Question

我正在尝试从ubuntu容器更新软件包；但是，更新失败，并且我注意到我无法在任何地方连接，能够查找所认为的dns名称。

我正在使用nicolaka / netshoot容器来测试网络。

我使用“ tcpdump”命令来跟踪与发送的消息有关的任何错误，并且使用ping从容器进行测试会导致以下错误“ ICMP时间超过传输中”。

主机界面中的tcpdump：

16:18:25.257270 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 3, length 64
16:18:25.257314 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:26.237575 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 4, length 64
16:18:26.286692 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 4, length 64
16:18:26.286757 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:27.261770 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 5, length 64
16:18:27.302193 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 5, length 64
16:18:27.302241 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:28.285631 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 6, length 64
16:18:28.329531 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 6, length 64
16:18:28.329596 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:29.309767 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 7, length 64
16:18:29.353202 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 7, length 64
16:18:29.353272 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92

我也不确定我的iptables是否与docker容器获得互联网连接的预期一致。

iptables -L：

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Answer 1

在容器中ping 8.8.8.8有什么结果？还是当您要运行容器时您的建议是什么？

Answer 2

我将结束这个问题，因为我发现问题出在我的ISP上，该问题是通过使用双NAT（ISP NAT + Docker NAT）阻止了我的容器的连接。

容器无法连接到互联网

2 个答案: