Cannot access a Docker container from outside the operating system that runs it

I am not a big user of Unix-based systems, and I am having some trouble opening a server port (80) to the public and redirecting it to a running container.

Basically, I have a container running on a running Ubuntu server (IP 167.86.106.109); the container IP is 127.0.200.1 (and port 80 is open).

Running TELNET 127.0.200.1 80 on 167.86.106.109, I can do a GET that returns 200. From outside I get a timeout.

I did the following, but I still cannot reach 167.86.106.109 on port 80 from outside (timeout error):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables-save > /etc/iptables.rules

ufw allow http

Evidently I did something wrong, but what?

Output of docker ps:

2f7617d72299   polk-auction-ui:latest   "/docker-entrypoint.…"   52 minutes ago   Up 52 minutes   127.0.200.1:80->80/tcp   polk-auction-ui

This is on Ubuntu 20.04 (64-bit). The container is a Docker container (v 20.10.14).

More information about my current setup:

The operating system (IP 167.86.106.109) runs on a VPS; the Docker container I want to reach from outside runs an nginx with the following configuration:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;
    gzip  on;
    #include /etc/nginx/conf.d/*.conf;
    
    server {
      listen 80;
      location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
        #try_files $uri =404;
      }
    }
}

The output of ufw status verbose:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
30333                      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
30333 (v6)                 ALLOW IN    Anywhere (v6)

The output of iptables -L -v -n (much of it comes from Docker itself):

Chain INPUT (policy DROP 37 packets, 2168 bytes)
 pkts bytes target     prot opt in     out     source               destination
32669 4524K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
2374K 1737M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2374K 1737M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 274K   16M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 167M  118G DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 888K  166M ACCEPT     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
19186 1150K DOCKER     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
19186 1150K ACCEPT     all  --  br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
  51M   59G ACCEPT     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3433  971K DOCKER     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
  39M 3429M ACCEPT     all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
 3397  969K ACCEPT     all  --  br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
  42M   53G ACCEPT     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3397  969K DOCKER     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
  33M 2699M ACCEPT     all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
 3397  969K ACCEPT     all  --  br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
37132  233M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
13310 1453K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1835K   83M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1835K   83M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.2           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.2           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.2           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.3           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.5           tcp dpt:30333
    0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.5           tcp dpt:30333
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.3           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0         
  39M 3429M DOCKER-ISOLATION-STAGE-2  all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0         
  33M 2699M DOCKER-ISOLATION-STAGE-2  all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0         
13310 1453K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  73M 6129M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
28666 4185K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
   81  4104 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
11583  599K ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
12797  753K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5083  453K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
41195 5355K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 4634  827K ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 4634  827K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
 4586  357K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 211K   74M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
1823K  109M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
1823K  109M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5089  453K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
1722K   74M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2488  227K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3643  763K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
  671 48807 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
1823K  109M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
11664  603K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  346 43729 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 1599  153K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2237  132K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 2240  114K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
1663K  100M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30333
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:30333

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

EDIT:

The docker-compose used:

version: "3.8"

networks:
    polkadot:
        external: true
    kusama:
        external: true

services: 
    polk-auction-ui:
        image: polk-auction-ui:latest
        container_name: polk-auction-ui
        ports:
            - "127.0.200.1:80:80"
        networks:
            - polkadot
            - kusama

The image is built like this:

# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Answer 1

127.0.0.0/8 is the loopback interface, also known as localhost. To publish on all interfaces, you can remove the IP address from the published port:

version: "3.8"

networks:
    polkadot:
        external: true
    kusama:
        external: true

services: 
    polk-auction-ui:
        image: polk-auction-ui:latest
        container_name: polk-auction-ui
        ports:
            - "80:80"
        networks:
            - polkadot
            - kusama
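
As an added example (not part of the question or the answer), the following Python script parses Compose short-syntax ports entries such as the two on this page and classifies each binding by which clients can reach it. It assumes the Compose short form [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto], with an optional bracketed IPv6 host address, and the sample entries are constructed from the two compose snippets above.

```python
"""Classify docker-compose short-syntax port bindings by who can reach them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortBinding:
    host_ip: Optional[str]   # None: Docker binds to all interfaces (0.0.0.0)
    host_port: str           # "": Docker picks an ephemeral host port
    container_port: str
    proto: str = "tcp"


def parse_port(entry: str) -> PortBinding:
    """Split one Compose short-form entry: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]."""
    spec, _, proto = entry.partition("/")
    proto = proto or "tcp"
    if ":" not in spec:                       # "80": container port only
        return PortBinding(None, "", spec, proto)
    rest, _, container_port = spec.rpartition(":")
    host_ip, sep, host_port = rest.rpartition(":")
    if not sep:                               # "80:80": no host address given
        return PortBinding(None, rest, container_port, proto)
    # "[::1]:80:80" -> strip the IPv6 brackets; "127.0.200.1::80" -> ephemeral port
    return PortBinding(host_ip.strip("[]") or None, host_port, container_port, proto)


def classify(binding: PortBinding) -> str:
    """Say which clients can reach the published port."""
    if binding.host_ip is None:
        return "all-interfaces"
    ip = ipaddress.ip_address(binding.host_ip)
    if ip.is_unspecified:                     # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:                        # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "specific-address"


EXPLANATION = {
    # The question's 127.0.200.1 binding: telnet on the VPS works, remote clients time out.
    "loopback-only": "only processes on the host can connect; remote clients time out",
    # The answer's "80:80": in the FORWARD listing above, Docker's DOCKER-USER/DOCKER rules
    # come before the ufw chains, so ufw does not gate this port once it is published.
    "all-interfaces": "reachable on every host interface, public ones included, not filtered by ufw",
    "specific-address": "reachable only through that one host address",
}


def audit(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Return (entry, verdict, explanation) for each Compose ports entry."""
    results = []
    for entry in entries:
        verdict = classify(parse_port(entry))
        results.append((entry, verdict, EXPLANATION[verdict]))
    return results


if __name__ == "__main__":
    # Constructed sample: the question's binding and the answer's binding.
    for entry, verdict, why in audit(["127.0.200.1:80:80", "80:80"]):
        print(f"{entry:20} {verdict:17} {why}")
```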