내 호스트에는 다음이 있습니다.
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "wlp2s0f0u8";
내 컨테이너에서는 다음을 정의합니다.
containers.nixbincache = {
privateNetwork = true;
hostAddress = "192.168.140.10";
localAddress = "192.168.140.11";
...
그러나 컨테이너는 외부에서 인터넷에 접속할 수 없습니다. 외부 액세스를 활성화하려면 어떻게 해야 합니까?
네트워크 디버깅을 수행하십시오.
컨테이너에서:
curl -v 116.203.70.99
호스트 머신에서:
sudo tshark -f "tcp port 80" -i ve-nixbincache
Running as user "root" and group "root". This could be dangerous.
Capturing on 've-nixbincache'
1 0.000000000 192.168.140.11 → 116.203.70.99 TCP 74 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266433161 TSecr=0 WS=128
2 1.062641113 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266434223 TSecr=0 WS=128
3 3.110640768 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266436271 TSecr=0 WS=128
4 7.142641875 192.168.140.11 → 116.203.70.99 TCP 74 [TCP Retransmission] 59266 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1266440303 TSecr=0 WS=128
또는 다음과 같이 tcpdump
:
sudo tcpdump -i ve-nixbincache
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ve-nixbincache, link-type EN10MB (Ethernet), capture size 262144 bytes
20:27:27.351572 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273487804 ecr 0,nop,wscale 7], length 0
20:27:28.399000 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273488851 ecr 0,nop,wscale 7], length 0
20:27:30.447027 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273490899 ecr 0,nop,wscale 7], length 0
20:27:32.367015 ARP, Request who-has blueberry tell nixbincache.containers, length 28
20:27:32.367029 ARP, Reply blueberry is-at 66:3f:59:d4:10:c5 (oui Unknown), length 28
20:27:34.479001 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273494931 ecr 0,nop,wscale 7], length 0
20:27:42.606992 IP nixbincache.containers.60420 > static.99.70.203.116.clients.your-server.de.http: Flags [S], seq 1100520269, win 29200, options [mss 1460,sackOK,TS val 1273503059 ecr 0,nop,wscale 7], length 0
호스트 머신에서:
iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4487 packets, 758K bytes)
pkts bytes target prot opt in out source destination
4488 758K nixos-nat-pre all -- any any anywhere anywhere
2 120 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17558 packets, 1296K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 17584 packets, 1299K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
15 960 MASQUERADE all -- any !br-3a2c30a19c92 172.20.0.0/16 anywhere
34 2615 MASQUERADE all -- any !br-88eb2b109258 172.18.0.0/16 anywhere
42 3423 MASQUERADE all -- any !br-8510145730df 172.19.0.0/16 anywhere
17584 1299K LIBVIRT_PRT all -- any any anywhere anywhere
17604 1300K nixos-nat-post all -- any any anywhere anywhere
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 RETURN all -- br-3a2c30a19c92 any anywhere anywhere
0 0 RETURN all -- br-88eb2b109258 any anywhere anywhere
0 0 RETURN all -- br-8510145730df any anywhere anywhere
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
Chain nixos-nat-post (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
pkts bytes target prot opt in out source destination
72 5330 MARK all -- ve-+ any anywhere anywhere MARK set 0x1
컨테이너에서:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.140.10 0.0.0.0 UG 0 0 0 eth0
192.168.140.10 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
컨테이너 추적 경로에서:
[root@nixbincache:~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (192.168.140.10) 0.043 ms 0.010 ms 0.009 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
답변1
을 실행하여 작동합니다 iptables -t nat -A POSTROUTING -o wlp2s0f0u7 -j MASQUERADE
.
다음은 iptable 규칙의 출력입니다.
sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 154 packets, 22783 bytes)
pkts bytes target prot opt in out source destination
203 29566 nixos-nat-pre all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 26 packets, 2466 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
pkts bytes target prot opt in out source destination
66 5673 nixos-nat-post all -- any any anywhere anywhere
25 2126 MASQUERADE all -- any wlp2s0f0u7 anywhere anywhere
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_PRT (0 references)
pkts bytes target prot opt in out source destination
Chain nixos-nat-post (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any wlp2s0f0u8 anywhere anywhere mark match 0x1
Chain nixos-nat-pre (1 references)
pkts bytes target prot opt in out source destination
2 120 MARK all -- ve-+ any anywhere anywhere MARK set 0x1