我通过此Dockerfile:
构建了一个泊坞窗图片#
# Dockerfile for pptpd
#
FROM debian:jessie
MAINTAINER kev<noreply@datageek.info>
RUN apt-get update \
&& apt-get install -y iptables pptpd \
&& rm -rf /var/lib/apt/lists/*
COPY pptpd.conf /etc/
COPY chap-secrets /etc/ppp/
COPY pptpd-options /etc/ppp/
EXPOSE 1723
CMD iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE \
&& pptpd --fg
重启前$ docker pull vimagick/pptpd
$ docker run -d --name pptpd_pptpd_1 -p 1723:1723 --privileged vimagick/pptpd
$ tcpdump -ni eth0 proto gre
13:21:16.877858 IP 1.2.3.4 > 5.6.7.8: GREv1, call 16501, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
13:21:16.944894 IP 5.6.7.8 > 1.2.3.4: GREv1, call 512, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
13:21:16.945002 IP 1.2.3.4 > 5.6.7.8: GREv1, call 16501, seq 1, ack 0, length 44: LCP, Conf-Ack (0x02), id 1, length 26
13:21:16.945932 IP 5.6.7.8 > 1.2.3.4: GREv1, call 512, seq 1, length 25: LCP, Conf-Nack (0x03), id 1, length 11
13:21:16.946006 IP 1.2.3.4 > 5.6.7.8: GREv1, call 16501, seq 2, ack 1, length 45: LCP, Conf-Request (0x01), id 2, length 27
13:21:16.984018 IP 5.6.7.8 > 1.2.3.4: GREv1, call 512, seq 2, length 41: LCP, Conf-Ack (0x02), id 2, length 27
13:21:16.984224 IP 1.2.3.4 > 5.6.7.8: GREv1, call 16501, seq 3, ack 2, length 26: LCP, Echo-Request (0x09), id 0, length 10
重启后$ docker restart pptpd_pptpd_1
$ tcpdump -ni eth0 proto gre
13:31:32.071308 IP 5.6.7.8 > 1.2.3.4: GREv1, call 256, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
13:31:35.123217 IP 5.6.7.8 > 1.2.3.4: GREv1, call 256, seq 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
13:31:40.112179 IP 5.6.7.8 > 1.2.3.4: GREv1, call 256, seq 2, length 40: LCP, Conf-Request (0x01), id 1, length 26
13:31:41.111172 IP 5.6.7.8 > 1.2.3.4: GREv1, call 256, seq 3, length 40: LCP, Conf-Request (0x01), id 1, length 26
我注意到重启后容器的IP改变了(192.168.42.2 - > 192.168.42.3)。
我启用/禁用防火墙,结果是一样的
我是否需要iptables规则才能让它再次运行?谢谢!
更新:我可以附加--net host
选项来解决此问题。
答案 0 :(得分:1)
当我编辑/etc/default/ufw
时,它会给我一些提示:
# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
在我运行以下命令后,每件事情都恢复正常。
modprobe nf_conntrack_pptp nf_nat_pptp