How to enable internet access for a NixOS container over a private network

On my host I have:

    networking.nat.enable = true;
    networking.nat.internalInterfaces = ["ve-+"];
    networking.nat.externalInterface = "wlp2s0f0u8";

For my container I define:

  containers.nixbincache = {
    privateNetwork = true;
    hostAddress = "192.168.140.10";
    localAddress = "192.168.140.11";
...

However, the container cannot reach the outside internet. How do I enable external access?


Some network debugging:

From the container:

curl -v 116.203.70.99

On the host machine:

sudo tshark -f "tcp port 80" -i ve-nixbincache
Running as user "root" and group "root". This could be dangerous.
Capturing on 've-nixbincache'
    1 0.000000000 192.168.140.11 → 116.203.70.99 TCP 74 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266433161 TSecr=0 WS=128
    2 1.062641113 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266434223 TSecr=0 WS=128
    3 3.110640768 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266436271 TSecr=0 WS=128
    4 7.142641875 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266440303 TSecr=0 WS=128

Or with tcpdump:

sudo tcpdump -i ve-nixbincache
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ve-nixbincache, link-type EN10MB (Ethernet), capture size 262144 bytes
20:27:27.351572 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273487804 ecr 0,nop,wscale 7], length 0
20:27:28.399000 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273488851 ecr 0,nop,wscale 7], length 0
20:27:30.447027 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273490899 ecr 0,nop,wscale 7], length 0
20:27:32.367015 ARP, Request who-has blueberry tell nixbincache.containers, length 28
20:27:32.367029 ARP, Reply blueberry is-at 66:3f:59:d4:10:c5 (oui Unknown), length 28
20:27:34.479001 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273494931 ecr 0,nop,wscale 7], length 0
20:27:42.606992 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273503059 ecr 0,nop,wscale 7], length 0

On the host machine:

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4487 packets, 758K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4488  758K nixos-nat-pre  all  --  any    any     anywhere             anywhere            
    2   120 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17558 packets, 1296K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 17584 packets, 1299K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
   15   960 MASQUERADE  all  --  any    !br-3a2c30a19c92  172.20.0.0/16        anywhere            
   34  2615 MASQUERADE  all  --  any    !br-88eb2b109258  172.18.0.0/16        anywhere            
   42  3423 MASQUERADE  all  --  any    !br-8510145730df  172.19.0.0/16        anywhere            
17584 1299K LIBVIRT_PRT  all  --  any    any     anywhere             anywhere            
17604 1300K nixos-nat-post  all  --  any    any     anywhere             anywhere            

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-3a2c30a19c92 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-88eb2b109258 any     anywhere             anywhere            
    0     0 RETURN     all  --  br-8510145730df any     anywhere             anywhere            

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24 
    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24    

Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72  5330 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1

From the container:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.140.10  0.0.0.0         UG    0      0        0 eth0
192.168.140.10  0.0.0.0         255.255.255.255 UH    0      0        0 eth0

Traceroute from the container:

[root@nixbincache:~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.140.10)  0.043 ms  0.010 ms  0.009 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
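The captures above show the SYNs reaching the host's ve-nixbincache side but nothing coming back, and the nat table counters already narrow it down: the MARK rule in nixos-nat-pre has matched 72 packets from ve-+, while the MASQUERADE rule in nixos-nat-post for wlp2s0f0u8 has matched 0. The following is an added example, not code from the question or from NixOS: it parses an `iptables -L -v -t nat` dump offline and turns that counter comparison into a verdict. The two embedded dumps are the chains copied from this page (the question's, and the one printed under Answer 1); the `--live` mode and the interface names passed to it are assumptions for use on a real host.

```shell
#!/bin/sh
# Offline check of an `iptables -L -v -t nat` dump: did container traffic hit the
# MARK rule on ve-+, and did the MASQUERADE rule for the configured external
# interface see those marked packets? Diverging counters mean the packets leave
# the host through some other NIC, unmasqueraded, so the reply never comes back.

# Constructed sample: the nixos-nat-pre / nixos-nat-post chains with the counters
# shown in the question's dump (not output captured by this script).
QUESTION_NAT='Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination
   72  5330 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1'

# Constructed sample: the POSTROUTING and nixos-nat-pre chains as printed in Answer 1,
# after the manual MASQUERADE rule on wlp2s0f0u7 was added.
ANSWER_NAT='Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
   66  5673 nixos-nat-post  all  --  any    any     anywhere             anywhere
   25  2126 MASQUERADE  all  --  any    wlp2s0f0u7  anywhere             anywhere

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1'

# mark_pkts DUMP: packets that matched the MARK rule for in-interface ve-+.
# In `iptables -L -v` rows: field 1 = pkts, 3 = target, 6 = in, 7 = out.
mark_pkts() {
  printf '%s\n' "$1" | awk '$3 == "MARK" && $6 == "ve-+" { s += $1 } END { print s + 0 }'
}

# masq_pkts IFACE DUMP: packets that matched any MASQUERADE rule whose out-interface is IFACE
masq_pkts() {
  printf '%s\n' "$2" | awk -v ifc="$1" '$3 == "MASQUERADE" && $7 == ifc { s += $1 } END { print s + 0 }'
}

# diagnose IFACE DUMP: exit 0 when the NAT path through IFACE is carrying container
# traffic, exit 1 with a one-line explanation otherwise
diagnose() {
  m=$(mark_pkts "$2")
  q=$(masq_pkts "$1" "$2")
  if [ "$m" -eq 0 ]; then
    echo "no container packets reached nixos-nat-pre: is the container up and routing via the host?"
    return 1
  fi
  if [ "$q" -eq 0 ]; then
    echo "MARK matched $m packets but MASQUERADE on $1 matched 0: marked packets are not leaving via $1"
    echo "check that externalInterface names the NIC that holds the host's default route"
    return 1
  fi
  echo "NAT path OK: $m packets marked, $q masqueraded via $1"
  return 0
}

# Live use on the host (as root): ./nat-check.sh --live wlp2s0f0u8   (assumed invocation)
case "${1:-}" in
  --live) diagnose "${2:?external interface}" "$(iptables -L -v -n -t nat)" ;;
esac
```

Run against the question's dump, `diagnose wlp2s0f0u8` reports the 72-versus-0 mismatch; against the answer's dump, `diagnose wlp2s0f0u7` reports 2 marked and 25 masqueraded, i.e. the working path.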

Answer 1

It works by running iptables -t nat -A POSTROUTING -o wlp2s0f0u7 -j MASQUERADE.

Here is the output of the iptables rules:

sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 154 packets, 22783 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  203 29566 nixos-nat-pre  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26 packets, 2466 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   66  5673 nixos-nat-post  all  --  any    any     anywhere             anywhere            
   25  2126 MASQUERADE  all  --  any    wlp2s0f0u7  anywhere             anywhere            

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LIBVIRT_PRT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain nixos-nat-post (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    wlp2s0f0u8  anywhere             anywhere             mark match 0x1

Chain nixos-nat-pre (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 MARK       all  --  ve-+   any     anywhere             anywhere             MARK set 0x1
