I am not someone who uses Unix-based systems much, and I am having trouble opening a port (80) on the server publicly and redirecting it to a running container.

So basically I have a running Ubuntu server (IP 167.86.106.109) with a running container, and the container's IP is 127.0.200.1 (port 80 is open).

If I run `TELNET 127.0.200.1 80` from 167.86.106.109, I can do a GET that returns 200. From outside, it times out.

I did the following, but I still cannot reach 167.86.106.109 on port 80 from outside (timeout error):

```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables-save > /etc/iptables.rules
ufw allow http
```

Obviously I am doing something wrong, but what?

Output of `docker ps`:

```
2f7617d72299 polk-auction-ui:latest "/docker-entrypoint.…" 52 minutes ago Up 52 minutes 127.0.200.1:80->80/tcp polk-auction-ui
```

This is on Ubuntu 20.04 (64-bit). The container is a Docker container (v 20.10.14).
More information about the current setup:

The OS (IP 167.86.106.109) is running on a VPS, and the Docker container I am trying to reach from outside is running nginx with the following configuration:

```
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    #include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            try_files $uri $uri/ /index.html;
            #try_files $uri =404;
        }
    }
}
```
Result of `ufw status verbose`:

```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
30333 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
30333 (v6) ALLOW IN Anywhere (v6)
```
Output of `iptables -L -v -n` (much of it comes from docker itself):

```
Chain INPUT (policy DROP 37 packets, 2168 bytes)
pkts bytes target prot opt in out source destination
32669 4524K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2374K 1737M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2374K 1737M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
274K 16M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
167M 118G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
167M 118G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
888K 166M ACCEPT all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19186 1150K DOCKER all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
19186 1150K ACCEPT all -- br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
51M 59G ACCEPT all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3433 971K DOCKER all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
39M 3429M ACCEPT all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
42M 53G ACCEPT all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3397 969K DOCKER all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
33M 2699M ACCEPT all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
37132 233M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
13310 1453K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1835K 83M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1835K 83M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.2 tcp dpt:3306
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.3 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.3 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
39M 3429M DOCKER-ISOLATION-STAGE-2 all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
33M 2699M DOCKER-ISOLATION-STAGE-2 all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
13310 1453K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
73M 6129M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
28666 4185K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
81 4104 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
11583 599K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
12797 753K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
5083 453K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41195 5355K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4634 827K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4634 827K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
4586 357K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
211K 74M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1823K 109M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
1823K 109M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
5089 453K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1722K 74M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2488 227K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3643 763K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
671 48807 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
1823K 109M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
11664 603K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
346 43729 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1599 153K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
2237 132K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2240 114K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1663K 100M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30333
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30333
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
```
Edit:

The docker-compose file used:

```yaml
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "127.0.200.1:80:80"
    networks:
      - polkadot
      - kusama
```

The image is built as follows:

```dockerfile
# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```
Answer 1

127.0.0.0/8 is the loopback interface (aka localhost). To publish on all interfaces, just remove the IP address from the published port:

```yaml
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "80:80"
    networks:
      - polkadot
      - kusama
```
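As an added example (not part of the question or the answer above), the check below parses compose short-syntax `ports` entries and reports which host interface each one binds, using Python's `ipaddress` module to show why 127.0.200.1 counts as loopback just like 127.0.0.1; the sample entries are constructed, and the parser assumes IPv4 host addresses and no port ranges. Its verdict for an all-interfaces bind also records the caveat visible in the `iptables -L` output above: the DOCKER chain accepts the published port in FORWARD before any ufw chain is reached, so ufw's routed policy does not gate it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed compose `ports` entries, short syntax [host_ip:][host_port:]container_port[/proto]
SAMPLE_PORTS = [
    "127.0.200.1:80:80",    # the question's mapping: 127.0.200.1 lies inside 127.0.0.0/8
    "80:80",                # the answer's mapping: no host IP, so every interface
    "0.0.0.0:8080:80/tcp",  # explicit all-interfaces bind
]

@dataclass
class PublishedPort:
    host_ip: Optional[str]    # None: Docker binds every interface
    host_port: Optional[int]  # None: Docker picks an ephemeral host port
    container_port: int
    protocol: str

    def verdict(self) -> str:
        """Classify where the host side of this mapping is reachable from."""
        ip = ipaddress.ip_address(self.host_ip) if self.host_ip else None
        if ip is not None and ip.is_loopback:      # any 127.0.0.0/8 address, not just 127.0.0.1
            return "loopback only: works from the host, times out from outside"
        if ip is None or ip.is_unspecified:        # absent host IP or 0.0.0.0
            return "all interfaces: public; Docker's FORWARD rules open it ahead of ufw"
        return f"bound to {ip}: reachable only via that interface"

def parse_port_mapping(spec: str) -> PublishedPort:
    """Hypothetical helper: parse one short-syntax entry (IPv4 host IPs only, no port ranges)."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 1:
        host_ip, host_port, container_port = None, None, parts[0]
    elif len(parts) == 2:
        host_ip, host_port, container_port = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)  # ValueError on a malformed address
    return PublishedPort(host_ip, int(host_port) if host_port else None,
                         int(container_port), proto or "tcp")

def audit(specs):
    # One (spec, verdict) pair per entry, in the order given
    return [(s, parse_port_mapping(s).verdict()) for s in specs]

if __name__ == "__main__":
    for spec, verdict in audit(SAMPLE_PORTS):
        print(f"{spec:24} {verdict}")
```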