Debugging a firewall block

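I am running a small docker container (port 8080) on an Azure Ubuntu machine that I set up. I can ssh into the machine (port 22), but I cannot reach the container from outside (curl from the machine itself works, though). I suspect this is firewall-related, possibly in Azure, possibly on the machine, possibly somewhere else. How do I find out what is doing the blocking?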

I tried setting up a non-Docker service on port 80, just to have something to debug with. Neither 80 nor 8080 is reachable from outside.

netstat shows the following:

$ netstat -l -t -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 :::9200                 :::*                    LISTEN
tcp6       0      0 :::9300                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN

iptables looks like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I ran tracert from my Windows machine at home:

$ tracert [redacted]

Tracing route to [redacted] over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  [redacted] [192.168.1.1]
  2     1 ms     2 ms     1 ms  [redacted].telia.com [x.y.z.1]
  3     7 ms     7 ms     7 ms  [redacted].telia.net [x.y.z.87]
  4     8 ms     8 ms    11 ms  [redacted].telia.net [x.y.z.158]
  5     8 ms     9 ms    15 ms  [redacted].telia.net [x.y.z.14]
  6     8 ms    12 ms     7 ms  [redacted].telia.net [x.y.z.179]
  7    10 ms     8 ms     8 ms  [redacted].telia.net [x.y.z.251]
  8    14 ms    18 ms    16 ms  [redacted].msn.net [x.y.z.146]
  9    38 ms    38 ms    38 ms  [redacted].msn.net [x.y.z.250]
 10    38 ms    38 ms    38 ms  [redacted].msn.net [x.y.z.131]
 11    38 ms    38 ms    38 ms  [redacted].msn.net [x.y.z.190]
 12    38 ms    38 ms    38 ms  [redacted].msn.net [x.y.z.214]
 13    37 ms    39 ms    37 ms  [redacted].msn.net [x.y.z.82]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 ...

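What else can I do to analyze what is causing the block? I have run into this situation many times, but I have never found a way to track down the root cause myself, so any help is greatly appreciated!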
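
As an added example (not part of the original post): a Python sketch that classifies each listener in the `netstat -l -t -n` output quoted above by bind scope, separating sockets bound to loopback only from those bound to all interfaces. The function names are hypothetical, and the sample input is the listener table from the question.

```python
import ipaddress

# Listener table copied from the netstat output quoted in the question.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 :::9200                 :::*                    LISTEN
tcp6       0      0 :::9300                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

def bind_scope(addr):
    """Classify a listening address: 'all-interfaces', 'loopback' or 'specific'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def parse_listeners(text):
    """Return sorted (port, proto, address, scope) tuples for TCP LISTEN sockets."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[-1] != "LISTEN" or not f[0].startswith("tcp"):
            continue  # skips the header and any non-listening rows
        # rpartition splits on the last colon, so "::" survives for tcp6
        addr, _, port = f[3].rpartition(":")
        rows.append((int(port), f[0], addr, bind_scope(addr)))
    return sorted(rows)

def exposed_ports(text):
    """Ports with at least one listener that is not restricted to loopback."""
    return sorted({p for p, _, _, scope in parse_listeners(text)
                   if scope != "loopback"})

if __name__ == "__main__":
    for port, proto, addr, scope in parse_listeners(SAMPLE):
        print(f"{port:>5}  {proto:<4}  {addr:<12} {scope}")
    print("not loopback-only:", exposed_ports(SAMPLE))
```

A wildcard bind only shows that the socket itself would accept connections arriving on any interface; every port in this list becomes reachable as soon as the filtering in front of the host permits it, so review the full list before opening rules for one port.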
