我已经在 iptables 中打开了端口 8080,并且正在启动一个 nextcloud 容器,其中端口 8080 公开并路由到容器内端口 80 上的 nextcloud 服务器。
当我在本地运行 docker 时,我无法访问 localhost:8080;当我在远程服务器上运行 docker 时,我无法访问 server_ip:8080,即使我的端口 8080 是打开的。
在我运行脚本配置防火墙后,Docker 已经修改了 iptables。
我应该如何更改链规则以使其接受与 Docker 容器的连接?(如果我将 INPUT 策略设置为 ACCEPT,则可以在 localhost:8080 上访问 nextcloud,但如果我将 INPUT 策略设置为接受,则无法在 server_ip:8080 上访问...)
谢谢
这是 iptables 脚本:
#/bin/bash
set -ex
# Flush all existing rules, chains, and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
############### INPUT chain
## drop icmp
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
## drop scans XMAS and NULL.
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## drop broadcast
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
## allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
## allow local loopback
iptables -I INPUT -i lo -j ACCEPT
#Server rules
iptables -A INPUT -p tcp -m tcp --dport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -i enp53s0 -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -i enp53s0 -j DROP
## On log les paquets en entrée.
iptables -A INPUT -j LOG
############### OUTPUT chain
# Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
# allow outgoing connection for dns requests, time synchro on enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT
# allow connections on source and destination specific ports on enp53s0 interface
iptables -A OUTPUT -p tcp -m tcp --sport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 443 -o enp53s0 -j ACCEPT
# allow ping in output chain
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT
iptables --list 显示以下输出:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
DROP all -- anywhere anywhere state INVALID
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain DOCKER (3 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere