FirewallD docker 无法访问受信任区域中的 IP

FirewallD docker 无法访问受信任区域中的 IP

我使用的是 FirewallD 1.1.1 和 Ubuntu 22.04.2 LTS。当我把一个源 IP 添加到 trusted（受信任）区域后，它仍然会被 docker 区域阻止。

有人知道为什么会这样吗？我该如何解决？

下面是我的 firewalld 区域配置（`firewall-cmd --list-all-zones` 的输出）：

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-1d3369241dbf br-2441d78a6847 br-41ed9dc53492 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0f0
  sources: 
  services: custom--2406-3546 custom--25565-25567 custom--31195-31195 custom--64306-64306 custom--8123 custom--8803-8804 custom--http-alt dhcpv6-client ssh
  ports: 80/tcp 443/tcp 2022/tcp 7552/tcp 7552/udp 31194/udp 31194/tcp 31195/tcp 31195/udp
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: <IP1>
  services: custom--81
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

下面是 `docker network inspect bridge` 的输出：

[
    {
        "Name": "bridge",
        "Id": "7a4c15265efd8957091d9311bbeb98bd438d71314c7c2e457c8dc551896b9152",
        "Created": "2023-05-26T05:41:34.923141769Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                },
                {
                    "Subnet": "fd00:dead:beef:c0::/80",
                    "Gateway": "fd00:dead:beef:c0::1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8f1e9b77ca2b2b24a282b717b4fe17cab0d76f8f1279d3e3578a7d01fa303a9b": {
                "Name": "watchtower",
                "EndpointID": "5c2d2e29231df7af83b5fdadd73372ca3b46f5e4aaf29df1b7e04f2b0aa384c6",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": "fd00:dead:beef:c0:0:242:ac11:2/80"
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "false",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

更新 1

到目前为止，我用下面这些命令让它能正常工作了，但我仍然不确定这是否是正确的做法：

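# Workaround as applied, with the runtime/permanent split made consistent.
#
# The original sequence mixed a runtime-only change (the --remove-source)
# with --permanent-only changes (everything else). Runtime changes are lost
# on the next reload/restart, and --permanent changes are inert until one
# happens -- so at first only the removal was in effect, and after a reload
# the removal would be reverted (if <IP2> was a permanent source) while the
# remaining rules would appear. Apply each change to both states and finish
# with a reload so what is running matches what is saved.

# Drop <IP2> as a source of the trusted zone: runtime and permanent.
# (The permanent command reports NOT_ENABLED if <IP2> was never saved there.)
firewall-cmd --zone=trusted --remove-source=<IP2>
firewall-cmd --permanent --zone=trusted --remove-source=<IP2>

# Direct rules. Note that the direct interface is deprecated since firewalld
# 1.0 (policies are the replacement). These rules accept *all* host-bound
# (INPUT) and host-originated (OUTPUT) traffic on one Docker bridge, IPv4
# only -- the default `bridge` network above is IPv6-enabled
# ("EnableIPv6": true); if br-2441d78a6847 is too, its IPv6 traffic is not
# covered. The docker zone already lists br-2441d78a6847 with target ACCEPT,
# so the INPUT rule largely duplicates it, and firewalld normally applies no
# OUTPUT filtering, so the OUTPUT rule is likely a no-op. Review whether
# they are needed at all before keeping them.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i br-2441d78a6847 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o br-2441d78a6847 -j ACCEPT

# Without --zone this rich rule lands in the *default* zone (not shown in the
# dump; presumably public, the zone bound to enp1s0f0). That is the zone that
# traffic arriving from <IP2> on enp1s0f0 is classified into, so this is the
# rule that actually does the work.
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<IP2> accept'

# The same rule in the trusted zone cannot match anything: a zone's rich rules
# only see traffic already assigned to that zone (by interface or source), and
# after the removal above nothing from <IP2> is assigned to trusted. Kept for
# parity with the original; it can be dropped.
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address=<IP2> accept'

# Activate the --permanent changes.
firewall-cmd --reload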
