On my host I have:
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "wlp2s0f0u8";
In my container I defined:
containers.nixbincache = {
privateNetwork = true;
hostAddress = "192.168.140.10";
localAddress = "192.168.140.11";
...
However, the container has no external internet access. How do I enable external access?
Doing some network debugging:
On the container:
curl -v 116.203.70.99
On the host:
sudo tshark -f "tcp port 80" -i ve-nixbincache
Running as user "root" and group "root". This could be dangerous.
Capturing on 've-nixbincache'
1 0.000000000 192.168.140.11 → 116.203.70.99 TCP 74 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266433161 TSecr=0 WS=128
2 1.062641113 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266434223 TSecr=0 WS=128
3 3.110640768 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266436271 TSecr=0 WS=128
4 7.142641875 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266440303 TSecr=0 WS=128
Or with tcpdump:
sudo tcpdump -i ve-nixbincache
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ve-nixbincache, link-type EN10MB (Ethernet), capture size 262144 bytes
20:27:27.351572 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273487804 ecr 0,nop,wscale 7], length 0
20:27:28.399000 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273488851 ecr 0,nop,wscale 7], length 0
20:27:30.447027 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273490899 ecr 0,nop,wscale 7], length 0
20:27:32.367015 ARP, Request who-has blueberry tell nixbincache.containers, length 28
20:27:32.367029 ARP, Reply blueberry is-at 66:3f:59:d4:10:c5 (oui Unknown), length 28
20:27:34.479001 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273494931 ecr 0,nop,wscale 7], length 0
20:27:42.606992 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273503059 ecr 0,nop,wscale 7], length 0
On the host:
iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4487 packets, 758K bytes)
pkts bytes target prot opt in out source destination
4488 758K nixos-nat-pre all -- any any anywhere anywhere
2 120 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17558 packets, 1296K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 17584 packets, 1299K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
15 960 MASQUERADE all -- any !br-3a2c30a19c92 172.20.0.0/16 anywhere
34 2615 MASQUERADE all -- any !br-88eb2b109258 172.18.0.0/16 anywhere
42 3423 MASQUERADE all -- any !br-8510145730df 172.19.0.0/16 anywhere
17584 1299K LIBVIRT_PRT all -- any any anywhere anywhere
17604 1300K nixos-nat-post all -- any any anywhere anywhere
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 RETURN all -- br-3a2c30a19c92 any anywhere anywhere
0 0 RETURN all -- br-88eb2b109258 any anywhere anywhere
0 0 RETURN all -- br-8510145730df any anywhere anywhere
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
Chain nixos-nat-post (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
pkts bytes target prot opt in out source destination
72 5330 MARK all -- ve-+ any anywhere anywhere MARK set 0x1
On the container:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.140.10 0.0.0.0 UG 0 0 0 eth0
192.168.140.10 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
Traceroute on the container:
[root@nixbincache:~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (192.168.140.10) 0.043 ms 0.010 ms 0.009 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Answer 1
It works by running iptables -t nat -A POSTROUTING -o wlp2s0f0u7 -j MASQUERADE.
Here are the resulting iptables rules:
sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 154 packets, 22783 bytes)
pkts bytes target prot opt in out source destination
203 29566 nixos-nat-pre all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 26 packets, 2466 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
pkts bytes target prot opt in out source destination
66 5673 nixos-nat-post all -- any any anywhere anywhere
25 2126 MASQUERADE all -- any wlp2s0f0u7 anywhere anywhere
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_PRT (0 references)
pkts bytes target prot opt in out source destination
Chain nixos-nat-post (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
pkts bytes target prot opt in out source destination
2 120 MARK all -- ve-+ any anywhere anywhere MARK set 0x1
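The counters in both listings tell the story: nixos-nat-pre marks packets arriving on ve-+, but the nixos-nat-post MASQUERADE rule for wlp2s0f0u8 never matches, and after the answer the traffic is carried by the manual, unrestricted MASQUERADE on wlp2s0f0u7 instead. This added example (not code from the question or the answer) parses `iptables -L -v -t nat` output, compares the two NixOS counters, and lists MASQUERADE rules that have no mark or source restriction; the sample listings are constructed from the chains shown on this page.

```python
import re

# Constructed from the nixos-nat-* chains printed in the question.
QUESTION_NAT = """\
Chain nixos-nat-post (1 references)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
 pkts bytes target prot opt in out source destination
   72  5330 MARK all -- ve-+ any anywhere anywhere MARK set 0x1
"""
# Constructed from the chains printed in the answer, after the manual MASQUERADE rule.
ANSWER_NAT = """\
Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target prot opt in out source destination
   66  5673 nixos-nat-post all -- any any anywhere anywhere
   25  2126 MASQUERADE all -- any wlp2s0f0u7 anywhere anywhere
Chain nixos-nat-post (1 references)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
 pkts bytes target prot opt in out source destination
    2   120 MARK all -- ve-+ any anywhere anywhere MARK set 0x1
"""
def _count(tok):  # iptables -v abbreviates counters as 758K, 1300K, ...
    n, s = re.fullmatch(r"(\d+)([KMG]?)", tok).groups()
    return int(n) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[s]

def parse_nat(text):  # {chain: [rule, ...]} with pkts, target, out iface, source, trailing matches
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["Chain"]:
            cur = f[1]
            chains[cur] = []
        elif cur and len(f) >= 9 and f[0] != "pkts":
            chains[cur].append({"pkts": _count(f[0]), "target": f[2], "out": f[6],
                                "src": f[7], "extra": " ".join(f[9:])})
    return chains

def audit(text):
    """Compare the ve-+ MARK counter with the externalInterface MASQUERADE counter."""
    ch = parse_nat(text)
    marked = sum(r["pkts"] for r in ch.get("nixos-nat-pre", []) if r["target"] == "MARK")
    masq = sum(r["pkts"] for r in ch.get("nixos-nat-post", []) if r["target"] == "MASQUERADE")
    # A MASQUERADE with neither a mark nor a source restriction rewrites all traffic on that interface.
    unscoped = [r["out"] for r in ch.get("POSTROUTING", []) if r["target"] == "MASQUERADE"
                and r["src"] == "anywhere" and "mark" not in r["extra"]]
    verdict = ("ok" if masq else "marked but never masqueraded: externalInterface is not the egress interface"
               if marked else "nothing marked: check internalInterfaces / the ve-+ pattern")
    return {"marked": marked, "masq": masq, "unscoped": unscoped, "verdict": verdict}
```

Running `audit` on the answer's listing still reports the NixOS rule at zero hits and flags wlp2s0f0u7 as an unscoped MASQUERADE, which is the hint that the configured externalInterface should be changed to the interface the traffic actually leaves on rather than adding a blanket rule.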