I am not a heavy user of Unix-based systems, and I am having some trouble opening a server's port (80) publicly and redirecting it to a running container.
Basically, I have a container running on a running Ubuntu server (IP 167.86.106.109); the container's IP is 127.0.200.1 (and port 80 is open).
Running telnet 127.0.200.1 80 on 167.86.106.109 works, and I can issue a GET that returns 200. From outside I get a timeout.
I did the following, but I still cannot reach 167.86.106.109 on port 80 from outside (timeout error):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables-save > /etc/iptables.rules
ufw allow http
Obviously I did something wrong, but what?
Output of docker ps:
2f7617d72299 polk-auction-ui:latest "/docker-entrypoint.…" 52 minutes ago Up 52 minutes 127.0.200.1:80->80/tcp polk-auction-ui
This is on Ubuntu 20.04 (64-bit). The container is a Docker container (v 20.10.14).
More information about my current setup:
The operating system (IP 167.86.106.109) runs on a VPS; the Docker container that I want to reach from outside runs nginx with the following configuration:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    #include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            try_files $uri $uri/ /index.html;
            #try_files $uri =404;
        }
    }
}
The result of ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
30333 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
30333 (v6) ALLOW IN Anywhere (v6)
The output of iptables -L -v -n (a lot of it comes from Docker itself):
Chain INPUT (policy DROP 37 packets, 2168 bytes)
pkts bytes target prot opt in out source destination
32669 4524K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2374K 1737M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2374K 1737M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
274K 16M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
167M 118G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
167M 118G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
888K 166M ACCEPT all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19186 1150K DOCKER all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
19186 1150K ACCEPT all -- br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
51M 59G ACCEPT all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3433 971K DOCKER all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
39M 3429M ACCEPT all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
42M 53G ACCEPT all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3397 969K DOCKER all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
33M 2699M ACCEPT all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
37132 233M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
13310 1453K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1835K 83M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1835K 83M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.2 tcp dpt:3306
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.3 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.3 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
39M 3429M DOCKER-ISOLATION-STAGE-2 all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
33M 2699M DOCKER-ISOLATION-STAGE-2 all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
13310 1453K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
73M 6129M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
28666 4185K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
81 4104 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
11583 599K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
12797 753K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
5083 453K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41195 5355K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4634 827K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4634 827K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
4586 357K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
211K 74M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1823K 109M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
1823K 109M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
5089 453K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1722K 74M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2488 227K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3643 763K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
671 48807 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
1823K 109M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
11664 603K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
346 43729 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1599 153K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
2237 132K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2240 114K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1663K 100M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30333
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30333
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
EDIT:
The docker-compose file used:
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "127.0.200.1:80:80"
    networks:
      - polkadot
      - kusama
The image is built as follows:
# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod
# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
Answer 1
127.0.0.0/8 is the loopback interface, also known as localhost. To publish on all interfaces, you can remove the IP address from the published port:
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "80:80"
    networks:
      - polkadot
      - kusama
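As an added example that is not part of the question or the answer above: a small POSIX shell check that classifies the host side of Docker port publications the way a pre-deployment script would, so a loopback-only binding like the "127.0.200.1:80:80" in the question is flagged before it reaches a server. The function names (host_of_spec, classify_port_spec, audit_port_specs, docker_user_rule), the interface name eth0 and the 203.0.113.0/24 range are assumptions of this example. The last function is there because of what the iptables -L output above shows: in the FORWARD chain, DOCKER-USER and Docker's own ACCEPT rules are evaluated before the ufw-* chains, so once the port is published on 0.0.0.0 the ufw rule for 80/tcp no longer decides who reaches the container. A source restriction has to go into DOCKER-USER; the example only prints that rule, it does not apply it.

```shell
#!/bin/sh
# Added example, not from the original question or answer: classify the host side
# of Docker "ports:" entries (compose) or "docker ps" mappings, so a loopback-only
# binding like "127.0.200.1:80:80" is caught before deployment.

# host_of_spec SPEC -> prints the host address Docker will bind to.
# Forms handled: "IP:HOSTPORT:CONTAINERPORT", "[IPv6]:HOSTPORT:CONTAINERPORT",
# "HOSTPORT:CONTAINERPORT" (Docker binds 0.0.0.0) and "CONTAINERPORT" (same),
# each optionally followed by "/tcp" or "/udp".
host_of_spec() {
    spec=${1%/*}                                      # drop protocol suffix, if any
    case "$spec" in
        \[*\]:*)  h=${spec%%]:*}; echo "${h#\[}" ;;   # bracketed IPv6 host address
        *:*:*)    echo "${spec%%:*}" ;;               # IPv4 host address
        *)        echo 0.0.0.0 ;;                     # no host address given
    esac
}

# classify_host ADDR -> loopback | all | specific
classify_host() {
    case "$1" in
        127.*|::1|localhost) echo loopback ;;   # 127.0.0.0/8 and ::1: host-only
        0.0.0.0|::)          echo all ;;        # every interface, including eth0
        *)                   echo specific ;;   # one particular host address
    esac
}

# classify_port_spec SPEC -> loopback | all | specific
classify_port_spec() {
    classify_host "$(host_of_spec "$1")"
}

# audit_port_specs SPEC... -> one line per spec; returns 1 if any spec is
# loopback-only (the symptom in the question: works locally, times out from outside).
audit_port_specs() {
    rc=0
    for s in "$@"; do
        c=$(classify_port_spec "$s")
        printf '%-24s host=%-16s reachable_from=%s\n' "$s" "$(host_of_spec "$s")" "$c"
        [ "$c" = loopback ] && rc=1
    done
    return $rc
}

# docker_user_rule IFACE PORT CIDR -> prints the iptables command that limits a
# published port to CIDR. Docker accepts published ports in FORWARD ahead of the
# ufw-* chains, and DOCKER-USER runs before Docker's own rules, so this is the
# place for a host-level restriction. PORT is the container port, because the
# DNAT in PREROUTING has already happened when FORWARD is evaluated.
docker_user_rule() {
    printf 'iptables -I DOCKER-USER -i %s -p tcp --dport %s ! -s %s -j DROP\n' "$1" "$2" "$3"
}

# Constructed sample specs: the one from the question, the answer's fix, and three more.
audit_port_specs "127.0.200.1:80:80" "80:80" "0.0.0.0:80:80" "[::1]:8080:80/udp" "167.86.106.109:443:443" \
    || echo "at least one port is loopback-only and will not be reachable from outside"
# Example restriction (eth0 and 203.0.113.0/24 are assumptions): printed, not applied.
docker_user_rule eth0 80 203.0.113.0/24
```

Run it with sh on the host; the audit's exit status makes it usable as a CI gate for compose files, and the printed DOCKER-USER rule can be reviewed before anyone applies it.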