How to enable internet access for a NixOS container that uses a private network

On my host I have:

    networking.nat.enable = true;
    networking.nat.internalInterfaces = ["ve-+"];
    networking.nat.externalInterface = "wlp2s0f0u8";

In my container I defined:

    containers.nixbincache = {
      privateNetwork = true;
      hostAddress = "192.168.140.10";
      localAddress = "192.168.140.11";
    ...

However, the container cannot reach the internet. How do I enable outbound access?


Some network debugging:

On the container:

curl -v 116.203.70.99

On the host:

sudo tshark -f "tcp port 80" -i ve-nixbincache
Running as user "root" and group "root". This could be dangerous.
Capturing on 've-nixbincache'
    1 0.000000000 192.168.140.11 → 116.203.70.99 TCP 74 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266433161 TSecr=0 WS=128
    2 1.062641113 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266434223 TSecr=0 WS=128
    3 3.110640768 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266436271 TSecr=0 WS=128
    4 7.142641875 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266440303 TSecr=0 WS=128

Or with tcpdump:

sudo tcpdump -i ve-nixbincache
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ve-nixbincache, link-type EN10MB (Ethernet), capture size 262144 bytes
20:27:27.351572 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273487804 ecr 0,nop,wscale 7], length 0
20:27:28.399000 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273488851 ecr 0,nop,wscale 7], length 0
20:27:30.447027 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273490899 ecr 0,nop,wscale 7], length 0
20:27:32.367015 ARP, Request who-has blueberry tell nixbincache.containers, length 28
20:27:32.367029 ARP, Reply blueberry is-at 66:3f:59:d4:10:c5 (oui Unknown), length 28
20:27:34.479001 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273494931 ecr 0,nop,wscale 7], length 0
20:27:42.606992 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273503059 ecr 0,nop,wscale 7], length 0

On the host:

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4487 packets, 758K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4488  758K nixos-nat-pre  all  --  any    any     anywhere             anywhere            
    2   120 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17558 packets, 1296K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 17584 packets, 1299K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
   15   960 MASQUERADE  all  --  any    !br-3a2c30a19c92  172.20.0.0/16        anywhere            
   34  2615 MASQUERADE  all  --  any    !br-88eb2b109258  172.18.0.0/16        anywhere            
   42  3423 MASQUERADE  all  --  any    !br-8510145730df  172.19.0.0/16        anywhere            
17584 1299K LIBVIRT_PRT  all  --  any    any     anywhere             anywhere            
17604 1300K nixos-nat-post  all  --  any    any     anywhere             anywhere            

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-3a2c30a19c92 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-88eb2b109258 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-8510145730df any     anywhere             anywhere            

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24 
    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24    

Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72  5330 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1

On the container:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.140.10  0.0.0.0         UG    0      0        0 eth0
192.168.140.10  0.0.0.0         255.255.255.255 UH    0      0        0 eth0

traceroute from the container:

[root@nixbincache:~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.140.10)  0.043 ms  0.010 ms  0.009 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Answer 1

It works after running:

iptables -t nat -A POSTROUTING -o wlp2s0f0u7 -j MASQUERADE

Here are the resulting iptables rules:

sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 154 packets, 22783 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  203 29566 nixos-nat-pre  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26 packets, 2466 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   66  5673 nixos-nat-post  all  --  any    any     anywhere             anywhere            
   25  2126 MASQUERADE  all  --  any    wlp2s0f0u7  anywhere             anywhere            

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LIBVIRT_PRT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1
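
An added diagnostic, not code from the question or the answer, that automates the comparison the two iptables dumps above make by eye: it parses the nat table for the packet counter of the nixos-nat-pre MARK rule and of the MASQUERADE rule on the configured external interface, and checks that the interface actually exists on the host. The nat table sample is constructed from the answer's output; the ip -o link sample, and the assumption that the wireless dongle is wlp2s0f0u7 and that no wlp2s0f0u8 exists, are mine.

```shell
#!/bin/sh
# Added diagnostic (not part of the original question or answer). It takes the
# text of `iptables -L -v -x -t nat` and `ip -o link` as arguments, so it can
# run offline against captured output and, on the host, against live output.
# Use -x on the host so counters are exact numbers rather than "1299K".

# Sum of the packet counters of MASQUERADE rules whose out-interface is $1.
# $2 is the nat table text. With -L -v the columns are:
#   pkts bytes target prot opt in out source destination
masq_pkts() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $3 == "MASQUERADE" && $7 == ifc { n += $1 }
        END { print n + 0 }'
}

# Packets that a MARK rule matched because they arrived on interface $1
# (NixOS uses the wildcard "ve-+" for the container veths).
mark_pkts() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $3 == "MARK" && $6 == ifc { n += $1 }
        END { print n + 0 }'
}

# Does interface $1 appear in the `ip -o link` output $2? Lines look like
# "2: wlp2s0f0u7: <BROADCAST,...> mtu 1500 ...", veths as "ve-x@if2:".
iface_exists() {
    printf '%s\n' "$2" | awk -v ifc="$1" -F': ' '
        { name = $2; sub(/@.*/, "", name); if (name == ifc) found = 1 }
        END { exit !found }'
}

# $1 = networking.nat.externalInterface, $2 = nat table, $3 = ip -o link text
diagnose() {
    ext=$1
    nat=$2
    links=$3
    if ! iface_exists "$ext" "$links"; then
        echo "FAIL: externalInterface $ext does not exist on this host"
        return 1
    fi
    marked=$(mark_pkts 've-+' "$nat")
    masq=$(masq_pkts "$ext" "$nat")
    if [ "$marked" -gt 0 ] && [ "$masq" -eq 0 ]; then
        echo "FAIL: $marked packets marked on ve-+, none masqueraded on $ext"
        return 1
    fi
    echo "OK: $masq packets masqueraded on $ext"
}

# Constructed sample: the relevant chains from the answer's table (manual u7
# rule present, NixOS rule still pointing at u8).
NAT_SAMPLE=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
   66  5673 nixos-nat-post  all  --  any    any     anywhere             anywhere
   25  2126 MASQUERADE  all  --  any    wlp2s0f0u7  anywhere             anywhere

Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1
EOF
)

# Constructed sample of `ip -o link`; assumption: the dongle is wlp2s0f0u7.
LINK_SAMPLE=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: wlp2s0f0u7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
3: ve-nixbincache@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
EOF
)

# On the host the live call would be:
#   diagnose wlp2s0f0u8 "$(sudo iptables -L -v -x -t nat)" "$(ip -o link)"
diagnose wlp2s0f0u8 "$NAT_SAMPLE" "$LINK_SAMPLE" || :   # the question's config: FAIL
diagnose wlp2s0f0u7 "$NAT_SAMPLE" "$LINK_SAMPLE"        # the answer's interface: OK
```

Read against the answer's table, the script reports that the NixOS rule on wlp2s0f0u8 never matched while the hand-added rule on wlp2s0f0u7 carried the 25 packets: the name in networking.nat.externalInterface did not match the interface the traffic actually left through. Note the difference in scope between the two rules: nixos-nat-post masquerades only packets carrying mark 0x1, which nixos-nat-pre sets on packets that arrived on a ve-+ interface, whereas the manual rule masquerades every packet leaving wlp2s0f0u7 regardless of source or mark. Pointing networking.nat.externalInterface at the interface the counters show in use keeps that narrower rule and survives a rebuild, which a rule added by hand with iptables does not. If the counters look right but SYNs still go unanswered, check that net.ipv4.ip_forward is 1 on the host as well.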