Debian Buster amd64
Both containers can see 192.168.122.2,3 but cannot access the internet.
Both containers can ping/interact with the host server.
Here is what is in iptables:
# Generated by xtables-save v1.8.2 on Sat Mar 6 17:16:16 2021
*filter
:INPUT ACCEPT [47377:13690982]
:FORWARD ACCEPT [419:628058]
:OUTPUT ACCEPT [24929:4008372]
:POSTROUTING - [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4430 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.122.2/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.122.3/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 192.168.122.3/32 -p tcp -m tcp --dport 4430 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i enxd03745c9b08e -j ACCEPT
COMMIT
# Completed on Sat Mar 6 17:16:16 2021
# Generated by xtables-save v1.8.2 on Sat Mar 6 17:16:16 2021
*nat
:PREROUTING ACCEPT [2101:142603]
:INPUT ACCEPT [1480:106813]
:POSTROUTING ACCEPT [430:29500]
:OUTPUT ACCEPT [329:23520]
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.2:80
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.2:80
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.2:443
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.122.3:8080
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 4430 -j DNAT --to-destination 192.168.122.3:4430
COMMIT
# Completed on Sat Mar 6 17:16:16 2021
# Generated by xtables-save v1.8.2 on Sat Mar 6 17:16:16 2021
*mangle
:PREROUTING ACCEPT [49751:14725298]
:INPUT ACCEPT [47442:13695764]
:FORWARD ACCEPT [1555:987308]
:OUTPUT ACCEPT [24929:4008372]
:POSTROUTING ACCEPT [26484:4995680]
COMMIT
# Completed on Sat Mar 6 17:16:16 2021
Answer 1
I found the solution. https://discuss.linuxcontainers.org/t/internet-access-issue-inside-container/5258
I had to use iptables-legacy and run the following:
/sbin/iptables-legacy -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
/sbin/iptables-legacy -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
/sbin/iptables-legacy -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
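
A way to check a saved ruleset for the gap this thread is about, as an added example that is not part of the original question or answer: the function reads an iptables-save dump and reports whether the nat table's POSTROUTING chain has a MASQUERADE or SNAT rule covering the container subnet. The function names and the two sample dumps are constructed for illustration; the samples are abbreviated from the dump in the question.

```shell
#!/bin/sh
# Added example: check an iptables-save dump for source NAT covering a subnet.

# has_snat SUBNET: reads an iptables-save dump on stdin. Returns 0 if the *nat
# table has a POSTROUTING rule with target MASQUERADE or SNAT whose -s is SUBNET
# (or that has no -s at all); returns 1 otherwise.
has_snat() {
    awk -v subnet="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header: *filter, *nat, ...
        $0 == "COMMIT" { table = ""; next }
        # Only POSTROUTING in *nat counts; a chain of the same name in
        # *filter (as in the dump in the question) does no address translation.
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; negated = 0; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") { src = $(i + 1); negated = ($(i - 1) == "!") }
                if ($i == "-j") target = $(i + 1)
            }
            if (!negated && (src == "" || src == subnet) &&
                (target == "MASQUERADE" || target == "SNAT")) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample, abbreviated from the dump in the question.
dump_before() {
    cat <<'EOF'
*filter
:FORWARD ACCEPT [419:628058]
:POSTROUTING - [0:0]
-A FORWARD -s 192.168.122.0/24 -i enxd03745c9b08e -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [430:29500]
-A PREROUTING -i enxd03745c9b08e -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.2:80
COMMIT
EOF
}

# Constructed sample: the same dump after the last rule from the answer.
dump_after() {
    dump_before | sed '$d'
    printf '%s\n' '-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE' 'COMMIT'
}

for d in dump_before dump_after; do
    if $d | has_snat 192.168.122.0/24; then echo "$d: source NAT present"
    else echo "$d: no source NAT for 192.168.122.0/24"; fi
done
```

On a live Debian Buster host, pipe the output of both iptables-legacy-save and iptables-nft-save into has_snat, since rules loaded through one backend do not appear in the other's dump.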