Docker IP forwarding with Apache in a bridged container

I am using a LAMP image for my Docker container, and in my apache access.log all requests come from the same IP address: 172.17.0.1. That is the bridge IP. My question is: is it possible to forward the client IP from the Synology to the Docker container? Or maybe I am doing something wrong here and am missing something in the container/Synology configuration?

Following @SYN's suggestion about iptables: can someone tell me which rules I should change and what to change them to?

These are my nat rules on the Synology (the Docker host):

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80

This is the default table:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-USER
-A DEFAULT_FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

And the verbose output:

admin@SynologyCluster:/$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2954K packets, 2329M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DEFAULT_FORWARD  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 2741K packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DEFAULT_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:mysql
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere
admin@SynologyCluster:/$ sudo iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 10733 packets, 1338K bytes)
 pkts bytes target     prot opt in     out     source               destination
 342K   36M DEFAULT_PREROUTING  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 10702 packets, 1334K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
36669 2325K DEFAULT_OUTPUT  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
26637 1655K DEFAULT_POSTROUTING  all  --  any    any     anywhere             anywhere

Chain DEFAULT_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
19352 1183K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain DEFAULT_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:mysql
    7   420 MASQUERADE  all  --  any    docker0  anywhere             anywhere             ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:http

Chain DEFAULT_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 234K   15M DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40001 to:172.17.0.2:3306
   12   720 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40000 to:172.17.0.2:80

As I understand it, I should change this nat rule:

-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE

Is my thinking correct? I'm not sure yet, and I don't want to mess all of this up.

Answer 1

Not sure whether this applies to your case, but it did work for my Pi-hole to see client IPs (as described here):

sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

Note that this is not persistent, so if you reboot the NAS you will have to apply it again.
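The question and the answer both come down to reading the nat table correctly, so here is an added example (not code from the question, the answer, or Synology/Docker) that parses the `iptables-save -t nat` style rules posted above and reports two things: which host ports are DNAT-published to which container address, and which MASQUERADE rules rewrite the source address of packets entering docker0. The sample input is the asker's own nat rule list, embedded verbatim as constructed test data. The rule the asker points at (`-o docker0 -m addrtype --src-type LOCAL -j MASQUERADE`) only matches packets whose source is one of the host's own addresses, so it rewrites connections that the host itself opens into the bridge; a LAN client's request that is DNAT'd in PREROUTING keeps the client's source and does not match it. The classification names (`host-originated`, `all-traffic`, `hairpin`) are this example's own labels, not iptables terminology.

```python
"""Audit the Docker NAT rules from an `iptables-save -t nat` dump.

Added example, not code from the question or the answer. It parses `-A` rule
lines and reports (a) which host ports are DNAT-published to which container
and (b) which MASQUERADE rules rewrite the source address of packets entering
the bridge. A rule of kind (b) is what makes every request in the container's
access.log appear to come from the bridge address (172.17.0.1 on docker0).
"""
import shlex

# Constructed sample: the nat rules posted in the question, copied verbatim.
NAT_RULES = """\
-P PREROUTING ACCEPT
-N DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80
"""


def parse_rule(line):
    """Turn one `-A CHAIN opt val opt val ...` line into a dict.

    Every option in the iptables-save output used here takes exactly one
    argument; a leading `!` negates the option that follows it and is
    recorded as a key prefixed with `!` (e.g. `!-d`). Non-rule lines
    (`-P`, `-N`, comments) return None.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "_raw": line.strip()}
    negate = False
    i = 2
    while i + 1 < len(tokens):
        if tokens[i] == "!":
            negate = True
            i += 1
            continue
        key = ("!" if negate else "") + tokens[i]
        negate = False
        rule[key] = tokens[i + 1]
        i += 2
    return rule


def load_rules(text):
    """Parse all `-A` lines of a dump; policy and chain-definition lines are skipped."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def published_ports(rules):
    """Map host port -> (container address, container port) from DNAT rules."""
    out = {}
    for r in rules:
        if r.get("-j") == "DNAT" and "--dport" in r:
            addr, port = r["--to-destination"].rsplit(":", 1)
            out[int(r["--dport"])] = (addr, int(port))
    return out


def source_rewriting_rules(rules, bridge="docker0"):
    """Classify MASQUERADE rules that hide the real client from the container.

    - 'host-originated': `-o <bridge>` restricted to `--src-type LOCAL`; only
      connections the host itself opens into the bridge are rewritten, and a
      client request DNAT'd in PREROUTING keeps its source (it does not match).
    - 'all-traffic': `-o <bridge>` with no source restriction; this would
      rewrite DNAT'd client traffic as well.
    - 'hairpin': `-s X -d X`, the container reaching its own published port.
    """
    hits = []
    for r in rules:
        if r.get("-j") != "MASQUERADE":
            continue
        if r.get("-o") == bridge:
            kind = "host-originated" if r.get("--src-type") == "LOCAL" else "all-traffic"
            hits.append((kind, r["_raw"]))
        elif "-s" in r and r["-s"] == r.get("-d"):
            hits.append(("hairpin", r["_raw"]))
    return hits


def audit(text, bridge="docker0"):
    """Summarise a nat dump: published ports and source-rewriting rules."""
    rules = load_rules(text)
    return {
        "published": published_ports(rules),
        "rewrites": source_rewriting_rules(rules, bridge),
    }


if __name__ == "__main__":
    report = audit(NAT_RULES)
    for host_port, (addr, port) in sorted(report["published"].items()):
        print(f"host :{host_port} -> {addr}:{port}")
    for kind, raw in report["rewrites"]:
        print(f"[{kind}] {raw}")
```

Run it against `sudo iptables-save -t nat` output from the NAS before touching any rule: it only reads the dump and changes nothing. On the asker's rules it reports the two published ports (40000 to 172.17.0.2:80 and 40001 to 172.17.0.2:3306), the two hairpin rules, and one host-originated rewrite. The verbose counters in the question show the port-40000 DNAT rule with 12 packets and the `src-type LOCAL` MASQUERADE with 7, so both paths are in use; comparing those two counters after a test request from a LAN client tells you whether that request reached the container through kernel DNAT (source preserved) or through a connection the host opened itself.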
