iptables firewall does not allow connections on port 8080 even though it is open (docker)


I have opened port 8080 in iptables and am starting a nextcloud container with port 8080 exposed and routed to the nextcloud server on port 80 inside the container.

When I run docker locally, I cannot reach localhost:8080; when I run docker on a remote server, I cannot reach server_ip:8080, even though my port 8080 is open.

Docker has modified iptables after I ran the script that configures the firewall.

How should I change the chain rules so that they accept connections to the Docker container? (If I set the INPUT policy to ACCEPT, I can reach nextcloud on localhost:8080, but if I set the INPUT policy to accept, I cannot reach it on server_ip:8080...)

Thanks

Here is the iptables script:

#!/bin/bash
set -ex

# Flush all existing rules, chains, and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X


# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT


############### INPUT chain
## drop icmp
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

##  drop scans XMAS and NULL.
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## drop broadcast
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

## allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

## allow local loopback
iptables -I INPUT -i lo -j ACCEPT

#Server rules
iptables -A INPUT -p tcp -m tcp --dport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -i enp53s0 -j ACCEPT

# Drop invalid packets
iptables -A INPUT -m state --state INVALID -i enp53s0 -j DROP

## Log incoming packets.
iptables -A INPUT -j LOG


############### OUTPUT chain
# Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT

# allow outgoing connection for dns requests, time synchro on enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT

# allow connections on source and destination specific ports on enp53s0 interface
iptables -A OUTPUT -p tcp -m tcp --sport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 443 -o enp53s0 -j ACCEPT

# allow ping in output chain
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT

iptables --list shows the following output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere             icmp echo-request
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain DOCKER (3 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere   
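Added example, not code from the original post: a small audit function that reads an `iptables-save` dump and reports the three ways a hand-written firewall script like the one above can cut off a published Docker port. It assumes Docker's default bridge `docker0` and the default userland proxy; the rule dumps in the usage are constructed samples.

```shell
#!/bin/sh
# Audit an iptables-save dump for Docker published-port pitfalls (added example).
# Usage: iptables-save | audit_docker_port 8080

audit_docker_port() {
    port="$1"
    rules=$(cat)                      # whole iptables-save dump from stdin
    rc=0
    _has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }

    # 1. A published port is reached through a DNAT rule in the nat table's
    #    DOCKER chain. A script that runs `iptables -t nat -F` after dockerd
    #    started deletes that rule, and nothing reaches the container.
    if _has "^-A DOCKER .*--dport ${port} .*-j DNAT"; then
        echo "ok: nat DOCKER chain DNATs port ${port} to a container"
    else
        echo "missing: no DNAT for port ${port} (nat table flushed, or container not running)"
        rc=1
    fi

    # 2. DNAT'd traffic then traverses FORWARD, not INPUT, so an INPUT accept
    #    for the port never sees container traffic. Docker evaluates the
    #    DOCKER-USER chain first in FORWARD and reserves it for operator rules.
    if _has "^-A INPUT .*--dport ${port} .*-j ACCEPT" && ! _has "^-A DOCKER-USER .*--dport ${port}"; then
        echo "note: INPUT rule for ${port} does not gate published-port traffic; filter it in DOCKER-USER"
    fi

    # 3. Connections from the host itself to localhost:${port} are not DNAT'd;
    #    docker-proxy accepts them and opens its own connection to the
    #    container, which leaves through filter OUTPUT on docker0. A DROP
    #    policy there with no docker0 allow rule blocks that hop.
    if _has "^:OUTPUT DROP" && ! _has "^-A OUTPUT .*-o docker0 .*-j ACCEPT"; then
        echo "blocked: OUTPUT policy DROP without an ACCEPT for -o docker0 (localhost:${port} will fail)"
        rc=1
    fi
    return $rc
}
```

Run it as root right after the firewall script and again after `systemctl restart docker`; the DNAT rule reappearing on the second run is the sign that the script's nat flush, not the INPUT chain, is what removed it.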
