This is my first post here, I hope I do it right!
I'm migrating to a new VPS running CentOS Linux release 7.9.2009 (Core), and unfortunately the host won't let me switch to a distribution I'm more familiar with, such as Debian, without losing the cPanel/WHM licence they provide.
I'm not a DevOps person, I'm a front-end developer, so I don't have much knowledge or experience in this area; I just want to install Docker and run a few containers.
The problem is that none of the containers can resolve any DNS. They can ping any IP just fine, but whichever domain I try, all I get is a "bad address".
On the host side everything works, and the resolv.conf created in the container is identical to the host's original file:
search hostgator_br.com
nameserver 8.8.8.8
nameserver 8.8.4.4
If I run the container with --network host, DNS works.
I have already tried some of the things I found while researching this, such as looking for firewall definitions (firewall-cmd isn't even installed) and trying to force different DNS settings in daemon.json, but the problem seems to be related to something else, such as the Docker bridge interface (docker0) that gets created.
I really don't know what else to try, and I've already spent the whole day on it without any progress =/
Please help this newbie achieve this rather simple goal.
Update
If I disable iptables, everything works, so it's probably some rule blocking DNS resolution, but I don't know which rule it is or how to fix it.
Here is the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- bl16-114-196.dsl.telepac.pt anywhere
ACCEPT all -- wz.hostgator.com.br anywhere /* allow Wizard/Eigsh */
ACCEPT all -- financeiro.hostgator.com.br anywhere /* allow Painel */
ACCEPT all -- anywhere anywhere /* Inbound Allow lo */
ACCEPT tcp -- anywhere anywhere tcp dpts:ndmps:65534
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
input_custom all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: up to 2/sec burst 10 mode srcip
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 5/min burst 5 LOG level error prefix "ICMP_DROP "
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp host-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmptype 30
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- 173.245.48.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 103.21.244.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 103.22.200.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 103.31.4.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 141.101.64.0/18 anywhere tcp dpt:http
ACCEPT tcp -- 108.162.192.0/18 anywhere tcp dpt:http
ACCEPT tcp -- 190.93.240.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 188.114.96.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 197.234.240.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 198.41.128.0/17 anywhere tcp dpt:http
ACCEPT tcp -- 162.158.0.0/15 anywhere tcp dpt:http
ACCEPT tcp -- 104.16.0.0/13 anywhere tcp dpt:http
ACCEPT tcp -- 104.24.0.0/14 anywhere tcp dpt:http
ACCEPT tcp -- 172.64.0.0/13 anywhere tcp dpt:http
ACCEPT tcp -- vps-10665803.pjinformatica.org anywhere tcp dpt:http
ACCEPT tcp -- 198-1-121-202.unifiedlayer.com anywhere multiport dports ssh,http
ACCEPT icmp -- 198-1-121-202.unifiedlayer.com anywhere icmp echo-request
ACCEPT tcp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
ACCEPT icmp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere icmp echo-request
ACCEPT tcp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
ACCEPT icmp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:26
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:infowave
ACCEPT tcp -- anywhere anywhere tcp dpt:radsec
ACCEPT tcp -- anywhere anywhere tcp dpt:sunclustergeo
ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere tcp dpt:eli
ACCEPT tcp -- anywhere anywhere tcp dpt:sep
ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-ser
ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-dir
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:22022
ACCEPT udp -- anywhere anywhere udp dpt:22022
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT udp -- anywhere anywhere udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT udp -- anywhere anywhere udp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "LOG_INPUT: "
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* Outbound allow lo */
ACCEPT udp -- anywhere anywhere udp dpt:323 /* chronyd */
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mail
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner UID match root
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
output_custom all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere 198-1-121-202.unifiedlayer.com icmp echo-reply
ACCEPT icmp -- anywhere 54.e2.adb8.ip4.static.sl-reverse.com icmp echo-reply
ACCEPT icmp -- anywhere 32.e0.acb8.ip4.static.sl-reverse.com icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpt:saphostctrls
ACCEPT tcp -- anywhere anywhere tcp dpt:saphostctrls
ACCEPT udp -- anywhere anywhere udp dpt:30000
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmps
ACCEPT udp -- anywhere anywhere udp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT udp -- anywhere anywhere udp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
ACCEPT udp -- anywhere anywhere owner UID match root
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere gateway07.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway03.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway04.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway05.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway06.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway09.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway10.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway11.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway12.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway13.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway14.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway15.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway16.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway02.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway01.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway08.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp owner UID match mailnull
LOG tcp -- anywhere anywhere ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix "OUTBOUND-SMTP : "
ACCEPT udp -- anywhere anywhere udp dpt:domain ! owner UID match nobody
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ! owner UID match nobody
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere tcp dpt:eli
ACCEPT tcp -- anywhere anywhere tcp dpt:sep
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:time
ACCEPT tcp -- anywhere anywhere tcp dpt:sms-chat
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:22022
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:26
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:imap
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:urd
ACCEPT tcp -- anywhere anywhere tcp spt:submission
ACCEPT tcp -- anywhere anywhere tcp spt:infowave
ACCEPT tcp -- anywhere anywhere tcp spt:radsec
ACCEPT tcp -- anywhere anywhere tcp spt:sunclustergeo
ACCEPT tcp -- anywhere anywhere tcp spt:gnunet
ACCEPT tcp -- anywhere anywhere tcp spt:eli
ACCEPT tcp -- anywhere anywhere tcp spt:sep
ACCEPT tcp -- anywhere anywhere tcp spt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere tcp spt:nbx-ser
ACCEPT tcp -- anywhere anywhere tcp spt:nbx-dir
ACCEPT tcp -- anywhere anywhere tcp spt:imaps
ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
ACCEPT tcp -- anywhere 10.0.0.0/8 tcp dpt:50905
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT udp -- anywhere anywhere udp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "LOG_OUTPUT: "
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
DROP all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain icmpchk (0 references)
target prot opt source destination
Chain input_custom (1 references)
target prot opt source destination
Chain output_custom (1 references)
target prot opt source destination
Chain ssh (0 references)
target prot opt source destination
ACCEPT all -- supra.websitewelcome.com anywhere
ACCEPT all -- ce.2f.1732.ip4.static.sl-reverse.com anywhere
ACCEPT all -- wizard-backup.hostgator.com anywhere
ACCEPT all -- 216-106-185-169.ds1-static.mia1.net.ststelecom.com anywhere
ACCEPT all -- 12.96.160.0/24 anywhere
ACCEPT all -- 216.19.0.0/24 anywhere
ACCEPT all -- 162-241-18-61.unifiedlayer.com anywhere
ACCEPT all -- 162-214-41-61.unifiedlayer.com anywhere
tcp -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
LOG tcp -- anywhere anywhere state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255 limit: avg 10/min burst 5 LOG level notice prefix "SSH-ATTACK : "
REJECT tcp -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere
Chain tcpchk (3 references)
target prot opt source destination
Chain udpchk (3 references)
target prot opt source destination
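A triage script for this kind of situation, added here as an example and not code from the original post. Two things about the listing above limit what it can tell you: `iptables -L` prints only the filter table, so Docker's MASQUERADE rule in the nat table never appears, and without `-n -v` it hides interface matches, so Docker's `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT` shows up as an anonymous `ACCEPT all -- anywhere anywhere`. The script below instead reads an `iptables-save` dump (which keeps tables and interface matches) and checks for the rules Docker needs to forward container traffic, including DNS, off the docker0 bridge. Both rulesets it writes are constructed samples: the "good" one mirrors the rules Docker installs by default, trimmed to the relevant lines; the "bad" one removes the MASQUERADE rule and adds a port-53 DROP to DOCKER-USER purely to show what the checks catch.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks an iptables-save dump
# for the rules Docker needs to forward container traffic out of docker0.
# Both rulesets written below are constructed samples.

# Print one table's rules from an iptables-save dump; each table sits between
# "*name" and "COMMIT". Usage: table_rules <dump> <table>
table_rules() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on' "$1"
}

# Report Docker-relevant findings for dump $1. Returns 0 if every check
# passes, 1 if any check fails.
check_docker_fw() {
    dump="$1"
    status=0

    # 1. Docker's accept for traffic leaving the bridge (the rule that plain
    #    `iptables -L` shows as "ACCEPT all -- anywhere anywhere").
    if table_rules "$dump" filter | grep -q -- '^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT$'; then
        echo "OK   FORWARD accepts traffic from docker0 to other interfaces"
    else
        echo "FAIL FORWARD has no accept for -i docker0 ! -o docker0"; status=1
    fi

    # 2. Source NAT for the bridge subnet; lives in the nat table, never in
    #    `iptables -L` output.
    if table_rules "$dump" nat | grep -q -- '^-A POSTROUTING -s [0-9./]* ! -o docker0 -j MASQUERADE$'; then
        echo "OK   nat POSTROUTING masquerades the docker0 subnet"
    else
        echo "FAIL no MASQUERADE rule for the docker0 subnet in the nat table"; status=1
    fi

    # 3. Explicit DROP/REJECT of port 53 in FORWARD or in DOCKER-USER, the
    #    chain Docker evaluates first for forwarded traffic.
    hits=$(table_rules "$dump" filter \
        | grep -E -- '^-A (FORWARD|DOCKER-USER) .*--dport 53 .*-j (DROP|REJECT)' || true)
    if [ -n "$hits" ]; then
        echo "FAIL rule blocking port 53 on the forward path:"
        echo "$hits" | sed 's/^/     /'; status=1
    else
        echo "OK   no explicit DROP/REJECT of port 53 in FORWARD or DOCKER-USER"
    fi

    # 4. Ordering: iptables evaluates top to bottom, so a terminating
    #    DROP/REJECT in FORWARD placed ahead of Docker's accept wins.
    order=$(table_rules "$dump" filter | awk '
        /^-A FORWARD / && /-j (DROP|REJECT)/ && !d { d = NR }
        /^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT/ && !a { a = NR }
        END { if (d && a && d < a) print "bad"; else print "ok" }')
    if [ "$order" = "bad" ]; then
        echo "FAIL a DROP/REJECT in FORWARD precedes Docker's accept rule"; status=1
    else
        echo "OK   no DROP/REJECT in FORWARD ahead of Docker's accept rule"
    fi
    return $status
}

# Constructed sample: the rules Docker installs by default, trimmed to the
# lines that matter here.
write_sample_good() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Constructed sample: same host minus the MASQUERADE rule, plus a rule in
# DOCKER-USER that drops outbound UDP/53 from containers.
write_sample_bad() {
    write_sample_good "$1.good"
    awk '/MASQUERADE/ { next }
         /^-A DOCKER-USER -j RETURN$/ { print "-A DOCKER-USER -p udp -m udp --dport 53 -j DROP" }
         { print }' "$1.good" > "$1"
    rm -f "$1.good"
}

# Stand-alone demo on the two samples. On a real host:
#   iptables-save > /tmp/rules.txt && check_docker_fw /tmp/rules.txt
tmp=$(mktemp -d)
write_sample_good "$tmp/good.rules"
write_sample_bad "$tmp/bad.rules"
echo "== good.rules =="; check_docker_fw "$tmp/good.rules"
echo "== bad.rules ==";  check_docker_fw "$tmp/bad.rules" || echo "(exit status $?)"
rm -rf "$tmp"
```

The script only inspects rules it can see in the dump, so pair it with a live look: `iptables -S FORWARD`, `iptables -t nat -S POSTROUTING` and `sysctl net.ipv4.ip_forward` (Docker also needs forwarding enabled), and `tcpdump -ni docker0 udp port 53` while running `docker run --rm busybox nslookup example.com` to see whether queries leave the bridge at all. One caveat worth knowing on CentOS 7: restarting the iptables service reloads /etc/sysconfig/iptables and discards the rules Docker added at runtime; restarting the docker service puts them back, which is why a ruleset that looked fine after installation can stop working after a firewall reload.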