로컬 네트워크 실험을 시도했지만 네임스페이스 네트워크 내에서 ping을 수행할 수 없습니다.
저는 페도라 37을 사용하고 있습니다.
Linux dmitry-desktop 6.1.18-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 11 16:09:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
다음 오류가 발생합니다.
➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
설정
➜ sudo ip netns add netns-test0
➜ sudo ip netns add netns-test1
➜ ls -la /var/run/netns
total 0
drwxr-xr-x. 2 root root 80 Mar 22 13:42 .
drwxr-xr-x. 63 root root 1.7K Mar 22 12:55 ..
-r--r--r--. 1 root root 0 Mar 22 13:42 netns-test0
-r--r--r--. 1 root root 0 Mar 22 13:42 netns-test1
➜ sudo ip link add eth00 type veth peer name eth01
➜ sudo ip link add eth10 type veth peer name eth11
➜ sudo ip link set eth00 up
➜ sudo ip link set eth01 up
➜ sudo ip link set eth01 netns netns-test0
➜ sudo ip link set eth11 netns netns-test1
➜ sudo ip netns exec netns-test0 ip link set lo up
➜ sudo ip netns exec netns-test0 ip link set eth01 up
➜ sudo ip netns exec netns-test0 ip addr 10.10.10.10/24 dev eth01
Command "10.10.10.10/24" is unknown, try "ip address help".
➜ sudo ip netns exec netns-test0 ip addr add 10.10.10.10/24 dev eth01
➜ sudo ip netns exec netns-test1 ip link set lo up
➜ sudo ip netns exec netns-test1 ip link set eth11 up
➜ sudo ip netns exec netns-test1 ip addr add 10.10.10.11/24 dev eth11
➜ sudo ip link add name br0 type bridge
➜ sudo ip addr add 10.10.10.1/24 brd + dev br0
➜ sudo ip link set br0 up
➜ sudo ip link set eth00 master br0
➜ sudo ip link set eth10 master br0
➜ sudo bridge link show br0
20: eth00@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
22: eth10@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
➜ sudo iptables -A FORWARD -i br0 -j ACCEPT
➜ sudo ip link set eth00 master br0
따라서 루트 네임스페이스에서 모든 장치와 br0을 ping할 수 있습니다.
➜ ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.057 ms
➜ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.060 ms
➜ ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.053 ms
그러나 네임스페이스 네트워크 내에서 ping을 시작하면 패킷이 필터링됩니다.
➜ sudo ip netns exec netns-test0 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.021 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.070 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
➜ sudo ip netns exec netns-test1 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.10.10.11: icmp_seq=3 ttl=64 time=0.036 ms
➜ sudo ip netns exec netns-test1 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.075 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.075 ms
took 2s
➜ sudo ip netns exec netns-test1 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
From 10.10.10.1 icmp_seq=4 Packet filtered
took 3s
✗ sudo ip netns exec netns-test1 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip -all netns exec ip route
netns: netns-test1
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip -all netns exec ip route add default via 10.10.10.1
netns: netns-test1
netns: netns-test0
➜ sudo ip -all netns exec ip route
netns: netns-test1
default via 10.10.10.1 dev eth11
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
default via 10.10.10.1 dev eth01
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
내 iptables 구성
➜ _ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
95 7810 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
95 7810 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
13 1226 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
15 956 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
67 5628 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
15 956 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
15 956 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
방화벽:
➜ firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: br0 ens1f1 eth01 eth11 vpn0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
sudo nft 목록 규칙 세트
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "br0" goto mangle_PRE_FedoraWorkstation
iifname "eth11" goto mangle_PRE_FedoraWorkstation
iifname "eth01" goto mangle_PRE_FedoraWorkstation
iifname "vpn0" goto mangle_PRE_FedoraWorkstation
iifname "ens1f1" goto mangle_PRE_FedoraWorkstation
iifname "docker0" goto mangle_PRE_docker
goto mangle_PRE_FedoraWorkstation
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "br0" goto nat_PRE_FedoraWorkstation
iifname "eth11" goto nat_PRE_FedoraWorkstation
iifname "eth01" goto nat_PRE_FedoraWorkstation
iifname "vpn0" goto nat_PRE_FedoraWorkstation
iifname "ens1f1" goto nat_PRE_FedoraWorkstation
iifname "docker0" goto nat_PRE_docker
goto nat_PRE_FedoraWorkstation
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "br0" goto nat_POST_FedoraWorkstation
oifname "eth11" goto nat_POST_FedoraWorkstation
oifname "eth01" goto nat_POST_FedoraWorkstation
oifname "vpn0" goto nat_POST_FedoraWorkstation
oifname "ens1f1" goto nat_POST_FedoraWorkstation
oifname "docker0" goto nat_POST_docker
goto nat_POST_FedoraWorkstation
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority -90; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_ZONES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "br0" goto filter_IN_FedoraWorkstation
