I am using a LAMP image in my Docker container, and in the Apache access.log every request comes from the same IP address (172.17.0.1), which is the bridge IP. My question is: can I forward the client IP from the Synology to the Docker container? Or is something wrong here, and is something missing from my container / Synology configuration?
Based on @SYN's suggestion about iptables, could someone tell me which rule I need to change and what I need to change it to?
Here are my NAT rules on the Synology (the Docker host):
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80
The default table is as follows:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-USER
-A DEFAULT_FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Verbose output:
admin@SynologyCluster:/$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2954K packets, 2329M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DEFAULT_FORWARD all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2741K packets, 16G bytes)
pkts bytes target prot opt in out source destination
Chain DEFAULT_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:mysql
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
admin@SynologyCluster:/$ sudo iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 10733 packets, 1338K bytes)
pkts bytes target prot opt in out source destination
342K 36M DEFAULT_PREROUTING all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 10702 packets, 1334K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8937 packets, 554K bytes)
pkts bytes target prot opt in out source destination
36669 2325K DEFAULT_OUTPUT all -- any any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 8937 packets, 554K bytes)
pkts bytes target prot opt in out source destination
26637 1655K DEFAULT_POSTROUTING all -- any any anywhere anywhere
Chain DEFAULT_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
19352 1183K DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain DEFAULT_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:mysql
7 420 MASQUERADE all -- any docker0 anywhere anywhere ADDRTYPE match src-type LOCAL
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:http
Chain DEFAULT_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
234K 15M DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:40001 to:172.17.0.2:3306
12 720 DNAT tcp -- any any anywhere anywhere tcp dpt:40000 to:172.17.0.2:80
What I understood is that I need to change this NAT rule:
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
Is my thinking correct? I am still not sure, and I don't want to mess this up.
Answer 1
I don't know whether this applies to your case, but it worked for me with Pi-hole to see the client IPs (as mentioned here):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
This is not persistent, so you will have to re-apply it after rebooting the NAS.
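As an added example (constructed for this page, not code from the question or the answer), the following Python script parses an `iptables-save -t nat` style listing like the one posted above and reports three things a defender cares about when the access log shows only the bridge address: the chain path by which PREROUTING reaches the DOCKER chain (where the in-kernel DNAT that preserves the client source address lives), the published port mappings, and any MASQUERADE rule on docker0 that can replace the client's source address. The sample rules are a constructed subset modelled on the question; the function names `parse_nat`, `jump_paths`, `dnat_mappings`, `source_rewrites` and `explain` are my own.

```python
"""Added diagnostic (not from the original post): explain how an inbound
connection to a published Docker port is translated by a nat table."""
from collections import defaultdict

# Constructed sample, modelled on the nat table shown in the question.
SAMPLE_NAT = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80
"""

# Options whose value is recorded; every other token is skipped.
_VALUED = {"-j": "target", "-o": "out", "-i": "in", "-s": "src", "-d": "dst",
           "--dport": "dport", "--to-destination": "to",
           "--src-type": "src_type", "--dst-type": "dst_type"}


def parse_nat(text):
    """Return (policies, chains): chain name -> list of rule dicts, in rule order."""
    policies, chains = {}, defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":
            chains.setdefault(parts[1], [])          # user-defined chain
        elif parts[0] == "-A":
            rule = {"chain": parts[1], "raw": line}
            i = 2
            while i < len(parts):
                key = _VALUED.get(parts[i])
                if key and i + 1 < len(parts):
                    # a preceding "!" negates the match; keep it with the value
                    neg = parts[i - 1] == "!"
                    rule[key] = ("!" if neg else "") + parts[i + 1]
                    i += 2
                else:
                    i += 1
            chains[rule["chain"]].append(rule)
    return policies, chains


def jump_paths(chains, start, target, _path=None):
    """Every chain-to-chain jump path from `start` to `target`, in rule order."""
    path = (_path or []) + [start]
    if start == target:
        return [path]
    found = []
    for rule in chains.get(start, []):
        nxt = rule.get("target")
        if nxt in chains and nxt not in path:      # user chain, avoid loops
            found.extend(jump_paths(chains, nxt, target, path))
    return found


def dnat_mappings(chains):
    """Published host port -> container destination, taken from DNAT rules."""
    return {r["dport"]: r["to"] for rules in chains.values() for r in rules
            if r.get("target") == "DNAT" and "dport" in r}


def source_rewrites(chains, bridge="docker0"):
    """MASQUERADE rules that rewrite the source of packets leaving via `bridge`."""
    return [r for rules in chains.values() for r in rules
            if r.get("target") == "MASQUERADE" and r.get("out") == bridge]


def explain(text, host_port, bridge="docker0"):
    """Plain-text summary of how a connection to host_port is translated."""
    _, chains = parse_nat(text)
    lines = []
    paths = jump_paths(chains, "PREROUTING", "DOCKER")
    if not paths:
        lines.append("PREROUTING never reaches DOCKER: inbound traffic is not DNATed in the kernel")
    for p in paths:
        lines.append("DNAT path: " + " -> ".join(p))
    dest = dnat_mappings(chains).get(host_port)
    lines.append(f"port {host_port} -> {dest}" if dest else f"port {host_port} is not published by DNAT")
    for r in source_rewrites(chains, bridge):
        cond = f"source address type {r['src_type']}" if "src_type" in r else "any source"
        lines.append(f"MASQUERADE on -o {bridge} for {cond}: those packets reach the container "
                     f"with the host's bridge address as source")
    return lines


if __name__ == "__main__":
    for line in explain(SAMPLE_NAT, "40000"):
        print(line)
    # The rule from the answer adds a second, direct path from PREROUTING into DOCKER.
    patched = SAMPLE_NAT + "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\n"
    print(jump_paths(parse_nat(patched)[1], "PREROUTING", "DOCKER"))
```

To use it on a real box, replace `SAMPLE_NAT` with the output of `sudo iptables-save -t nat`. If `jump_paths` reports no path from PREROUTING to DOCKER, inbound connections are not being DNATed by the kernel, which is the situation the answer's extra PREROUTING rule addresses; if `source_rewrites` lists a rule that matches any source rather than only `--src-type LOCAL`, the container will see the bridge address for every client, which is exactly what an access log like the one in the question shows.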