Docker IP forwarding with an Apache bridge container


I am using a LAMP image in my Docker container, and in the Apache access.log every request comes from the same IP address (172.17.0.1), which is the bridge IP. My question is: can the client IP be forwarded from the Synology to the Docker container? Or am I doing something wrong here and is something missing from the container/Synology configuration?

Following @SYN's suggestion about iptables, could someone tell me which rule needs to change and what it should be changed to?

These are my NAT rules on the Synology (the Docker host):

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80

The default table looks like this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-USER
-A DEFAULT_FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Verbose output:

admin@SynologyCluster:/$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2954K packets, 2329M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DEFAULT_FORWARD  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 2741K packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DEFAULT_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:mysql
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere
admin@SynologyCluster:/$ sudo iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 10733 packets, 1338K bytes)
 pkts bytes target     prot opt in     out     source               destination
 342K   36M DEFAULT_PREROUTING  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 10702 packets, 1334K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
36669 2325K DEFAULT_OUTPUT  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 8937 packets, 554K bytes)
 pkts bytes target     prot opt in     out     source               destination
26637 1655K DEFAULT_POSTROUTING  all  --  any    any     anywhere             anywhere

Chain DEFAULT_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
19352 1183K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain DEFAULT_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:mysql
    7   420 MASQUERADE  all  --  any    docker0  anywhere             anywhere             ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:http

Chain DEFAULT_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 234K   15M DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40001 to:172.17.0.2:3306
   12   720 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:40000 to:172.17.0.2:80

As I understand it, this is the NAT rule that needs to be changed:

-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE

Is my thinking correct? I am not sure yet, and I don't want to mess this up.

Answer 1

I'm not sure whether this applies to your case, but it worked for me with Pi-hole for seeing client IPs (as mentioned here):

sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

This is not persistent, so you will have to re-apply it after the NAS restarts.
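As an added illustration for both the question's rule dump and the answer above (this is not code from either poster), the following parser reads NAT rules in `iptables-save` format, lists the DNAT port publications for the container at 172.17.0.2, and flags the MASQUERADE rules that can replace a client's source address before the packet reaches docker0. The sample rules are copied from the question; the helper names `parse_rule` and `classify_nat_rules` are my own.

```python
"""Classify Docker NAT rules from an `iptables-save -t nat` dump.
Added illustration for this thread, not code from the question or the answer;
the sample rules are copied from the question and the helper names are mine."""
import shlex

# Constructed sample: the relevant NAT rules quoted in the question.
SAMPLE_NAT_RULES = """
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80
"""


def parse_rule(line):
    """One `-A CHAIN opt val ...` line -> {option: value}; None if not a rule."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "negated": set()}
    i = 2
    while i < len(tokens):
        negate = tokens[i] == "!"          # `! -d 127.0.0.0/8` style negation
        if negate:
            i += 1
        key = tokens[i].lstrip("-")
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!"))
        rule[key] = tokens[i + 1] if has_value else True
        if negate:
            rule["negated"].add(key)
        i += 2 if has_value else 1
    return rule


def classify_nat_rules(text, container_ip):
    """Published ports of container_ip, plus the MASQUERADE rules that can
    replace a client's source address before the packet reaches the bridge."""
    published, rewriters = [], []
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        dest = rule.get("to-destination", "")
        if rule.get("j") == "DNAT" and dest.startswith(container_ip + ":"):
            published.append((int(rule["dport"]), int(dest.rsplit(":", 1)[1])))
        elif rule.get("j") == "MASQUERADE" and (
            rule.get("o") == "docker0" or rule.get("d", "").startswith(container_ip)
        ):
            # `--src-type LOCAL` matches only packets with a host-local source
            # (host-originated or proxied); those reach the container from the
            # bridge address instead of the real client address.
            rewriters.append(line)
    return {"published": published, "source_rewriters": rewriters}
```

Run it against `sudo iptables-save -t nat` output to see which rules can hide the client address; a non-empty `source_rewriters` list together with a 172.17.0.1 source in access.log points at traffic that entered with a host-local source rather than straight from the client.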
