOCKER-INGRESS all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 1 60 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 710 44373 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 RETURN all -- ecommerce_br0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 RETURN all -- docker_gwbridge * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-INGRESS (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 to:172.18.0.2:8089
2 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8084 to:172.18.0.2:8084
3 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083 to:172.18.0.2:8083
4 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:172.18.0.2:8082
5 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:172.18.0.2:8081
6 8 480 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.18.0.2:8080
7 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8079 to:172.18.0.2:8079
8 3 180 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2181 to:172.18.0.2:2181
9 72 4320 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9092 to:172.18.0.2:9092
10 108 6480 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8761 to:172.18.0.2:8761
11 73 4380 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432 to:172.18.0.2:5432
12 362 27840 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
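The rule set from the answer, as an added example script (not the poster's own commands), applied idempotently so re-running it never accumulates duplicate POSTROUTING entries, and with the masquerade and forwarding limited to traffic toward the swarm node instead of a blanket MASQUERADE and FORWARD ACCEPT policy. The service network 10.0.0.0/24 and node address 172.18.0.2 come from the answer; the bridge name docker_gwbridge is taken from the DOCKER chain in the answer's table; DRY_RUN=1 is an assumed switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: idempotent, scoped version of the answer's DNAT + masquerade setup.
# Values below are taken from the answer; override them through the environment.
SERVICE_NET="${SERVICE_NET:-10.0.0.0/24}"   # network the microservices live in
NODE_IP="${NODE_IP:-172.18.0.2}"            # swarm node address Docker maps ports to
BRIDGE_IF="${BRIDGE_IF:-docker_gwbridge}"   # bridge from the answer's DOCKER chain
DRY_RUN="${DRY_RUN:-0}"                     # assumed switch: 1 = print, 0 = execute

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if it is not already present
# (iptables -C exits 0 when an identical rule exists), so repeated runs stay clean.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

apply_nat() {
    run sysctl -w net.ipv4.conf.all.forwarding=1
    # Allow forwarding only toward the node and for its return traffic,
    # rather than setting the whole FORWARD chain policy to ACCEPT.
    ensure_rule filter FORWARD -d "$NODE_IP" -o "$BRIDGE_IF" -j ACCEPT
    ensure_rule filter FORWARD -i "$BRIDGE_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of traffic for the service network to the swarm node.
    ensure_rule nat PREROUTING -d "$SERVICE_NET" -j DNAT --to-destination "$NODE_IP"
    # POSTROUTING sees the post-DNAT destination, so masquerade only flows leaving
    # through the bridge toward the node; replies then return via conntrack.
    ensure_rule nat POSTROUTING -d "$NODE_IP" -o "$BRIDGE_IF" -j MASQUERADE
}

# print_nat_rules: emit the generated iptables commands without touching the kernel.
print_nat_rules() {
    ( DRY_RUN=1; apply_nat )
}

if [ "${1:-}" = "--print" ]; then
    print_nat_rules
fi
```

Run `sh nat-rules.sh --print` to review the generated commands, and `sudo sh nat-rules.sh && sudo sh nat-rules.sh` to confirm the second run adds no duplicate rules (`iptables -t nat -L POSTROUTING -n --line-numbers`).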