How to route the traffic of a docker bridge interface through a VPN interface

I have a VPN interface nordlynx, a default interface ens5 and a docker bridge interface br-83e694bd09ad. Currently no traffic is routed through the nordlynx interface, but curl --interface nordlynx https://ifconfig.io does send the request through the VPN network (it returns the VPN server's IP address), while a plain curl https://ifconfig.io goes directly through ens5 (it shows the server's real IP address).

What I need to achieve is to somehow send all traffic from/to that docker interface through nordlynx (so that docker containers using this bridge can only reach the internet via the VPN) instead of directly through the default ens5. The rest of the "regular" traffic on the server, however, should keep using ens5 as usual; only the docker traffic should be routed this way (I need anyone to still be able to reach the server's public ports, e.g. SSH, and the server to talk to other machines with its real IP, i.e. not through the VPN).

From my research, docker itself doesn't seem to have any simple configuration option for this, so I'm hoping I can do it somehow with regular Linux routing or iptables rules. But I don't have that much experience here, and I haven't been able to find any guide on how to achieve such a setup.

This is the current output of ip addr show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:1b:b3:94:71:50 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname eni-03a0757ebcb70f7cd
    altname device-number-0
    inet 172.31.34.89/20 metric 512 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2072sec preferred_lft 2072sec
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:eb:b8:73:77 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
42: br-0c64a34b621d: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:a4:56:d1:4e brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-0c64a34b621d
       valid_lft forever preferred_lft forever
45: br-83e694bd09ad: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:48:a7:8b:ba brd ff:ff:ff:ff:ff:ff
    inet 10.6.0.1/16 brd 10.6.255.255 scope global br-83e694bd09ad
       valid_lft forever preferred_lft forever
54: nordlynx: <POINTOPOINT,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.5.0.2/32 scope global nordlynx
       valid_lft forever preferred_lft forever

This is the output of ip route show:

default via 172.31.32.1 dev ens5 proto dhcp src 172.31.34.89 metric 512
10.6.0.0/16 dev br-83e694bd09ad proto kernel scope link src 10.6.0.1 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.19.0.0/16 dev br-0c64a34b621d proto kernel scope link src 172.19.0.1 linkdown
172.31.0.2 via 172.31.32.1 dev ens5 proto dhcp src 172.31.34.89 metric 512
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.34.89 metric 512
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.34.89 metric 512

Output of ip -details link show dev nordlynx:

55: nordlynx: <POINTOPOINT,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 0 maxmtu 2147483552
    wireguard addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

Output of ip rule:

0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Output of ip route show table local:

local 10.5.0.2 dev nordlynx proto kernel scope host src 10.5.0.2
local 10.6.0.1 dev br-83e694bd09ad proto kernel scope host src 10.6.0.1
broadcast 10.6.255.255 dev br-83e694bd09ad proto kernel scope link src 10.6.0.1 linkdown
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
local 172.19.0.1 dev br-0c64a34b621d proto kernel scope host src 172.19.0.1
broadcast 172.19.255.255 dev br-0c64a34b621d proto kernel scope link src 172.19.0.1 linkdown
local 172.31.34.89 dev ens5 proto kernel scope host src 172.31.34.89
broadcast 172.31.47.255 dev ens5 proto kernel scope link src 172.31.34.89

Output of ip route show table main:

default via 172.31.32.1 dev ens5 proto dhcp src 172.31.34.89 metric 512
10.6.0.0/16 dev br-83e694bd09ad proto kernel scope link src 10.6.0.1 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.19.0.0/16 dev br-0c64a34b621d proto kernel scope link src 172.19.0.1 linkdown
172.31.0.2 via 172.31.32.1 dev ens5 proto dhcp src 172.31.34.89 metric 512
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.34.89 metric 512
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.34.89 metric 512

Output of ip route show table default:

Error: ipv4: FIB table does not exist.
Dump terminated
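One way to build this with plain Linux policy routing, added here as an example and not taken from the question or any posted answer: a dedicated routing table is selected only for packets that enter the host from the bridge, NAT is done on the VPN interface, and a rule in docker's DOCKER-USER chain stops container traffic from leaking via ens5 if nordlynx goes down. The interface names and the 10.6.0.0/16 subnet come from the question's output; table 100, rule priority 1000 and the rp_filter setting are assumptions.

```shell
#!/bin/sh
# Policy routing for the setup in the question: packets that enter the host
# from the docker bridge br-83e694bd09ad (10.6.0.0/16) are routed through
# nordlynx; everything else keeps using the main table and ens5.
# Assumed (not from the question): routing table 100 and rule priority 1000
# are unused, and docker's DOCKER-USER chain exists (it does on current
# docker releases). No argument prints the plan; "apply" (as root) runs it.
set -eu

BRIDGE_IF="br-83e694bd09ad"
BRIDGE_NET="10.6.0.0/16"
VPN_IF="nordlynx"
VPN_TABLE=100        # assumed free table id
VPN_PRIO=1000        # checked after "local" (0) but before "main" (32766)

# - "iif": only forwarded container traffic matches; the host's own packets,
#   including replies sent from 10.6.0.1, are not affected.
# - DROP in DOCKER-USER is the kill switch: when nordlynx goes down its table
#   route disappears and the lookup would otherwise fall through to ens5.
# - rp_filter=2 (loose) on nordlynx: strict mode would drop VPN replies,
#   because the main table routes their source addresses via ens5.
# Commands that install the policy, one per line.
vpn_route_plan() {
    cat <<EOF
ip route replace default dev $VPN_IF table $VPN_TABLE
ip rule add iif $BRIDGE_IF lookup $VPN_TABLE priority $VPN_PRIO
iptables -t nat -A POSTROUTING -s $BRIDGE_NET -o $VPN_IF -j MASQUERADE
iptables -I DOCKER-USER -i $BRIDGE_IF ! -o $VPN_IF -j DROP
iptables -I DOCKER-USER -i $BRIDGE_IF -o $BRIDGE_IF -j RETURN
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
EOF
}

# Commands that remove the policy again (rp_filter is left as set).
vpn_route_undo() {
    cat <<EOF
iptables -D DOCKER-USER -i $BRIDGE_IF -o $BRIDGE_IF -j RETURN
iptables -D DOCKER-USER -i $BRIDGE_IF ! -o $VPN_IF -j DROP
iptables -t nat -D POSTROUTING -s $BRIDGE_NET -o $VPN_IF -j MASQUERADE
ip rule del iif $BRIDGE_IF lookup $VPN_TABLE priority $VPN_PRIO
ip route flush table $VPN_TABLE
EOF
}

case "${1:-plan}" in
    plan)  vpn_route_plan ;;
    apply) vpn_route_plan | sh -e ;;
    undo)  vpn_route_undo | sh ;;
    *)     echo "usage: $0 [plan|apply|undo]" >&2; exit 2 ;;
esac
```

After applying, a container on the bridge should see the VPN address from curl https://ifconfig.io while the host itself still reports its real address, and the rule shows up in ip rule at priority 1000.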
