今夕同学 2021-07-17 17:01 采纳率: 0%

docker IP透传

A机器访问B机器，B机器通过隧道访问C机器，C机器上的docker容器拿不到用户的真实IP。C机器上docker的iptables规则如下：


# iptables-save excerpt from host C (the Docker host). Only the tail of the
# *filter table is visible here (its "*filter" header and chain policies were
# not pasted), followed by the complete *nat table.
# NOTE(review): every rule below is generated by dockerd; hand edits to the
# DOCKER / DOCKER-ISOLATION chains are rewritten when dockerd restarts, so
# site-specific filtering belongs in DOCKER-USER (see its RETURN rule below).
#
# FORWARD: each forwarded packet first visits DOCKER-USER, then the
# inter-network isolation chains, then the per-bridge groups.
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
# One group per Docker bridge network: replies of established flows may
# enter the bridge, new inbound flows are checked against the DOCKER chain
# (published-port whitelist), and anything leaving the bridge is accepted.
-A FORWARD -o br-9c51fda51c87 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-9c51fda51c87 -j DOCKER
-A FORWARD -i br-9c51fda51c87 ! -o br-9c51fda51c87 -j ACCEPT
-A FORWARD -i br-9c51fda51c87 -o br-9c51fda51c87 -j ACCEPT
-A FORWARD -o br-29bbb3b8716d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-29bbb3b8716d -j DOCKER
-A FORWARD -i br-29bbb3b8716d ! -o br-29bbb3b8716d -j ACCEPT
-A FORWARD -i br-29bbb3b8716d -o br-29bbb3b8716d -j ACCEPT
-A FORWARD -o br-eda07fd1f448 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-eda07fd1f448 -j DOCKER
-A FORWARD -i br-eda07fd1f448 ! -o br-eda07fd1f448 -j ACCEPT
-A FORWARD -i br-eda07fd1f448 -o br-eda07fd1f448 -j ACCEPT
-A FORWARD -o br-1410336a63f5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1410336a63f5 -j DOCKER
-A FORWARD -i br-1410336a63f5 ! -o br-1410336a63f5 -j ACCEPT
-A FORWARD -i br-1410336a63f5 -o br-1410336a63f5 -j ACCEPT
-A FORWARD -o br-b2f73250984e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b2f73250984e -j DOCKER
-A FORWARD -i br-b2f73250984e ! -o br-b2f73250984e -j ACCEPT
-A FORWARD -i br-b2f73250984e -o br-b2f73250984e -j ACCEPT
-A FORWARD -o br-dfffcbf137b4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-dfffcbf137b4 -j DOCKER
-A FORWARD -i br-dfffcbf137b4 ! -o br-dfffcbf137b4 -j ACCEPT
-A FORWARD -i br-dfffcbf137b4 -o br-dfffcbf137b4 -j ACCEPT
-A FORWARD -o br-87ae85299eea -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-87ae85299eea -j DOCKER
-A FORWARD -i br-87ae85299eea ! -o br-87ae85299eea -j ACCEPT
-A FORWARD -i br-87ae85299eea -o br-87ae85299eea -j ACCEPT
-A FORWARD -o br-c4c07a9bd30d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-c4c07a9bd30d -j DOCKER
-A FORWARD -i br-c4c07a9bd30d ! -o br-c4c07a9bd30d -j ACCEPT
-A FORWARD -i br-c4c07a9bd30d -o br-c4c07a9bd30d -j ACCEPT
-A FORWARD -o br-9b560bd8e8c6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-9b560bd8e8c6 -j DOCKER
-A FORWARD -i br-9b560bd8e8c6 ! -o br-9b560bd8e8c6 -j ACCEPT
-A FORWARD -i br-9b560bd8e8c6 -o br-9b560bd8e8c6 -j ACCEPT
-A FORWARD -o br-9476a986f5ed -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-9476a986f5ed -j DOCKER
-A FORWARD -i br-9476a986f5ed ! -o br-9476a986f5ed -j ACCEPT
-A FORWARD -i br-9476a986f5ed -o br-9476a986f5ed -j ACCEPT
-A FORWARD -o br-cc7a1ba0c01e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cc7a1ba0c01e -j DOCKER
-A FORWARD -i br-cc7a1ba0c01e ! -o br-cc7a1ba0c01e -j ACCEPT
-A FORWARD -i br-cc7a1ba0c01e -o br-cc7a1ba0c01e -j ACCEPT
# docker0 is the default bridge; same four-rule pattern as above.
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# DOCKER (filter): whitelist of published container ports. Each ACCEPT here
# pairs with a DNAT target in the nat-table DOCKER chain further down.
-A DOCKER -d 172.24.0.2/32 ! -i br-b2f73250984e -o br-b2f73250984e -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-87ae85299eea -o br-87ae85299eea -p tcp -m tcp --dport 3306 -j ACCEPT

# The commented-out rule below was presumably an attempt to admit tunnel
# traffic (arriving on Tunnel-1) to 192.168.10.2:3306. As written it would not
# load: the port match is "-dport" (single dash) instead of "--dport", and no
# DNAT in the nat table rewrites a destination to 192.168.10.2, so the filter
# DOCKER chain would never see a packet with that destination anyway.
# It also does not bear on the real-IP question: DNAT rewrites only the
# destination, so the container already receives whatever source address
# reaches host C. If the client address is missing inside the container, it
# was most likely replaced before C (e.g. B proxying or SNATing the tunnel
# traffic) — TODO confirm by capturing on the tunnel interface of C.
#-A DOCKER -d 192.168.10.2/32 ! -i Tunnel-1 -o br-87ae85299eea -p tcp -m tcp -dport 3306 -j ACCEPT

