I'm running the Grocy Docker container on a Raspberry Pi 2 [fresh install of Raspbian]; the container is running, with port 80 mapped to port 9283 on the host:
- Verified that the container is running with docker ps:

    CONTAINER ID   IMAGE                       COMMAND   CREATED        STATUS        PORTS                                     NAMES
    473614c3f885   ghcr.io/linuxserver/grocy   "/init"   16 hours ago   Up 15 hours   443/tcp, 6781/tcp, 0.0.0.0:9283->80/tcp   grocy
- Verified that port 9283 is open and listening, with sudo iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9283

  and sudo netstat -pant:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:9283            0.0.0.0:*               LISTEN      632/docker-proxy
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      428/sshd
    tcp        0      0 192.168.1.40:22         192.168.1.11:58703      ESTABLISHED 1708/sshd: pi [priv
    tcp6       0      0 :::22                   :::*                    LISTEN      428/sshd
- I can connect to 127.0.0.1, but connecting to 192.168.1.40 [the Pi] is refused, both on the Pi itself and from my local network. wget 127.0.0.1:9283:

    --2021-03-06 10:49:51--  http://127.0.0.1:9283/
    Connecting to 127.0.0.1:9283... connected.
    HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.

  wget 192.168.1.40:9283:

    --2021-03-06 10:52:09--  http://192.168.1.40:9283/
    Connecting to 192.168.1.40:9283... failed: Connection refused.
I have read the answers to this question, but since the port is listening, I assume a firewall on the Pi is blocking the port, and I don't know how to open it (22, the SSH port, is open but does not appear in iptables).

Is there another layer of port blocking somewhere?
iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9283

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER-USER  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DOCKER (2 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
nft list ruleset:

    table ip filter {
        chain INPUT {
            type filter hook input priority 0; policy accept;
            iifname "eth0" meta l4proto tcp tcp dport 9283 counter packets 0 bytes 0 accept
        }
        chain FORWARD {
            type filter hook forward priority 0; policy drop;
            counter packets 0 bytes 0 jump DOCKER-USER
            counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
            oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
            oifname "docker0" counter packets 0 bytes 0 jump DOCKER
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
            iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
            oifname "br-3075040908de" ct state related,established counter packets 0 bytes 0 accept
            oifname "br-3075040908de" counter packets 0 bytes 0 jump DOCKER
            iifname "br-3075040908de" oifname != "br-3075040908de" counter packets 0 bytes 0 accept
            iifname "br-3075040908de" oifname "br-3075040908de" counter packets 0 bytes 0 accept
        }
        chain OUTPUT {
            type filter hook output priority 0; policy accept;
        }
        chain DOCKER {
            iifname != "br-3075040908de" oifname "br-3075040908de" meta l4proto tcp ip daddr 172.18.0.2 tcp dport 80 counter packets 0 bytes 0 accept
        }
        chain DOCKER-ISOLATION-STAGE-1 {
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            iifname "br-3075040908de" oifname != "br-3075040908de" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            counter packets 0 bytes 0 return
        }
        chain DOCKER-ISOLATION-STAGE-2 {
            oifname "docker0" counter packets 0 bytes 0 drop
            oifname "br-3075040908de" counter packets 0 bytes 0 drop
            counter packets 0 bytes 0 return
        }
        chain DOCKER-USER {
            counter packets 0 bytes 0 return
        }
    }
    table ip6 filter {
        chain INPUT {
            type filter hook input priority 0; policy accept;
        }
        chain FORWARD {
            type filter hook forward priority 0; policy accept;
        }
        chain OUTPUT {
            type filter hook output priority 0; policy accept;
        }
    }
    table ip nat {
        chain PREROUTING {
            type nat hook prerouting priority -100; policy accept;
            fib daddr type local counter packets 2 bytes 104 jump DOCKER
        }
        chain INPUT {
            type nat hook input priority 100; policy accept;
        }
        chain POSTROUTING {
            type nat hook postrouting priority 100; policy accept;
            oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
            oifname != "br-3075040908de" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
            meta l4proto tcp ip saddr 172.18.0.2 ip daddr 172.18.0.2 tcp dport 80 counter packets 0 bytes 0 masquerade
        }
        chain OUTPUT {
            type nat hook output priority -100; policy accept;
            ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }
        chain DOCKER {
            iifname "docker0" counter packets 0 bytes 0 return
            iifname "br-3075040908de" counter packets 0 bytes 0 return
            iifname != "br-3075040908de" meta l4proto tcp tcp dport 9283 counter packets 0 bytes 0 dnat to 172.18.0.2:80
        }
    }
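The two wget runs in the post fail in different ways: against 127.0.0.1 the TCP handshake completes and the peer then resets the connection, against 192.168.1.40 the SYN itself is refused. Telling those apart (and both apart from a silent DROP, which shows up as a timeout) is the first step in deciding which layer to look at. The probe below is an added example, not code from the original post or from Docker/Grocy; it classifies a connection attempt into those outcomes. The two loopback fixtures (`serve_once`, `closed_port`) are constructed test doubles that reproduce each outcome locally so the classifier can be checked offline; the target addresses in `main` are only the ones quoted in the post, used as defaults.

```python
"""Classify how a TCP connection to a published Docker port fails.

Added example, not part of the original post. Outcomes returned by probe():
  refused : the SYN was answered with RST; nothing accepted on that address
            (no listener there, or the DNAT target behind it refused)
  reset   : handshake completed, then the peer sent RST, e.g. an accepting
            proxy whose backend refused the forwarded connection
  closed  : handshake completed, peer closed cleanly without sending data
  timeout : neither SYN-ACK nor RST arrived in time, typical of a DROP rule
  ok      : at least one byte of response came back
"""
import socket
import struct
import sys
import threading


def probe(host, port, timeout=3.0):
    """Connect, send a minimal HTTP/1.0 request, and classify what happens."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            return "error:%s" % exc.strerror
        # Handshake done: provoke either a reply or an RST from the peer.
        request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("ascii")
        try:
            sock.sendall(request)
            data = sock.recv(1024)
        except (ConnectionResetError, BrokenPipeError):
            return "reset"
        except socket.timeout:
            return "timeout"
        return "ok" if data else "closed"
    finally:
        sock.close()


def serve_once(mode):
    """Constructed test fixture (not a real service): a loopback listener that
    accepts one connection and either answers ('reply') or resets it ('reset').
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        if mode == "reply":
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        else:
            # SO_LINGER with a zero timeout makes close() emit RST instead of
            # FIN, which is what "connected ... reset by peer" looks like
            # from the client side.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Constructed fixture: a loopback port on which nothing listens."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def main(argv):
    # Defaults are the two targets quoted in the post; pass host:port to override.
    targets = argv or ["127.0.0.1:9283", "192.168.1.40:9283"]
    for target in targets:
        host, _, port = target.rpartition(":")
        print("%-22s %s" % (target, probe(host, int(port))))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it on the Pi with no arguments to probe both addresses, and, if the container's address is known (172.18.0.2:80 in the nat DOCKER chain above), add it as a third target: a "refused" there means the service inside the container is not accepting on port 80 at all, while "refused" only on the LAN address with "ok" on the container address points at the host-side path (docker-proxy binding or the nat/filter rules).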