Apacheブリッジコンテナを使用したDocker IP転送

Apacheブリッジコンテナを使用したDocker IP転送

私のDOCKERコンテナにLAMPイメージを使用しており、Apache access.logでは、すべてのリクエストは同じIPアドレス(172.17.0.1)から来ています。ブリッジIPです。私の質問は:SynologyからDockerコンテナにIPを転送できますか?それともここで何かが間違っていて、コンテナ/ Synology設定に何かが欠けていますか?

iptablesに関する@SYNの提案に基づいて、誰かがどのルールを変更し、何を変更する必要があるかを教えてもらえますか?

Synology(Dockerホスト)の私のNATルールは次のとおりです。

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80

基本表は次のとおりです。

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-USER
-A DEFAULT_FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

詳細出力:

admin@SynologyCluster:/$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2954K packets, 2329M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DEFAULT_FORWARD  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 2741K packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DEFAULT_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:mysql
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere
admin@SynologyCluster:/$ sudo iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 10733 packets, 1338K bytes)
 pkts bytes target     prot opt in     out     source               destination
 342K   36M DEFAULT_PREROUTING  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 10702 packets, 1334K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
36669 2325K DEFAULT_OUTPUT  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
26637 1655K DEFAULT_POSTROUTING  all  --  any    any     anywhere             anywhere

Chain DEFAULT_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
19352 1183K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain DEFAULT_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:mysql
    7   420 MASQUERADE  all  --  any    docker0  anywhere             anywhere             ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:http

Chain DEFAULT_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 234K   15M DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40001 to:172.17.0.2:3306
   12   720 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40000 to:172.17.0.2:80

私が理解したのは、このNATルールを変更することです。

-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE

私の考えは正しいですか?まだ確かではないし、これを台無しにしたくない。

答え1

これがあなたの場合に当てはまるかどうかはわかりませんが、クライアントIPを見るPi-holeで動作しました(言及どおり)。ここ):

sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

これは永続的ではないため、NASを再起動すると再適用する必要があります。

関連情報