The program runs inside docker and is mapped to port 8002 on the host. It can be reached normally via the host's public IP:8002
netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 843/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 939/master
tcp 0 0 0.0.0.0:8002 0.0.0.0:* LISTEN 22206/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 843/sshd
tcp6 0 0 ::1:25 :::* LISTEN 939/master
tcp6 0 0 :::8002 :::* LISTEN 22210/docker-proxy
The firewall is running
# firewall-cmd --state
running
The allowed rules show no port 8002, yet the web app is indeed reachable
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=docker
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --get-active-zones
docker
interfaces: docker0
public
interfaces: eth0
Both zones, docker and public, have empty port lists, which is odd. Where else can I look to see that port 8002 is allowed? Or are all ports allowed by default?
1
xiaoyanbot OP Just tested it: if a port is not mapped to the host by docker-proxy, it is blocked by default; the port has to be opened.
So the question now is: which rule lets a port mapped by docker-proxy through the firewall? Any pointers appreciated.
2
Nitroethane 2022-06-09 16:58:32 +08:00 via iPhone
Check whether the trusted zone contains the virtual interface docker created. The docker docs mention it: https://docs.docker.com/network/iptables/#integration-with-firewalld
3
kokutou 2022-06-09 17:03:15 +08:00
public (active)
target: default
docker (active)
target: ACCEPT
The difference is here. default is roughly equivalent to reject.
4
cslive 2022-06-09 18:01:41 +08:00
docker opens the firewall automatically; take a look at iptables
5
xiaoyanbot OP @cslive The iptables service isn't installed, so how do I check that?
6
m4d3bug 2022-06-09 18:16:07 +08:00 via Android
7
xiaoyanbot OP @Nitroethane How do I look at the trusted zone?
8
xiaoyanbot OP @cslive
~~~
# iptables -L DOCKER
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:teradataordbms
~~~
What is allowed is 172.17.0.2, but the host's docker IP is 172.17.0.1
9
Nitroethane 2022-06-09 19:50:36 +08:00
@xiaoyanbot #8 firewall-cmd --zone=trusted --list-all
The docs say it plainly; once you've read them you won't need to ask again: If you are running Docker version 20.10.0 or higher with firewalld on your system with --iptables enabled, Docker automatically creates a firewalld zone called docker and inserts all the network interfaces it creates (for example, docker0) into the docker zone to allow seamless networking. Consider running the following firewalld command to remove the docker interface from the zone.
10
Nitroethane 2022-06-09 19:51:42 +08:00
@Nitroethane #9 --zone=trusted should be --zone=docker
11
Nitroethane 2022-06-09 19:53:58 +08:00
@Nitroethane #9 If you are not sure which zone docker is in, list every zone with the firewall-cmd --list-all-zones command:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 4240/tcp 8472/udp 4244/tcp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
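The replies above point at two things to check: which zone the docker0 interface sits in (the docker zone with target ACCEPT) and whether any zone's ports list mentions the published port at all. The Python below is an added example, not code from the thread, from Docker or from firewalld: it parses the text that firewall-cmd --list-all-zones and netstat -nltp print and reports, for each docker-proxy listener, whether it is bound on every address and whether any active zone actually opens it, plus which zone each Docker bridge interface belongs to. The sample outputs inside are constructed from this thread's own listings, trimmed to the fields used; the function and variable names are mine.

```python
"""Correlate docker-proxy listeners with firewalld zone membership.

Added example, not code from the thread. It parses the text printed by
`firewall-cmd --list-all-zones` and `netstat -nltp` and reports, for each
published port, whether it is bound on every address and whether any
active zone opens it, and which zone holds the Docker bridge. The samples
are constructed from the thread's own listings, trimmed to the fields
used; on a real host pipe the commands' stdout in instead.
"""

SAMPLE_ZONES = """\
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:
docker (active)
  target: ACCEPT
  interfaces: docker0
  services:
  ports:
trusted
  target: ACCEPT
  interfaces:
  ports:
"""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 843/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 939/master
tcp 0 0 0.0.0.0:8002 0.0.0.0:* LISTEN 22206/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 843/sshd
tcp6 0 0 ::1:25 :::* LISTEN 939/master
tcp6 0 0 :::8002 :::* LISTEN 22210/docker-proxy
"""


def parse_zones(text):
    """Zone headers ('public (active)', 'trusted') carry no colon; every
    other line is 'key: value'. Indentation is ignored, so output pasted
    into a forum with its leading spaces stripped parses the same way."""
    zones, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if ":" not in line:
            cur = zones[line.split()[0]] = {"active": "(active)" in line,
                                             "target": "", "interfaces": [], "ports": []}
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if cur is not None and key in ("interfaces", "ports"):
            cur[key] = value.split()
        elif cur is not None and key == "target":
            cur[key] = value
    return zones


def parse_listeners(text):
    """Return (proto, bind_ip, port, program) for every LISTEN socket."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        ip, _, port = f[3].rpartition(":")          # also splits ':::8002'
        out.append((f[0], ip, int(port), f[6].partition("/")[2] or f[6]))
    return out


def port_opened(port, entries):
    """True if an 'N/tcp' or 'A-B/tcp' entry covers the port. Services
    such as 'ssh' are not expanded here; check those separately."""
    for entry in entries:
        rng, _, proto = entry.partition("/")
        lo, _, hi = rng.partition("-")
        if proto == "tcp" and int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(zones_text, netstat_text):
    """Report Docker bridge zone membership and every docker-proxy listener."""
    zones = parse_zones(zones_text)
    bridges = [(i, name, z["target"]) for name, z in zones.items()
               for i in z["interfaces"] if i.startswith(("docker", "br-"))]
    active = [z for z in zones.values() if z["active"]]
    published = [{
        "proto": proto, "port": port,
        "all_interfaces": ip in ("0.0.0.0", "::"),
        "opened_in_zone": any(port_opened(port, z["ports"]) for z in active),
    } for proto, ip, port, program in parse_listeners(netstat_text)
        if program == "docker-proxy"]
    return {"bridges": bridges, "published": published}
```

On a real host, save the two commands' output (for example `firewall-cmd --list-all-zones > zones.txt` and `netstat -nltp > ns.txt`) and pass the file contents to audit(). On the thread's sample it reports docker0 in zone docker with target ACCEPT, and port 8002 published on all interfaces with opened_in_zone=False, which is exactly the situation the question describes: reachable from outside while no public-zone rule mentions it, the behaviour the replies attribute to Docker's own zone and the iptables DOCKER chain shown in #8 rather than to the public zone's port list.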
12
7RTDKSAK 2022-06-10 10:13:13 +08:00
When you run docker run, it's best to state explicitly whether the port mapping listens on 127.0.0.0 or 0.0.0.0; if you don't, docker will pick 0.0.0.0 for you. Don't skimp on that bit of effort.
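Reply #12 recommends writing the bind address into the port mapping rather than relying on the default. The Python below is an added example, not code from the thread or from Docker: it parses docker run -p / compose ports: short-syntax specs of the form [host_ip:]host_port:container_port[/proto] and classifies what each one exposes, so a pre-flight check can flag mappings that silently land on 0.0.0.0. The default_bind parameter stands in for the daemon's default bind address (0.0.0.0 unless dockerd's --ip option / daemon.json "ip" setting changes it); the function names and the sample specs are mine, with the container port 80 assumed since the thread does not give it.

```python
"""Classify docker run -p / compose 'ports:' publish specs by bind address.

Added example, not code from the thread or from Docker. Short syntax is
'[host_ip:]host_port[:container_port][/proto]', IPv6 host addresses in
brackets. When host_ip is omitted Docker binds the daemon's default,
0.0.0.0 unless dockerd was started with --ip / daemon.json "ip", which is
why reply #12 asks for it to be written out explicitly.
"""
import ipaddress


def parse_publish(spec, default_bind="0.0.0.0"):
    """Split one publish spec into host_ip, host_port, container_port, proto."""
    body, _, proto = spec.partition("/")
    if body.startswith("["):                        # '[::1]:8002:80'
        close = body.index("]")
        fields = [body[1:close]] + body[close + 2:].split(":")
    else:
        fields = body.split(":")
    if len(fields) == 1:                            # '80': random host port
        host_ip, host_port, cport = default_bind, "", fields[0]
    elif len(fields) == 2:                          # '8002:80'
        host_ip, host_port, cport = default_bind, fields[0], fields[1]
    elif len(fields) == 3:                          # '127.0.0.1:8002:80'
        host_ip, host_port, cport = fields[0] or default_bind, fields[1], fields[2]
    else:
        raise ValueError(f"unrecognised publish spec: {spec!r}")
    return {"host_ip": host_ip, "host_port": host_port or None,
            "container_port": cport, "proto": proto or "tcp",
            "explicit_ip": len(fields) == 3 and bool(fields[0])}


def bind_scope(spec, default_bind="0.0.0.0"):
    """'all-interfaces', 'loopback' or 'specific-address' for one spec."""
    ip = ipaddress.ip_address(parse_publish(spec, default_bind)["host_ip"])
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-address"


def implicit_wide_open(specs, default_bind="0.0.0.0"):
    """Specs that end up listening on every interface without saying so:
    the ones worth rewriting as '127.0.0.1:host:container' (and fronting
    with a reverse proxy where outside access is needed) before the
    container is started."""
    return [s for s in specs
            if not parse_publish(s, default_bind)["explicit_ip"]
            and bind_scope(s, default_bind) == "all-interfaces"]


# Constructed sample: the thread's host port 8002 with an assumed container
# port of 80, written four ways.
SAMPLE_SPECS = ["8002:80", "127.0.0.1:8002:80", "[::1]:8002:80", "0.0.0.0:8002:80"]
```

For the thread's case, "8002:80" classifies as all-interfaces and is the only entry implicit_wide_open() returns, while "127.0.0.1:8002:80" classifies as loopback; "0.0.0.0:8002:80" is also all-interfaces but is not flagged, because the author wrote the address out, which is the distinction #12 asks for.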
13
xiaoyanbot OP @7RTDKSAK If it's bound to 127.0.0.1:8002 and external access is needed, do I then also have to put something like nginx in front to forward traffic?
14
7RTDKSAK 2022-06-10 12:33:35 +08:00