
docker-compose ports forwarding not working if not on localhost proxy->vpn

I really can't understand why everything works on the same host, but the port is filtered from outside the host (even from a VM on the same host in bridged mode).


services:
  vpn:
    build: ./openvpn
    # cap_add, security_opt, and volume required for the image to function
    cap_add:
      - net_admin
    environment:
      OPENVPN_USERNAME: 'XXXXXX'
      OPENVPN_PASSWORD: 'XXXXXXXX'
      OPENVPN_PROVIDER: 'XXXXXXXXXXX'
      OPENVPN_CONFIG: 'Amsterdam'
      SQUID_EXT_PORT: "3001"
    networks:
      - dockerproxy

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    read_only: true
    tmpfs:
      - /run
      - /tmp
    restart: unless-stopped
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    ports:
      - "0.0.0.0:${SQUID_EXT_PORT:-3001}:3128"
    volumes:
      - /dev/net:/dev/net:z
      - /config
  squid:
    build: ./squid
    environment:
      SQUID_VERSION: '3.5.27'
      SQUID_CACHE_DIR: '/squid/var/cache/squid'
      SQUID_LOG_DIR: '/var/log/squid'
      SQUID_USER: 'proxy'
    tty: true
    network_mode: service:vpn
    volumes:
      - /srv/docker/squid/cache:/squid/var/cache/squid
    restart: unless-stopped

networks:
  dockerproxy:
    external:
      name: dockerproxy 

I have checked that the port is open:

netstat -tulpn | grep 3001
tcp6       0      0 :::3001                 :::*                    LISTEN      -   
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                   PORTS                    NAMES
cba39f7e94dc        amsterdam_squid     "/sbin/entrypoint.sh"    9 minutes ago       Up 9 minutes                                      amsterdam_squid_1
2856f2bb2b7c        amsterdam_vpn       "/usr/local/bin/open…"   9 minutes ago       Up 9 minutes (healthy)   0.0.0.0:3001->3128/tcp   amsterdam_vpn_1

I suspect it may be the docker daemon iptables configuration, which I haven't changed because I'm not very confident with them.

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* managed by anbox-bridge */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* managed by anbox-bridge */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps /* managed by anbox-bridge */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* managed by anbox-bridge */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* managed by anbox-bridge */
ACCEPT     all  --  anywhere             anywhere             /* managed by anbox-bridge */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (3 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.28.0.2           tcp dpt:3128

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere  

Can someone more capable than me find the reason why I can use the proxy on the same host:

nmap localhost -p 3001

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-10 17:06 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).

PORT     STATE SERVICE
3001/tcp open  nessus

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

but not from another host:

nmap 192.168.1.14 -p 3001
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-10 10:54 EST
Nmap scan report for 192.168.1.14
Host is up (0.00076s latency).

PORT     STATE    SERVICE
3001/tcp filtered nessus

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

I hadn't noticed this behaviour before, and I have always been able to access all my docker services on the same machine, except for this proxy-vpn service.

The problem is that the VPN container doesn't really know the network it is in.

In other words, to make this work you have to add a route in the VPN container (since it alone is used for networking, thanks to the network_mode: service:vpn directive) towards the place the reply packets have to be sent to (usually the Docker host gateway). Otherwise your packets are dropped, which typically shows up as the nmap filtered state. Oddly, the packets don't even reach your squid server, so there are no logs from that side. This threw me off for a long time, but the fact that the packets never reach the squid server is exactly what happens, so I guess I was the only one being misled.

An effective way to add the route that lets your packets return is:

/sbin/ip r a "${localNet}" via "${GW}" dev "${INT}"

I took this from the great Docker application https://github.com/haugene/docker-transmission-openvpn where you can find the meaning of the variables in the script line above.
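As an added example (not part of the answer above, and not code from haugene/docker-transmission-openvpn), the following POSIX shell script derives the three variables of that `ip r a` line from the container's own routing table and prints the resulting command instead of executing it, so it can be checked before being run as root inside the VPN container. The routing table is a constructed sample of what `ip route show` looks like after OpenVPN has pushed a `redirect-gateway def1` style configuration: the `0.0.0.0/1` and `128.0.0.0/1` routes via `tun0` cover every address, including the LAN clients, which is why replies to them leave through the tunnel and never come back; the original `default via 172.28.0.1 dev eth0` route is still present and is where the gateway and interface come from. The LAN prefix (`192.168.1.0/24` here) is an assumption the caller must supply, since nothing inside the container reveals the host's LAN; the `/24` route wins over the `/1` routes by longest prefix match, which is what makes the answer's fix work.

```shell
#!/bin/sh
# Added example: build the "return route" command described in the answer
# from the container's routing table. Nothing here changes the system;
# the command is only printed.

# Constructed sample of `ip route show` inside the vpn container once the
# tunnel is up (eth0 on the dockerproxy network, gateway 172.28.0.1).
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.28.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
172.28.0.0/16 dev eth0 proto kernel scope link src 172.28.0.2'

# route_field ROUTES KEY -> value following KEY on the "default" line
# (the Docker bridge gateway/interface, not the tunnel's 0.0.0.0/1 route).
route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == key) { print $(i + 1); exit }
        }'
}

# default_gw ROUTES -> gateway of the default route (the answer's ${GW})
default_gw() {
    route_field "$1" via
}

# default_dev ROUTES -> interface of the default route (the answer's ${INT})
default_dev() {
    route_field "$1" dev
}

# return_route_cmd LAN_NET ROUTES -> the `ip route add` line for ${localNet}.
# Fails (exit 1) when no default route is present, e.g. when the VPN client
# replaced it instead of using def1; in that case read the gateway from the
# table captured before the tunnel came up.
return_route_cmd() {
    lan_net=$1
    routes=$2
    gw=$(default_gw "$routes")
    dev=$(default_dev "$routes")
    if [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "no default route found; cannot build the return route" >&2
        return 1
    fi
    printf '/sbin/ip route add %s via %s dev %s\n' "$lan_net" "$gw" "$dev"
}

# Usage: print the command for a constructed LAN of 192.168.1.0/24.
return_route_cmd 192.168.1.0/24 "$SAMPLE_ROUTES"
```

After applying the printed command inside the container, `ip route get 192.168.1.14` should report `dev eth0` rather than `tun0`; if it still shows the tunnel interface, the LAN prefix or the gateway was wrong and the port will keep showing as filtered from other hosts.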