My firewall is blocking network connections from the docker container to outside


Problem description

For me this is a very standard setup: I had an Ubuntu machine running docker and ufw as my firewall.

If my firewall is enabled, the docker instances are unable to connect to outside.

$ docker run -i -t ubuntu /bin/bash
WARNING:  Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg  Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Here is the ufw log showing the blocked connections from the docker container.

$ sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44 
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44 
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44

I had tried adding a rule using the IP.

$ sudo ufw allow in from 172.16.42.2
$ sudo ufw allow out from 172.16.42.2

And there is no change; it is still blocked.

How can I easily allow all connections from the container to outside with a ufw rule?
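The log lines above already contain the diagnosis: every blocked packet has both `IN=testbr0` and `OUT=eth0` set, which means it was dropped while being forwarded between interfaces, not while entering or leaving the host itself. The `ufw allow in from ...` / `ufw allow out from ...` rules tried above only govern INPUT and OUTPUT, so they never match forwarded traffic. As an added illustration (not part of the question, and not a ufw tool), this POSIX shell snippet reads `[UFW BLOCK]` lines and classifies each one by chain from its `IN=`/`OUT=` fields, then summarises them by interface pair, protocol and destination port. The sample lines are constructed to mirror the ones in the question (bridge `testbr0`, uplink `eth0`, DNS to 8.8.8.8) plus one unrelated inbound SSH attempt for contrast.

```shell
#!/bin/sh
# Added example: triage [UFW BLOCK] log lines by netfilter chain.
# Kernel LOG messages carry IN= and OUT=; both non-empty means the packet
# was in FORWARD, only IN= means INPUT, only OUT= means OUTPUT.

# Extract one KEY=value field from a log line. Prints an empty string if the
# value is empty or the key is absent. The leading whitespace requirement
# keeps "IN=" from matching inside "PHYSIN=".
ufw_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Name the chain a blocked packet was dropped from.
ufw_chain() {
    in_if=$(ufw_field "$1" IN)
    out_if=$(ufw_field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD
    elif [ -n "$in_if" ]; then
        echo INPUT
    elif [ -n "$out_if" ]; then
        echo OUTPUT
    else
        echo UNKNOWN
    fi
}

# Read log lines on stdin, keep only [UFW BLOCK] entries, and count them
# per (chain, in-interface, out-interface, protocol, destination port).
ufw_triage() {
    while IFS= read -r line; do
        case $line in *"[UFW BLOCK]"*) ;; *) continue ;; esac
        printf '%s IN=%s OUT=%s %s DPT=%s\n' \
            "$(ufw_chain "$line")" \
            "$(ufw_field "$line" IN)" "$(ufw_field "$line" OUT)" \
            "$(ufw_field "$line" PROTO)" "$(ufw_field "$line" DPT)"
    done | sort | uniq -c
}

# Constructed sample lines (same shape as the question's ufw.log output).
SAMPLE_FORWARD='Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44'
SAMPLE_INPUT='Jun 30 15:43:10 localhost kernel: [61683.000000] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# Demo run: two forwarded DNS drops from the container, one inbound SSH drop.
printf '%s\n%s\n%s\n' "$SAMPLE_FORWARD" "$SAMPLE_FORWARD" "$SAMPLE_INPUT" | ufw_triage
```

On a real host, pipe `sudo tail -n 200 /var/log/ufw.log` into `ufw_triage`; a summary line beginning with `FORWARD IN=testbr0 OUT=eth0` is the signature of the problem in this question, and it tells you the fix has to be a forwarding policy or rule rather than an INPUT/OUTPUT allow.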

Solution

Maybe this is due to the current version, but the current answer doesn't work on my system (Docker 0.7.2 with base Ubuntu image).

The solution is explained here in the official Docker documentation.

For the lazy ones:

  • edit /etc/default/ufw to change DEFAULT_FORWARD_POLICY's value to "ACCEPT",
  • reload with [sudo] ufw reload.

This ensures ufw forwards your traffic to Docker's bridged network (as of my current understanding of these things...).
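The two steps in the answer can be scripted so the edit is validated before it reaches the live firewall. The following POSIX shell snippet is an added example, not from the answer, Docker or ufw: it applies the `DEFAULT_FORWARD_POLICY` change to a constructed copy of `/etc/default/ufw` in a scratch directory, rejects anything other than the three values ufw accepts for that key, and reads the value back. The file path and its contents are constructed for the demo; the keys themselves (`IPV6`, `DEFAULT_INPUT_POLICY`, `DEFAULT_OUTPUT_POLICY`, `DEFAULT_FORWARD_POLICY`, `DEFAULT_APPLICATION_POLICY`) are the ones the real file carries.

```shell
#!/bin/sh
# Added example: change DEFAULT_FORWARD_POLICY in a copy of /etc/default/ufw
# and verify the result, before doing the same to the real file.

# Print the current DEFAULT_FORWARD_POLICY value (surrounding quotes removed).
get_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Z]*\)"\{0,1\}.*/\1/p' "$1"
}

# Set DEFAULT_FORWARD_POLICY in the given file. Only ACCEPT, DROP and REJECT
# are accepted; a typo returns 1 rather than leaving the file half-edited.
# Writes via a temp file and mv, so the change is atomic and portable
# across sed implementations (no reliance on sed -i).
set_forward_policy() {
    file=$1; policy=$2
    case $policy in
        ACCEPT|DROP|REJECT) ;;
        *) echo "refusing unknown policy: $policy" >&2; return 1 ;;
    esac
    grep -q '^DEFAULT_FORWARD_POLICY=' "$file" \
        || { echo "DEFAULT_FORWARD_POLICY not found in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    sed "s/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY=\"$policy\"/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Constructed stand-in for /etc/default/ufw, removed when the script exits.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_UFW_DEFAULTS="$WORK/ufw"
cat > "$SAMPLE_UFW_DEFAULTS" <<'EOF'
# /etc/default/ufw (constructed excerpt for this example)
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
EOF

echo "before: DEFAULT_FORWARD_POLICY=$(get_forward_policy "$SAMPLE_UFW_DEFAULTS")"
set_forward_policy "$SAMPLE_UFW_DEFAULTS" ACCEPT
echo "after:  DEFAULT_FORWARD_POLICY=$(get_forward_policy "$SAMPLE_UFW_DEFAULTS")"
# On the real host the same call targets /etc/default/ufw as root, followed by
# the answer's second step: sudo ufw reload
```

One caveat a defender should weigh before copying the answer: `DEFAULT_FORWARD_POLICY="ACCEPT"` opens forwarding between every pair of interfaces on the host, not just from the Docker bridge to the uplink. On a machine that also routes for other networks, a narrower alternative is to leave the default at DROP and add a forwarding rule scoped to the bridge, for example `ufw route allow in on testbr0 out on eth0` (the `route` subcommand exists in ufw 0.34 and later, which postdates the Docker 0.7.2 setup in the answer). Either way, check `sudo ufw status verbose` afterwards to confirm the routed policy you expect.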
