I want to run a service across two containers (one a VPN, the other a web service) so that the second container's port is exposed on the local Ethernet network. However, it seems the only way to reach the web service is via localhost or the private network Docker created (172.19.0.2). Even a browser running on the host itself will not accept the host's Ethernet IP (e.g. 10.0.0.5:8112 BAD!, but localhost:8112 or 172.19.0.2:8112 GOOD!). I'm trying to figure out why the Ethernet address isn't getting any love. Here is the output of my iptables rules (as a precaution, UFW is not installed):
*mangle
:PREROUTING ACCEPT [2109:567018]
:INPUT ACCEPT [2038:553438]
:FORWARD ACCEPT [71:13580]
:OUTPUT ACCEPT [1765:394606]
:POSTROUTING ACCEPT [1840:409176]
COMMIT
# Completed on Fri May 29 10:29:13 2020
# Generated by iptables-save v1.8.4 on Fri May 29 10:29:13 2020
*filter
:INPUT ACCEPT [1310:455388]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1361:352218]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b2521616293e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b2521616293e -j DOCKER
-A FORWARD -i br-b2521616293e ! -o br-b2521616293e -j ACCEPT
-A FORWARD -i br-b2521616293e -o br-b2521616293e -j ACCEPT
-A FORWARD -o br-af6f70f1ebad -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-af6f70f1ebad -j DOCKER
-A FORWARD -i br-af6f70f1ebad ! -o br-af6f70f1ebad -j ACCEPT
-A FORWARD -i br-af6f70f1ebad -o br-af6f70f1ebad -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-b2521616293e -o br-b2521616293e -p tcp -m tcp --dport 8112 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b2521616293e ! -o br-b2521616293e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-af6f70f1ebad ! -o br-af6f70f1ebad -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b2521616293e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-af6f70f1ebad -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri May 29 10:29:13 2020
# Generated by iptables-save v1.8.4 on Fri May 29 10:29:13 2020
*nat
:PREROUTING ACCEPT [34:3101]
:INPUT ACCEPT [7:1326]
:OUTPUT ACCEPT [192:12759]
:POSTROUTING ACCEPT [192:12759]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-b2521616293e -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-af6f70f1ebad -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 8112 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-b2521616293e -j RETURN
-A DOCKER -i br-af6f70f1ebad -j RETURN
-A DOCKER ! -i br-b2521616293e -p tcp -m tcp --dport 8112 -j DNAT --to-destination 172.19.0.2:8112
COMMIT
Below is the output of my docker ps -a command.
d06f04c174a2 linuxserver/deluge "/init" 2 weeks ago Up 2 minutes deluge
bb51c6f78a04 itsdaspecialk/pia-openvpn "openvpn.sh --auth-u…" 2 weeks ago Up 2 minutes 0.0.0.0:8112->8112/tcp pia-vpn
Here is the docker-compose.yml for the whole setup:
---
version: "2.1"
services:
  pia-vpn:
    container_name: pia-vpn
    image: itsdaspecialk/pia-openvpn
    restart: always
    cap_add:
      - net_admin
    dns:
      - 209.222.18.222
      - 209.222.18.218
    ports:
      - 8112:8112
    volumes:
      - /home/poseter/pia-vpn/auth:/auth
    environment:
      REGION: "US East"
    command: ["--auth-user-pass", "/auth/auth.conf"]
  deluge:
    image: linuxserver/deluge
    container_name: deluge
    depends_on:
      - pia-vpn
    network_mode: "service:pia-vpn"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=timezone
      - UMASK_SET=022 #optional
      - DELUGE_LOGLEVEL=error #optional
    volumes:
      - /home/poster/deluge/config:/config
      - /home/poster/deluge/downloads:/downloads
    restart: unless-stopped
I'm thinking this is because the configuration isolates the user-defined bridge from other networks. Any suggestions or insights are welcome.
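As an added example (not part of the original post), the script below parses iptables-save output, lists every rule that acts on a published port, and checks whether the nat-table DNAT rule would match packets arriving on the LAN interface; reading the quoted rules this way shows that the DOCKER-ISOLATION chains only DROP traffic forwarded from one Docker bridge to another and that the DNAT rule excludes only the bridge itself, so the rules as quoted do not by themselves block the Ethernet address. The sample input is a constructed excerpt of the rules quoted above, and the LAN interface name eth0 is an assumption.

```python
import shlex

# Constructed excerpt of the iptables-save output quoted in the post.
SAMPLE = """\
*filter
-A DOCKER -d 172.19.0.2/32 ! -i br-b2521616293e -o br-b2521616293e -p tcp -m tcp --dport 8112 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 8112 -j MASQUERADE
-A DOCKER ! -i br-b2521616293e -p tcp -m tcp --dport 8112 -j DNAT --to-destination 172.19.0.2:8112
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, tokens) for each '-A' line of iptables-save output."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]

def rules_for_port(text, port):
    """Return every rule whose --dport equals `port` as a small summary dict."""
    found = []
    for table, chain, toks in parse_rules(text):
        if "--dport" not in toks or toks[toks.index("--dport") + 1] != str(port):
            continue
        rule = {"table": table, "chain": chain, "target": toks[toks.index("-j") + 1],
                "in_iface": None, "in_negated": False}
        for i, tok in enumerate(toks):
            if tok == "-i":  # input-interface match, possibly preceded by '!'
                rule["in_iface"] = toks[i + 1]
                rule["in_negated"] = i > 0 and toks[i - 1] == "!"
        found.append(rule)
    return found

def lan_traffic_is_dnated(text, port, lan_iface):
    """True if the nat-table DNAT rule for `port` matches packets arriving on lan_iface."""
    for rule in rules_for_port(text, port):
        if rule["table"] == "nat" and rule["target"] == "DNAT":
            if rule["in_iface"] is None:
                return True          # no input-interface restriction at all
            return (rule["in_iface"] == lan_iface) != rule["in_negated"]
    return False                     # no DNAT rule: the port is not published

if __name__ == "__main__":  # eth0 is an assumed LAN interface name, not from the post
    print(rules_for_port(SAMPLE, 8112))
    print("DNAT applies to eth0:", lan_traffic_is_dnated(SAMPLE, 8112, "eth0"))
```

Feed it the full `iptables-save` output instead of SAMPLE to confirm the same three rules on the live host; if the DNAT check is True there, the block is not in these rules and the next place to look is the VPN container's own routing, since the deluge container shares its network namespace.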