Docker container's published port shows as filtered - can't connect

I'm working on a server with a fresh installation of Ubuntu 20.04.
I started an example nginx on port 80 by running docker run --rm -p 80:80 nginx
The port appears to be open on that machine, but I can't reach the nginx default page with curl:

$ nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-15 13:06 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:25:90:d7:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 81.169.xxx.xxx/32 scope global dynamic eno1
       valid_lft 60728sec preferred_lft 60728sec
    inet6 fe80::225:90ff:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:25:90:d7:xx:xx brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:70:d9:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:70ff:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
48: br-49042740d2e8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:63:fe:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:63ff:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
68: veth17ce2e9@if67: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether d6:e2:53:0b:xx:xx brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::d4e2:53ff:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever


# Generated by iptables-save v1.8.4 on Sun Nov 15 13:00:57 2020
*filter
:INPUT ACCEPT [151:14142]
:FORWARD DROP [15:780]
:OUTPUT ACCEPT [123:16348]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-49042740d2e8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-49042740d2e8 -j DOCKER
-A FORWARD -i br-49042740d2e8 ! -o br-49042740d2e8 -j ACCEPT
-A FORWARD -i br-49042740d2e8 -o br-49042740d2e8 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-49042740d2e8 ! -o br-49042740d2e8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-49042740d2e8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Nov 15 13:00:57 2020
# Generated by iptables-save v1.8.4 on Sun Nov 15 13:00:57 2020
*nat
:PREROUTING ACCEPT [20:1254]
:INPUT ACCEPT [20:1254]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.19.0.0/16 ! -o br-49042740d2e8 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-49042740d2e8 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Sun Nov 15 13:00:57 2020

I can't connect to the server from my local machine. The port shows as filtered:

$ nmap example.de -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-15 14:12 CET
Nmap scan report for example.de (81.169.xxx.xxx)
Host is up (0.037s latency).
rDNS record for 81.169.xxx.xxx: h290xxxx.stratoserver.net
Not shown: 994 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
9876/tcp filtered sd

Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds

Running the container in host network mode works as expected; I can reach the nginx default page via localhost and from my local machine:
docker run --rm --network host nginx

Why isn't the port publishing working as expected? How can I fix this / analyze it further?
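Added example, not from the question or any answer: a small POSIX shell script that reads an iptables-save dump and checks whether Docker installed both rules a published TCP port needs, the nat-table DNAT (where the packet is sent) and the filter-table DOCKER ACCEPT (whether FORWARD lets it through). The embedded sample is the relevant lines of the dump above; the function names are this example's own.

```shell
#!/bin/sh
# Offline check of Docker's port-publishing rules in an iptables-save dump.
set -eu

# Constructed sample: the lines from the question's dump that matter for port 80.
SAMPLE_RULES='*filter
:FORWARD DROP [15:780]
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
COMMIT'

# Print the container endpoint (ip:port) that the nat DOCKER chain DNATs the
# given host TCP port to; prints nothing if no such rule exists.
dnat_target() {
  printf '%s\n' "$1" | sed -n "s/^-A DOCKER .*-p tcp .*--dport $2 -j DNAT --to-destination \(.*\)$/\1/p"
}

# Succeed if the filter DOCKER chain accepts forwarded TCP traffic to ip:port ($2).
forward_accepts() {
  ip="${2%%:*}"; port="${2##*:}"
  printf '%s\n' "$1" | grep -q -e "^-A DOCKER -d ${ip}/32 .*-p tcp .*--dport ${port} -j ACCEPT"
}

# Summarise one published port: "ok <ip:port>", "missing-dnat" or
# "missing-forward-accept <ip:port>".
check_published_port() {
  target=$(dnat_target "$1" "$2")
  if [ -z "$target" ]; then
    echo "missing-dnat"
  elif forward_accepts "$1" "$target"; then
    echo "ok $target"
  else
    echo "missing-forward-accept $target"
  fi
}

# As root on a Docker host, inspect the live ruleset; otherwise use the sample.
if command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  RULES=$(iptables-save)
else
  RULES=$SAMPLE_RULES
fi
check_published_port "$RULES" 80
```

If both rules are present (as they are in the dump above) and the port is still reported as filtered from outside, the host's own Docker rules are not what drops the packet, so the filter sits elsewhere on the path and that is where to look next.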