내 DOCKER 컨테이너에 LAMP 이미지를 사용하고 있으며 Apache access.log에서 모든 요청은 동일한 IP 주소(172.17.0.1)에서 오고 있습니다. 브릿지 IP 입니다. 내 질문은: Synology에서 Docker 컨테이너로 IP를 전달할 수 있습니까? 아니면 여기서 뭔가 잘못하고 있고 컨테이너/Synology 구성에 뭔가가 누락된 것일까요?
iptables에 관한 @SYN의 제안에 따라 누군가 어떤 규칙을 변경해야 하며 무엇을 변경해야 하는지 말해 줄 수 있습니까?
Synology(Docker 호스트)에 대한 내 NAT 규칙은 다음과 같습니다.
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DEFAULT_PREROUTING
-N DOCKER
-A PREROUTING -j DEFAULT_PREROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DEFAULT_POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A DEFAULT_PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 40001 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -p tcp -m tcp --dport 40000 -j DNAT --to-destination 172.17.0.2:80
기본 테이블은 다음과 같습니다.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-USER
-A DEFAULT_FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
자세한 출력 :
admin@SynologyCluster:/$ sudo iptables -vL
Chain INPUT (policy ACCEPT 2954K packets, 2329M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DEFAULT_FORWARD all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2741K packets, 16G bytes)
pkts bytes target prot opt in out source destination
Chain DEFAULT_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:mysql
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
admin@SynologyCluster:/$ sudo iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 10733 packets, 1338K bytes)
pkts bytes target prot opt in out source destination
342K 36M DEFAULT_PREROUTING all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 10702 packets, 1334K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8937 packets, 554K bytes)
pkts bytes target prot opt in out source destination
36669 2325K DEFAULT_OUTPUT all -- any any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 8937 packets, 554K bytes)
pkts bytes target prot opt in out source destination
26637 1655K DEFAULT_POSTROUTING all -- any any anywhere anywhere
Chain DEFAULT_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
19352 1183K DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain DEFAULT_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:mysql
7 420 MASQUERADE all -- any docker0 anywhere anywhere ADDRTYPE match src-type LOCAL
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:http
Chain DEFAULT_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
234K 15M DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:40001 to:172.17.0.2:3306
12 720 DNAT tcp -- any any anywhere anywhere tcp dpt:40000 to:172.17.0.2:80
제가 이해한 바로는 이 NAT 규칙을 변경해야 합니다.
-A DEFAULT_POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
내 생각이 맞나요? 아직 확실하지 않으며 이것을 엉망으로 만들고 싶지 않습니다.
답변1
이것이 귀하의 경우에 적용되는지 확실하지 않지만 클라이언트 IP를 보는 Pi-hole에서 작동했습니다(언급한 대로).여기):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
이는 영구적이지 않으므로 NAS를 다시 시작하면 다시 적용해야 합니다.