Docker暴露港口疯狂 [英] Docker exposing ports madness
问题描述
Nginx通过9000 / tcp的内部端口转发连接到PHP。 PHP通过内部转发连接到mysql。
Nginx可以在公共网卡上访问
另一个运行postfix的容器是基于相同的baseimage,配置/启动与Nginx容器完全一样,但是端口不能从互联网访问。
nginx和postfix都以相同的方式曝光,所以为什么后缀不可达?
nginx(Dockerfile)
...
EXPOSE 80 / tcp 443 / tcp
...
postfix(Dockerfile)
...
EXPOSE 25 / tcp 465 / tcp 587 / tcp
...
docker-compose.yml
... nginx
ports:
- 80:80 / tcp
- 443:443 / tcp
...
和
... postfix
ports:
- 25:25 / tcp
- 465:465 / tcp
- 587:587 / tcp
...
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginxnginx -g'daemon ...17分钟前上17分0.0.0.0:80->80/tcp,0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix/run.sh17分钟前上17分0.0.0.0:25->25/tcp,0.0.0.0:465->465/tcp,0.0.0.0:587->587/ tcp postfix
f7541058c973 phpphp5-fpm -F17分钟前上17分钟9000 / tcp php
ad1d1db33351 mysql/ sbin / entrypoint ....17分钟前Up 17分钟3306 / tcp mysql
netstat -a
Aktive Internetverbindungen(Nur服务器)
Proto Recv-Q Send-Q本地地址外部地址状态PID /程序名称
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 464 / sshd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 461 / rsyslogd
tcp6 0 0 ::: 25 ::: * LISTEN 24924 / docker-代理
tcp6 0 0 ::: 443 ::: * LISTEN 24937 / docker-proxy
tcp6 0 0 ::: 514 ::: * LISTEN 461 / rsyslogd
tcp6 0 0 :: :587 ::: * LISTEN 24899 / docker-proxy
tcp6 0 0 ::: 80 ::: * LISTEN 24975 / docker-proxy
tcp6 0 0 ::: 465 ::: * LISTEN 24912 / docker-proxy
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
Telnet on所有ips:ports从docker主机工作正常。
nmap从外面到公共ip:
25:过滤
80:打开
110:过滤(虽然没有服务运行,〜*奇怪*〜)
443:打开
465:过滤
587:过滤
uname -a
Linux h2127057 3.16.0-4-amd64#1 SMP Debian 3.16.39-1 + deb8u2(2017-03-07)x86_64 GNU / Linux
如何知道解决方案?
一个简单的服务器重新启动修复它!很蠢: - (
I've got several docker containers up and running using docker-compose. Nginx connected to PHP through internal port-forwarding at 9000/tcp. PHP connected to mysql through internal forwarding. Nginx is reachable at public NIC!
Another container running postfix is based on the same baseimage and configured/launched exactly the same as the Nginx-container but its ports are not accessible from the internet.
Both nginx and postfix are exposing the same way, so why is postfix not reachable??
nginx (Dockerfile)
...
EXPOSE 80/tcp 443/tcp
...
postfix (Dockerfile)
...
EXPOSE 25/tcp 465/tcp 587/tcp
...
docker-compose.yml
...nginx
ports:
- "80:80/tcp"
- "443:443/tcp"
...
and
...postfix
ports:
- "25:25/tcp"
- "465:465/tcp"
- "587:587/tcp"
...
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
f7541058c973 php "php5-fpm -F" 17 minutes ago Up 17 minutes 9000/tcp php
ad1d1db33351 mysql "/sbin/entrypoint...." 17 minutes ago Up 17 minutes 3306/tcp mysql
netstat -a
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 464/sshd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 461/rsyslogd
tcp6 0 0 :::25 :::* LISTEN 24924/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 24937/docker-proxy
tcp6 0 0 :::514 :::* LISTEN 461/rsyslogd
tcp6 0 0 :::587 :::* LISTEN 24899/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 24975/docker-proxy
tcp6 0 0 :::465 :::* LISTEN 24912/docker-proxy
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
Telnet on all ips:ports works fine from docker host.
nmap from outside to public ip:
25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered
uname -a
Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
How knows the solution??
A simple server reboot fixed it! Pretty stupid. :-(
这篇关于Docker暴露港口疯狂的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!