-A DOCKER -d 172.24.0.4/32 ! -i br-b2f73250984e -o br-b2f73250984e -p tcp -m tcp --dport 4831 -j ACCEPT
# DOCKER-ISOLATION: traffic leaving one Docker bridge is passed to STAGE-2,
# which drops it if it would enter another Docker bridge; everything else
# returns to FORWARD.
-A DOCKER-ISOLATION-STAGE-1 -i br-9c51fda51c87 ! -o br-9c51fda51c87 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-29bbb3b8716d ! -o br-29bbb3b8716d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-eda07fd1f448 ! -o br-eda07fd1f448 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1410336a63f5 ! -o br-1410336a63f5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b2f73250984e ! -o br-b2f73250984e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-dfffcbf137b4 ! -o br-dfffcbf137b4 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-87ae85299eea ! -o br-87ae85299eea -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-c4c07a9bd30d ! -o br-c4c07a9bd30d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-9b560bd8e8c6 ! -o br-9b560bd8e8c6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-9476a986f5ed ! -o br-9476a986f5ed -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cc7a1ba0c01e ! -o br-cc7a1ba0c01e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-9c51fda51c87 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-29bbb3b8716d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-eda07fd1f448 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1410336a63f5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b2f73250984e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-dfffcbf137b4 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-87ae85299eea -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-c4c07a9bd30d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-9b560bd8e8c6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-9476a986f5ed -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cc7a1ba0c01e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# DOCKER-USER is empty (RETURN only). This is the chain Docker leaves for
# operator rules; e.g. restricting which interfaces/sources may reach 3306
# would go here, ahead of the generated rules.
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Jul 14 17:55:37 2021
# Generated by iptables-save v1.6.1 on Wed Jul 14 17:55:37 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
:DOCKER - [0:0]
# Packets addressed to a local host address are handed to the nat DOCKER
# chain for port publishing (PREROUTING for inbound, OUTPUT for host-local
# clients other than loopback).
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# MASQUERADE: container-originated traffic leaving its own bridge takes the
# host's address. These match on source subnet only, so they affect outbound
# flows from containers, not inbound DNATed connections — they do not hide the
# client's IP from the container.
-A POSTROUTING -s 172.28.0.0/16 ! -o br-9c51fda51c87 -j MASQUERADE
-A POSTROUTING -s 172.27.0.0/16 ! -o br-29bbb3b8716d -j MASQUERADE
-A POSTROUTING -s 172.26.0.0/16 ! -o br-eda07fd1f448 -j MASQUERADE
-A POSTROUTING -s 172.25.0.0/16 ! -o br-1410336a63f5 -j MASQUERADE
-A POSTROUTING -s 172.24.0.0/16 ! -o br-b2f73250984e -j MASQUERADE
-A POSTROUTING -s 172.23.0.0/16 ! -o br-dfffcbf137b4 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-87ae85299eea -j MASQUERADE
-A POSTROUTING -s 172.21.0.0/16 ! -o br-c4c07a9bd30d -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-9b560bd8e8c6 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-9476a986f5ed -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-cc7a1ba0c01e -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Hairpin entries (-s and -d are the same container): only a container that
# connects to its own published port through the host is masqueraded here.
-A POSTROUTING -s 172.24.0.2/32 -d 172.24.0.2/32 -p tcp -m tcp --dport 9200 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.24.0.4/32 -d 172.24.0.4/32 -p tcp -m tcp --dport 4831 -j MASQUERADE
# Traffic that already comes from a Docker bridge is not re-published.
-A DOCKER -i br-9c51fda51c87 -j RETURN
-A DOCKER -i br-29bbb3b8716d -j RETURN
-A DOCKER -i br-eda07fd1f448 -j RETURN
-A DOCKER -i br-1410336a63f5 -j RETURN
-A DOCKER -i br-b2f73250984e -j RETURN
-A DOCKER -i br-dfffcbf137b4 -j RETURN
-A DOCKER -i br-87ae85299eea -j RETURN
-A DOCKER -i br-c4c07a9bd30d -j RETURN
-A DOCKER -i br-9b560bd8e8c6 -j RETURN
-A DOCKER -i br-9476a986f5ed -j RETURN
-A DOCKER -i br-cc7a1ba0c01e -j RETURN
-A DOCKER -i docker0 -j RETURN
# Port publishing (DNAT). Only the destination is rewritten; the source
# address the packet arrived with is what the container sees.
# 9200 is published on 127.0.0.1 only (host port 64298) — reachable from the
# host itself, not from the network.
# 3306 and 4831 carry no -d restriction, so they are reachable on every host
# interface except the container's own bridge — including the tunnel
# interface and any public-facing interface of C. If MySQL (3306) is meant
# to be reached only via the tunnel, publish it on that interface's address
# or add a DOCKER-USER rule limiting -i / -s for dport 3306.
# The 3306 DNAT appears twice (duplicate, functionally harmless; typically a
# sign the port was published twice — worth cleaning up).
-A DOCKER -d 127.0.0.1/32 ! -i br-b2f73250984e -p tcp -m tcp --dport 64298 -j DNAT --to-destination 172.24.0.2:9200
-A DOCKER ! -i br-87ae85299eea -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.22.0.2:3306
-A DOCKER ! -i br-87ae85299eea -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.22.0.2:3306
-A DOCKER ! -i br-b2f73250984e -p tcp -m tcp --dport 4831 -j DNAT --to-destination 172.24.0.4:4831
COMMIT



  • CSDN-Ada助手 CSDN-AI 官方账号 2022-09-07 18:57
    不知道你这个问题是否已经解决, 如果还没有解决的话:

    如果你已经解决了该问题, 非常希望你能够分享一下解决方案, 以帮助更多的人 ^-^

