我对firewalld感到有点困惑,我试图通过使用docker-compose来强制容器仅在localhost上监听来保护docker容器:
docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
srv_postgres-srv_1 /docker-entrypoint.sh postgres Up 127.0.0.1:5432->5432/tcp
services:
postgres-srv:
image: postgres:9.5.5
volumes:
- postgres-srv_volume:/var/lib/postgresql/data
ports:
- "127.0.0.1:5432:5432"
volumes:
postgres-srv_volume:
但是当我尝试使用firewalld将外部流量转发给它时,连接被拒绝。 到目前为止我的firewalld配置:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: yes
forward-ports: port=5432:proto=tcp:toport=5432:toaddr=127.0.0.1
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.1/32" port port="5432" protocol="tcp" accept
请问我做错了什么?
答案 0 :(得分:-1)
我不确定这是绝对正确的事情,但是为了移植到容器,感谢这里的信息:Assign Static IP to Docker Container, 我做了以下事情:
我强制容器有一个静态地址(强制它在localhost上监听连接现在似乎是多余的),通过在docker-compose文件中设置它们:
version: '2'
services:
postgres-srv:
image: postgres:9.5.5
volumes:
- postgres-srv_volume:/var/lib/postgresql/data
networks:
static-network:
ipv4_address: 172.18.0.2
ports:
- "127.0.0.1:5432:5432"
volumes:
postgres-srv_volume:
networks:
static-network:
ipam:
config:
- subnet: 172.18.0.0/16
ip_range: 172.18.0.0/16
2然后我在firewalld中进行了端口转发:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.0.1/24" forward-port port="5432" protocol="tcp" to-port="5432" to-addr="172.18.0.2"
现在我仍然无法让容器从外部侦听localhost,但我可以移植到静态容器IP。 请告诉我这是否正确。