例如,使用 docker run -p 5230:80 nginx 在宿主机 5230 端口创建好一个服务(不一定是 nginx,其他镜像也一样;也不一定是 5230 端口,其他端口也一样)。
使用 ssh 登录成功后:
- 使用容器的 ip 地址,如 curl -v http://172.18.0.2:5230,可以访问成功
- 使用 127.0.0.1/localhost,如 curl -v http://127.0.0.1:5230,可以访问成功
- 使用局域网 ip 地址,如 curl -v http://192.168.30.4:5230,无法访问成功,日志如下:
* Trying 192.168.30.4:5230...
* connect to 192.168.30.4 port 5230 failed: Connection timed out
* Failed to connect to 192.168.30.4 port 5230 after 134156 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to 192.168.30.4 port 5230 after 134156 ms: Couldn't connect to server
重点来了:从局域网其他机器使用 curl -v http://192.168.30.4:5230 访问,可以访问成功。
但是,不是 docker 的服务端口就正常,例如宿主机自身的 5666 端口,在 ssh 登录成功后:
- 使用 127.0.0.1/localhost,如 curl -v http://127.0.0.1:5666,可以访问成功
- 使用局域网 ip 地址,如 curl -v http://192.168.30.4:5666,可以访问成功
这是执行 sudo nft list ruleset 的结果,不知道是不是这里的问题:
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "br-cae10fc9a1d9" counter packets 0 bytes 0 return
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-9a26092467ca" counter packets 0 bytes 0 return
iifname != "br-cae10fc9a1d9" tcp dport 5230 counter packets 13 bytes 732 dnat to 172.18.0.2:5230
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 943 bytes 64394 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 92 bytes 12032 jump DOCKER
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "br-cae10fc9a1d9" ip saddr 172.18.0.0/16 counter packets 2 bytes 120 masquerade
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
oifname != "br-9a26092467ca" ip saddr 172.23.0.0/16 counter packets 0 bytes 0 masquerade
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
iifname != "br-cae10fc9a1d9" oifname "br-cae10fc9a1d9" ip daddr 172.18.0.2 tcp dport 5230 counter packets 6 bytes 312 accept
iifname != "br-9a26092467ca" oifname "br-9a26092467ca" counter packets 0 bytes 0 drop
iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop
iifname != "br-cae10fc9a1d9" oifname "br-cae10fc9a1d9" counter packets 0 bytes 0 drop
}
chain DOCKER-FORWARD {
counter packets 28327 bytes 6361079 jump DOCKER-CT
counter packets 14508 bytes 5289049 jump DOCKER-ISOLATION-STAGE-1
counter packets 14508 bytes 5289049 jump DOCKER-BRIDGE
iifname "br-9a26092467ca" counter packets 0 bytes 0 accept
iifname "docker0" counter packets 33 bytes 3567 accept
iifname "br-cae10fc9a1d9" counter packets 1277 bytes 3984219 accept
}
chain DOCKER-BRIDGE {
oifname "br-9a26092467ca" counter packets 0 bytes 0 jump DOCKER
oifname "docker0" counter packets 6 bytes 312 jump DOCKER
oifname "br-cae10fc9a1d9" counter packets 6 bytes 312 jump DOCKER
}
chain DOCKER-CT {
oifname "br-9a26092467ca" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" ct state related,established counter packets 34 bytes 5209 accept
oifname "br-cae10fc9a1d9" ct state related,established counter packets 1706 bytes 103706 accept
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-9a26092467ca" oifname != "br-9a26092467ca" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 33 bytes 3567 jump DOCKER-ISOLATION-STAGE-2
iifname "br-cae10fc9a1d9" oifname != "br-cae10fc9a1d9" counter packets 1277 bytes 3984219 jump DOCKER-ISOLATION-STAGE-2
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-cae10fc9a1d9" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-9a26092467ca" counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 28326 bytes 6360750 jump DOCKER-USER
counter packets 28327 bytes 6361079 jump DOCKER-FORWARD
}
chain DOCKER-USER {
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
chain DOCKER {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip6 filter {
chain DOCKER {
}
chain DOCKER-FORWARD {
counter packets 0 bytes 0 jump DOCKER-CT
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
counter packets 0 bytes 0 jump DOCKER-BRIDGE
}
chain DOCKER-BRIDGE {
}
chain DOCKER-CT {
}
chain DOCKER-ISOLATION-STAGE-1 {
}
chain DOCKER-ISOLATION-STAGE-2 {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-FORWARD
}
chain DOCKER-USER {
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
iifname != "br-cae10fc9a1d9" ip daddr 172.18.0.2 counter packets 0 bytes 0 drop
}
}
这是 ifconfig 的输出结果:
br-cae10fc9a1d9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::600e:ebff:fea5:cd7e prefixlen 64 scopeid 0x20<link>
ether 62:0e:eb:a5:cd:7e txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::24cd:a7ff:feca:4e2d prefixlen 64 scopeid 0x20<link>
ether 26:cd:a7:ca:4e:2d txqueuelen 0 (Ethernet)
RX packets 58 bytes 5308 (5.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 70 bytes 8483 (8.2 KiB)
TX errors 0 dropped 96 overruns 0 carrier 0 collisions 0
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether b0:41:6f:08:97:34 txqueuelen 1000 (Ethernet)
RX packets 234037 bytes 171351436 (163.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1155208 bytes 1642686001 (1.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 133 base 0xd000
enp1s0-ovs: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.30.4 netmask 255.255.255.0 broadcast 192.168.30.255
inet6 fe80::6de0:26db:e465:1f4c prefixlen 64 scopeid 0x20<link>
ether b0:41:6f:08:97:34 txqueuelen 1000 (Ethernet)
RX packets 152178 bytes 163544990 (155.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 104851 bytes 1573561927 (1.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 53048 bytes 32687334 (31.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 53048 bytes 32687334 (31.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth010ceec: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::94cc:58ff:fe63:c1c2 prefixlen 64 scopeid 0x20<link>
ether 96:cc:58:63:c1:c2 txqueuelen 0 (Ethernet)
RX packets 1467 bytes 4021177 (3.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2004 bytes 156044 (152.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
也不知道还需要什么别的信息,如需其他信息我可以继续提供。