After several hours of searching and trying solutions, I am done.
When I start a Docker container on a CentOS 7 machine, the following happens: the container cannot reach the Internet (`apt update` fails). Ping works fine. `--net=host` solves the problem, but I want to use the default `bridge` network. `net.ipv4.ip_forward=1` is added to /etc/sysctl.conf. `docker network inspect bridge` (output not included here).

More info:
Running `apt update` shows the following message:

```
Ign http://security.debian.org jessie/updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]
```
iptables configuration:

```
$ iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
           tcp  --  anywhere             anywhere             tcp dpt:http /* HTTP-IN */
           tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN /* HTTP-SYN */
           tcp  --  anywhere             anywhere             tcp dpt:https /* HTTPS-IN */
           tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN /* HTTPS-SYN */
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set avast_internal src
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp match-set avast_internal src
ACCEPT     tcp  --  anywhere             anywhere             tcp match-set avast_internal src

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere      anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
           tcp  --  anywhere             anywhere             tcp spt:http /* HTTP-OUT */
           tcp  --  anywhere             anywhere             tcp spt:https /* HTTPS-OUT */

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
```
What could be the cause of this?
Edit:

After opening up the firewall with these commands, I can connect to the Internet from the Docker container:

```
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
```

However, after resetting the rules to find out what exactly causes the problem, I cannot get it back into a working state, even after clearing all iptables rules and restarting the docker daemon.
Edit 2:

It turns out there were also some rules in the `raw` table that I had not seen before. The following rule was blocking the Docker containers from the Internet:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
CT         tcp  --  anywhere             anywhere             NOTRACK
```
Answer 0 (score: 3)
As you said:

```
Ign http://security.debian.org jessie/updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]
```

This kind of problem occurs when DNS is not configured for the Docker container. [I had a similar problem in my environment.]
The following procedure will help to solve DNS problems when using Docker containers.

The first step is to check the container's external connectivity:

```
# docker run busybox ping -c 2 192.203.230.10
PING 192.203.230.10 (192.203.230.10): 56 data bytes
64 bytes from 192.203.230.10: seq=0 ttl=56 time=66.724 ms
64 bytes from 192.203.230.10: seq=1 ttl=56 time=54.786 ms
```
When you try to ping google.com from the container, it cannot be reached because of the DNS problem:

```
# docker run busybox nslookup google.com
Server:    8.8.8.8
Address 1: 8.8.8.8

nslookup: can't resolve 'google.com'
```
Find out which DNS servers your machine uses:

```
# nm-tool |grep DNS
DNS:             172.24.100.50
DNS:             10.1.100.50
```
Run it again with one of the DNS IPs from the step above, which resolves the DNS problem:

```
# docker run --dns 172.24.100.50 busybox nslookup google.com
Server:    172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com

Name:      google.com
Address 1: 2607:f8b0:4009:80c::200e ord36s01-in-x0e.1e100.net
Address 2: 172.217.4.110 ord36s04-in-f14.1e100.net
```
To fix this permanently, add the following to a new file:

```
# cat /etc/docker/daemon.json
{
    "dns" : ["172.24.100.50", "8.8.8.8"]
}
```
More information on Docker DNS configuration: https://docs.docker.com/engine/userguide/networking/configure-dns/
Restart the docker service and check the connectivity again:

```
# docker run busybox nslookup google.com
Server:    172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com

Name:      google.com
Address 1: 2607:f8b0:4009:801::200e ord30s31-in-x0e.1e100.net
Address 2: 172.217.4.238 ord30s31-in-f14.1e100.net
```
Check it by running another container:

```
# docker run -it e02e811dd08f
/ # ping google.com
PING google.com (172.217.4.238): 56 data bytes
64 bytes from 172.217.4.238: seq=0 ttl=47 time=251.506 ms
64 bytes from 172.217.4.238: seq=1 ttl=47 time=245.621 ms
```
Answer 1 (score: 0)
It turns out there were also some rules in the `raw` table that I had not seen before. The following rule was blocking the Docker containers from the Internet:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
CT         tcp  --  anywhere             anywhere             NOTRACK
```

Removing this rule solves the problem.
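The reason the raw-table rule above breaks the default bridge is that `-j CT --notrack` takes packets out of connection tracking, and both of Docker's bridge mechanisms depend on conntrack: the MASQUERADE rule in nat/POSTROUTING and the RELATED,ESTABLISHED accept in a FORWARD chain whose policy is DROP. The following POSIX shell check is an added example, not code from the question or either answer. It reads `iptables-save` output (which dumps every table, unlike `iptables -L`, which lists only the filter table) and flags the three conditions that produce exactly this symptom. The rule texts it scans are constructed to mirror the question's host rather than captured from a real machine, and the `iptables-save` spelling of the Edit 2 rule, `-A PREROUTING -p tcp -j CT --notrack`, is my rendering of the `iptables -L` line shown there.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the host-firewall conditions
# that cut Docker's default bridge network off from the Internet.
#
# Real use on a host:   iptables-save | check_docker_fw
# Exit status is the number of findings (0 = nothing suspicious).

# in_table TABLE REGEX: print the lines of one iptables-save table that match REGEX.
# iptables-save marks the start of each table with a "*name" line.
in_table() {
    awk -v tbl="*$1" -v re="$2" '/^\*/ { t = $1; next } t == tbl && $0 ~ re'
}

# check_docker_fw: reads iptables-save text on stdin, prints one finding per line.
check_docker_fw() {
    rules=$(cat)
    n=0

    # 1. NOTRACK in the raw table. Untracked packets can never be MASQUERADEd
    #    (NAT is applied per tracked connection) and never match the
    #    RELATED,ESTABLISHED rule in FORWARD, so replies to the container die.
    if printf '%s\n' "$rules" | in_table raw '-j (CT --notrack|NOTRACK)' | grep -q .; then
        echo "raw: NOTRACK rule present; MASQUERADE and RELATED,ESTABLISHED cannot match container traffic"
        n=$((n + 1))
    fi

    # 2. Docker's own NAT rule. Without MASQUERADE in nat/POSTROUTING the
    #    container's private source address leaves the host unchanged.
    if ! printf '%s\n' "$rules" | in_table nat '^-A POSTROUTING .*-j MASQUERADE' | grep -q .; then
        echo "nat: no MASQUERADE rule in POSTROUTING for container traffic"
        n=$((n + 1))
    fi

    # 3. A FORWARD policy of DROP is fine only if reply packets are let back in.
    if printf '%s\n' "$rules" | in_table filter '^:FORWARD DROP' | grep -q . &&
       ! printf '%s\n' "$rules" | in_table filter '^-A FORWARD .*(ctstate|state) RELATED,ESTABLISHED.*-j ACCEPT' | grep -q .; then
        echo "filter: FORWARD policy is DROP and no RELATED,ESTABLISHED accept rule exists"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample (not captured from a real host) mirroring the question:
# Docker's bridge rules are loaded, and so is the raw-table NOTRACK rule.
SAMPLE_BROKEN='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -j CT --notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'

# The same host after the fix from the answer above,
# i.e. after: iptables -t raw -D PREROUTING -p tcp -j CT --notrack
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_BROKEN" | grep -v -- '--notrack')

# Constructed sample of a host whose nat table has been flushed: policies are
# wide open, yet containers still cannot reach out because MASQUERADE is gone.
SAMPLE_NO_NAT='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Demonstration on the constructed samples; on a real host feed iptables-save instead.
printf '%s\n' "$SAMPLE_BROKEN" | check_docker_fw || echo "broken host: $? finding(s)"
printf '%s\n' "$SAMPLE_NO_NAT" | check_docker_fw || echo "flushed-nat host: $? finding(s)"
printf '%s\n' "$SAMPLE_FIXED" | check_docker_fw && echo "fixed host: no findings"
```

Two details from the question are worth keeping in mind when reading the output. `iptables -L` with no `-t` option shows the filter table only, which is why the NOTRACK rule did not appear in the listing posted above; and the reset commands in the first edit flush filter, nat and mangle but never `-t raw`, so a raw-table rule survives that kind of cleanup. Run `iptables-save` (or at least `iptables -t raw -L`) before concluding that the host firewall is empty.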