我有一个带有两个网卡的主机,一个叫做 eth0,另一个叫做 eth1。
eth0 是本地局域网,没有 iptables 过滤器。eth1 是广域网,并且有 iptables 丢弃所有内容。
另外,我有一个在端口 80 上运行服务的 docker。
当我运行docker时,我将端口8086映射到80。然后我使用以下命令打开防火墙:
iptables -I INPUT 1 -p tcp -m tcp --dport 8086 -j ACCEPT
结果是:我可以从内部局域网的预期端口 8086 访问服务,而 WAN 没有响应。
我已经使用以下命令测试了广域网卡中的流量:
tcpdump -i any -n port 8086
我遗漏了一些东西,我怎样才能打开那个端口?
的结果
iptables -L
是:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:8086
ACCEPT tcp -- anywhere anywhere tcp dpt:466
ACCEPT tcp -- anywhere anywhere tcp dpt:1521
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:12540
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
我怎样才能将该端口公开给公共广域网?
答案1
没有答案,所以我要评论我的解决方法,这不是想要的答案,但没关系。
我最终设置了一个 nginx 作为反向代理监听所有接口。这对我来说是有效的,因为它是 http 流量。