On Debian 10 buster I ran into the problem that docker containers cannot ping the docker host, or even the docker bridge interface, but are able to reach the internet.
Allowing access (as shown in a related question here) does not fix my case. It seems to be iptables/nftables related; if I could first figure out how to log the errors, I could probably work out what to do.

I entered log rules in both DOCKER-USER and INPUT,

nft insert rule ip filter DOCKER-USER counter log

but they all show 0 packets logged. /var/log/kern.log shows nothing firewall related, and neither does journalctl -k.

What is the new way to watch firewall activity with the nftables system?
nft list ip table filter

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ct state invalid counter packets 80 bytes 3200 drop
        iifname "vif*" meta l4proto udp udp dport 68 counter packets 0 bytes 0 drop
        ct state related,established counter packets 9479197 bytes 17035404271 accept
        iifname "vif*" meta l4proto icmp counter packets 0 bytes 0 accept
        iifname "lo" counter packets 9167 bytes 477120 accept
        iifname "vif*" counter packets 0 bytes 0 reject with icmp type host-prohibited
        counter packets 28575 bytes 1717278 drop
        counter packets 0 bytes 0 log
        counter packets 0 bytes 0 log
        iifname "docker0" counter packets 0 bytes 0 accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        counter packets 880249 bytes 851779418 jump DOCKER-ISOLATION-STAGE-1
        oifname "br-cc7b89b40bee" ct state related,established counter packets 7586 bytes 14719677 accept
        oifname "br-cc7b89b40bee" counter packets 0 bytes 0 jump DOCKER
        iifname "br-cc7b89b40bee" oifname != "br-cc7b89b40bee" counter packets 5312 bytes 2458488 accept
        iifname "br-cc7b89b40bee" oifname "br-cc7b89b40bee" counter packets 0 bytes 0 accept
        oifname "br-d41d1510d330" ct state related,established counter packets 8330 bytes 7303256 accept
        oifname "br-d41d1510d330" counter packets 0 bytes 0 jump DOCKER
        iifname "br-d41d1510d330" oifname != "br-d41d1510d330" counter packets 7750 bytes 7569465 accept
        iifname "br-d41d1510d330" oifname "br-d41d1510d330" counter packets 0 bytes 0 accept
        oifname "br-79fccb9a0478" ct state related,established counter packets 11828 bytes 474832 accept
        oifname "br-79fccb9a0478" counter packets 11796 bytes 707760 jump DOCKER
        iifname "br-79fccb9a0478" oifname != "br-79fccb9a0478" counter packets 7 bytes 526 accept
        iifname "br-79fccb9a0478" oifname "br-79fccb9a0478" counter packets 11796 bytes 707760 accept
        counter packets 1756295 bytes 1727495359 jump DOCKER-USER
        oifname "docker0" ct state related,established counter packets 1010328 bytes 1597833795 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 284235 bytes 16037499 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        ct state invalid counter packets 0 bytes 0 drop
        ct state related,established counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 jump QBS-FORWARD
        iifname "vif*" oifname "vif*" counter packets 0 bytes 0 drop
        iifname "vif*" counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 drop
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain QBS-FORWARD {
    }
    chain DOCKER {
    }
    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "br-cc7b89b40bee" oifname != "br-cc7b89b40bee" counter packets 5312 bytes 2458488 jump DOCKER-ISOLATION-STAGE-2
        iifname "br-d41d1510d330" oifname != "br-d41d1510d330" counter packets 7750 bytes 7569465 jump DOCKER-ISOLATION-STAGE-2
        iifname "br-79fccb9a0478" oifname != "br-79fccb9a0478" counter packets 7 bytes 526 jump DOCKER-ISOLATION-STAGE-2
        iifname "docker0" oifname != "docker0" counter packets 590138 bytes 34612496 jump DOCKER-ISOLATION-STAGE-2
        counter packets 1808904 bytes 1760729363 return
    }
    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "br-cc7b89b40bee" counter packets 0 bytes 0 drop
        oifname "br-d41d1510d330" counter packets 0 bytes 0 drop
        oifname "br-79fccb9a0478" counter packets 0 bytes 0 drop
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 644929 bytes 74784737 return
    }
    chain DOCKER-USER {
        counter packets 0 bytes 0 log
        iifname "docker0" counter packets 305903 bytes 18574997 accept
        counter packets 1450392 bytes 1708920362 return
    }
}
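Added example, not part of the question or the answer: a small Python script that reads `nft list` output of the kind pasted above and flags rules that sit behind an unconditional terminal verdict in the same chain, which is the one thing zero counters on a freshly inserted log rule tend to mean. The sample ruleset is copied from the INPUT and DOCKER-USER chains above; the script itself was written for this page and is not nftables, iptables or Docker code.

```python
"""Flag rules in `nft list` output that can never match because an earlier
rule in the same chain is an unconditional terminal verdict.

Added example for this page (not code from the question, the answer, nftables
or Docker). SAMPLE is copied from the INPUT and DOCKER-USER chains in the question."""
import re
import sys

# A rule whose only statement is one of these ends the chain walk for every packet.
TERMINAL = {"accept", "drop", "reject", "return"}
COUNTER_RE = re.compile(r"\s*counter packets \d+ bytes \d+")

SAMPLE = """\
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ct state invalid counter packets 80 bytes 3200 drop
        iifname "vif*" meta l4proto udp udp dport 68 counter packets 0 bytes 0 drop
        ct state related,established counter packets 9479197 bytes 17035404271 accept
        iifname "vif*" meta l4proto icmp counter packets 0 bytes 0 accept
        iifname "lo" counter packets 9167 bytes 477120 accept
        iifname "vif*" counter packets 0 bytes 0 reject with icmp type host-prohibited
        counter packets 28575 bytes 1717278 drop
        counter packets 0 bytes 0 log
        counter packets 0 bytes 0 log
        iifname "docker0" counter packets 0 bytes 0 accept
    }
    chain DOCKER-USER {
        counter packets 0 bytes 0 log
        iifname "docker0" counter packets 305903 bytes 18574997 accept
        counter packets 1450392 bytes 1708920362 return
    }
}
"""


def parse_chains(text):
    """Return {chain: [rule, ...]} with the counter statistics stripped."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current and line and not line.startswith("type "):
            chains[current].append(COUNTER_RE.sub("", line).strip())
    return chains


def is_unconditional_terminal(rule):
    """True when the rule has no match expression: its first token is already a verdict."""
    tokens = rule.split()
    return bool(tokens) and tokens[0] in TERMINAL


def shadowed_rules(chains):
    """Return [(chain, position, rule, blocker_position)] for unreachable rules.

    Positions are 1-based within the chain as listed here; confirm them against
    the handles printed by `nft -a list chain ...` before inserting anything."""
    findings = []
    for chain, rules in chains.items():
        blocker = None
        for pos, rule in enumerate(rules, start=1):
            if blocker is not None:
                findings.append((chain, pos, rule, blocker))
            elif is_unconditional_terminal(rule):
                blocker = pos
    return findings


def report(text):
    """One human-readable line per shadowed rule."""
    chains = parse_chains(text)
    lines = []
    for chain, pos, rule, blk in shadowed_rules(chains):
        lines.append("%s rule %d '%s' is unreachable: rule %d is an unconditional '%s'"
                     % (chain, pos, rule, blk, chains[chain][blk - 1]))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)) or "no shadowed rules")
```

Run it on the live ruleset with `nft list ip table filter > filter.txt; python3 shadowed.py filter.txt`. On the sample it reports the two `log` rules and the `iifname "docker0" accept` rule in INPUT as unreachable behind the unconditional `drop` at position 7, which matches the zero counters in the question. To place a rule before a specific existing one with nft, list handles with `nft -a list chain ip filter INPUT` and use `nft insert rule ip filter INPUT handle <N> counter log`, where N is the handle of the drop rule.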
Answer 1
You can use nftrace to trace the packet flow. It is very verbose, but it does not go to the kernel log: it is distributed through a multicast netlink socket (i.e., if nothing is listening to it, the trace simply goes to "/dev/null").

If you really want to trace everything, trace at prerouting and output with a low priority. It's better to use a separate table, because the nft list ip table filter you showed is actually iptables-over-nftables with its xt match layer API compatibility, and should not be tampered with (but can safely be used along the trace). Also, you should know that iptables may have other tables, such as the nat table.

So, with the ruleset in the file traceall.nft loaded with nft -f traceall.nft:

table ip traceall
delete table ip traceall
table ip traceall {
    chain prerouting {
        type filter hook prerouting priority -350; policy accept;
        meta nftrace set 1
    }
    chain output {
        type filter hook output priority -350; policy accept;
        meta nftrace set 1
    }
}

You can now follow these (very verbose) IPv4 traces with:

nft monitor trace

This even works the same way when done inside a container (which is usually not the case for the log target).

You can activate these traces elsewhere, or put conditions in rules at a later priority before activating them, to avoid tracing all hooks/chains. Following this schematic will help to understand the order of events: Packet flow in Netfilter and General Networking.

If you choose to use the equivalent -j TRACE target in iptables, also consult the man page for xtables-monitor, because iptables-over-nftables changed its behavior (compared to iptables-legacy).

Since I'm answering OP's question, here are wild guesses about the issue and the logging problem:

If Docker itself is run in a container, the logs may not be available. They can be made available to the host, as well as to all containers allowed to query kernel messages, with

sysctl -w net.netfilter.nf_log_all_netns=1

because kernel messages have no namespaced instances. The counter on the log rule in ip filter INPUT is zero, while the counter of the previous rule, with a drop statement, is not. This means the log rule was made too late: after the drop. The log rule (or rather iptables'

-j LOG

) should be inserted before the final drop statement, not appended after it in a place that can never be reached. The only INPUT rule about Docker is

iifname "docker0" counter packets 0 bytes 0 accept

. If the containers are not on the default Docker network, there is no rule allowing them to reach the host. Try adding a rule to test this. Make sure the result is inserted before the drop rule. Use iptables; avoid adding rules with nftables, which might not be compatible with iptables-over-nftables:

iptables -I INPUT 8 -i "br-*" -j ACCEPT
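Added example, not part of the answer above: `nft monitor trace` prints several long lines per packet and per hook, so a short summariser that collapses each trace id into the chains the packet crossed and the rule or policy that decided its fate is what a practitioner usually ends up writing. The script below was written for this page (it is not nftables code). The sample trace lines are constructed to match nft's trace text format for the ip filter ruleset in the question: a ping from a container on br-79fccb9a0478 hitting INPUT, and a host-originated TCP SYN leaving through OUTPUT after the traceall table from the answer has been loaded. The trace ids, MAC and IP addresses (172.18.0.2, 172.18.0.1, 10.137.0.12, 93.184.216.34) are made up and not taken from the page.

```python
"""Summarise `nft monitor trace` output: one record per traced packet with the
chains crossed and the rule or chain policy that decided it.

Added example for this page, not nftables code. SAMPLE_TRACE is CONSTRUCTED to
follow nft's trace line format for the question's ruleset; ids and addresses are made up."""
import re

SAMPLE_TRACE = """\
trace id 3a7f1b9c ip traceall prerouting packet: iif "br-79fccb9a0478" ether saddr 02:42:ac:12:00:02 ether daddr 02:42:5e:11:22:33 ip saddr 172.18.0.2 ip daddr 172.18.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 52713 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7 icmp sequence 1
trace id 3a7f1b9c ip traceall prerouting rule meta nftrace set 1 (verdict continue)
trace id 3a7f1b9c ip traceall prerouting verdict continue
trace id 3a7f1b9c ip traceall prerouting policy accept
trace id 3a7f1b9c ip filter INPUT packet: iif "br-79fccb9a0478" ether saddr 02:42:ac:12:00:02 ether daddr 02:42:5e:11:22:33 ip saddr 172.18.0.2 ip daddr 172.18.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 52713 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7 icmp sequence 1
trace id 3a7f1b9c ip filter INPUT rule counter packets 28575 bytes 1717278 drop (verdict drop)
trace id 5d02e4a1 ip traceall output packet: oif "eth0" ip saddr 10.137.0.12 ip daddr 93.184.216.34 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 44310 tcp dport 443 tcp flags == syn tcp window 64240
trace id 5d02e4a1 ip traceall output rule meta nftrace set 1 (verdict continue)
trace id 5d02e4a1 ip traceall output verdict continue
trace id 5d02e4a1 ip traceall output policy accept
trace id 5d02e4a1 ip filter OUTPUT packet: oif "eth0" ip saddr 10.137.0.12 ip daddr 93.184.216.34 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 44310 tcp dport 443 tcp flags == syn tcp window 64240
trace id 5d02e4a1 ip filter OUTPUT verdict continue
trace id 5d02e4a1 ip filter OUTPUT policy accept
"""

LINE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) "
    r"(?P<kind>packet|rule|verdict|policy):? ?(?P<rest>.*)$")
RULE_VERDICT_RE = re.compile(r"\(verdict (?P<verdict>[a-z]+)(?: (?P<target>\S+))?\)$")
FINAL = {"accept", "drop", "reject"}   # verdicts that settle the packet in a hook


def parse_trace(text):
    """Group trace lines by trace id, in arrival order: {id: [event, ...]}."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # tolerate anything that is not a trace line
        ev = m.groupdict()
        if ev["kind"] == "rule":
            v = RULE_VERDICT_RE.search(ev["rest"])
            ev["verdict"] = v.group("verdict") if v else "continue"
            ev["target"] = v.group("target") if v else None
            ev["rest"] = RULE_VERDICT_RE.sub("", ev["rest"]).strip()
        elif ev["kind"] in ("verdict", "policy"):
            ev["verdict"] = ev["rest"]
        traces.setdefault(ev["id"], []).append(ev)
    return traces


def packet_summary(rest):
    """Pull the interface, addresses and L4 detail out of a 'packet:' dump."""
    fields = {}
    for key in ("iif", "oif", "ip saddr", "ip daddr", "ip protocol",
                "icmp type", "tcp dport", "udp dport"):
        m = re.search(r"\b%s (\S+)" % re.escape(key), rest)
        if m:
            fields[key] = m.group(1).strip('"')
    return fields


def disposition(events):
    """(outcome, table, chain, detail) for one trace id.

    drop/reject ends the walk; an accept only carries the packet to the next
    hook, so keep scanning and report the last decision taken."""
    result = ("unknown", None, None, None)
    for ev in events:
        if ev["kind"] == "rule" and ev["verdict"] in FINAL:
            result = (ev["verdict"], ev["table"], ev["chain"], "rule: " + ev["rest"])
            if ev["verdict"] != "accept":
                break
        elif ev["kind"] == "policy":
            result = (ev["verdict"], ev["table"], ev["chain"], "chain policy")
    return result


def summarise(text, saddr=None):
    """One record per traced packet; optionally keep only packets from saddr."""
    records = []
    for tid, events in parse_trace(text).items():
        pkt = next((e for e in events if e["kind"] == "packet"), None)
        fields = packet_summary(pkt["rest"]) if pkt else {}
        if saddr and fields.get("ip saddr") != saddr:
            continue
        path = []
        for e in events:                   # table/chain hops in the order seen
            hop = "%s/%s" % (e["table"], e["chain"])
            if not path or path[-1] != hop:
                path.append(hop)
        records.append({"id": tid, "packet": fields, "path": path,
                        "decision": disposition(events)})
    return records


if __name__ == "__main__":
    for rec in summarise(SAMPLE_TRACE):
        outcome, table, chain, detail = rec["decision"]
        p = rec["packet"]
        print("%s %s -> %s via %s: %s in %s/%s (%s)" % (
            rec["id"], p.get("ip saddr"), p.get("ip daddr"), " > ".join(rec["path"]),
            outcome, table, chain, detail))
```

Feed it live output with `nft monitor trace > trace.txt` in one terminal while reproducing the ping, then `summarise(open("trace.txt").read(), saddr="<container ip>")`. On the constructed sample the container's echo request is reported as dropped in filter/INPUT by the unconditional `counter ... drop` rule, i.e. before the `log` rules, which is the same conclusion the answer draws from the counters.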