iifname "eth11" goto filter_IN_FedoraWorkstation
iifname "eth01" goto filter_IN_FedoraWorkstation
iifname "vpn0" goto filter_IN_FedoraWorkstation
iifname "ens1f1" goto filter_IN_FedoraWorkstation
iifname "docker0" goto filter_IN_docker
goto filter_IN_FedoraWorkstation
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "br0" goto filter_FWD_FedoraWorkstation
iifname "eth11" goto filter_FWD_FedoraWorkstation
iifname "eth01" goto filter_FWD_FedoraWorkstation
iifname "vpn0" goto filter_FWD_FedoraWorkstation
iifname "ens1f1" goto filter_FWD_FedoraWorkstation
iifname "docker0" goto filter_FWD_docker
goto filter_FWD_FedoraWorkstation
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_FedoraWorkstation {
jump filter_INPUT_POLICIES_pre
jump filter_IN_FedoraWorkstation_pre
jump filter_IN_FedoraWorkstation_log
jump filter_IN_FedoraWorkstation_deny
jump filter_IN_FedoraWorkstation_allow
jump filter_IN_FedoraWorkstation_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 22 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 1025-65535 ct state { new, untracked } accept
tcp dport 1025-65535 ct state { new, untracked } accept
}
chain filter_IN_FedoraWorkstation_post {
}
chain nat_POST_FedoraWorkstation {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_FedoraWorkstation_pre
jump nat_POST_FedoraWorkstation_log
jump nat_POST_FedoraWorkstation_deny
jump nat_POST_FedoraWorkstation_allow
jump nat_POST_FedoraWorkstation_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_FedoraWorkstation_pre {
}
chain nat_POST_FedoraWorkstation_log {
}
chain nat_POST_FedoraWorkstation_deny {
}
chain nat_POST_FedoraWorkstation_allow {
}
chain nat_POST_FedoraWorkstation_post {
}
chain filter_FWD_FedoraWorkstation {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_FedoraWorkstation_pre
jump filter_FWD_FedoraWorkstation_log
jump filter_FWD_FedoraWorkstation_deny
jump filter_FWD_FedoraWorkstation_allow
jump filter_FWD_FedoraWorkstation_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_FedoraWorkstation_pre {
}
chain filter_FWD_FedoraWorkstation_log {
}
chain filter_FWD_FedoraWorkstation_deny {
}
chain filter_FWD_FedoraWorkstation_allow {
}
chain filter_FWD_FedoraWorkstation_post {
}
chain nat_PRE_FedoraWorkstation {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_FedoraWorkstation_pre
jump nat_PRE_FedoraWorkstation_log
jump nat_PRE_FedoraWorkstation_deny
jump nat_PRE_FedoraWorkstation_allow
jump nat_PRE_FedoraWorkstation_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_FedoraWorkstation_pre {
}
chain nat_PRE_FedoraWorkstation_log {
}
chain nat_PRE_FedoraWorkstation_deny {
}
chain nat_PRE_FedoraWorkstation_allow {
}
chain nat_PRE_FedoraWorkstation_post {
}
chain mangle_PRE_FedoraWorkstation {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_FedoraWorkstation_pre
jump mangle_PRE_FedoraWorkstation_log
jump mangle_PRE_FedoraWorkstation_deny
jump mangle_PRE_FedoraWorkstation_allow
jump mangle_PRE_FedoraWorkstation_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_FedoraWorkstation_pre {
}
chain mangle_PRE_FedoraWorkstation_log {
}
chain mangle_PRE_FedoraWorkstation_deny {
}
chain mangle_PRE_FedoraWorkstation_allow {
}
chain mangle_PRE_FedoraWorkstation_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
oifname "docker0" accept
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
}
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
counter packets 98 bytes 8062 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 15 bytes 956 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 98 bytes 8062 jump DOCKER-USER
counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 70 bytes 5880 accept
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
iifname "br0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 98 bytes 8062 return
}
}
그래서 이것이 아래의 IP 필터와 관련이 있는 것 같습니다.
➜ sudo nft list table ip filter
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
counter packets 98 bytes 8062 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 15 bytes 956 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 98 bytes 8062 jump DOCKER-USER
counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 70 bytes 5880 accept
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
iifname "br0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 98 bytes 8062 return
}
}
답변1
IPv4에 대한 참조를 제한하겠습니다(IPv6 또는 ARP도 영향을 받지만 OP는 IPv6를 사용하지 않으며 ARP에 대한 기본 방화벽이 없습니다).
루스트어바웃의존하고로드커널 모듈br_netfilter동일한 LAN에 있는 두 컨테이너 사이에서도 컨테이너 격리를 적절하게 제어합니다.
이로 인해 Netfilter가 IPv4 후크를 호출하게 됩니다.브리지된IPv4 유형의 프레임. 이것이 문서화되어 있지만iptables,nftables동일한 Netfilter API와 해당 IPv4 후크(따라서 ip순수 IPv4 제품군 및 inet하이브리드 IPv4+IPv6 제품군)를 사용하면 동일한 영향을 받습니다. 결과는 아래와 같습니다.
완전히 로드되면 br_netfilter,iptables그리고nftablesIPv4 네트워크 계층(녹색 영역의 녹색 상자)에서 일반적으로 사용되는 IPv4 구성 요소(작은 녹색 상자)는 브리지 링크 계층의 경우(파란색 영역의 녹색 상자)에도 사용됩니다.
그래서 브리지액자방화벽으로 보호됨iptables필터/FORWARD 체인. OP는 일반적으로 필요하지 않은 작업을 수행했습니다. br_netfilter브리지된 프레임은 iptables의 필터/전달을 통과하지 않습니다.
sudo iptables -A FORWARD -i br0 -j ACCEPT
이를 통해 FORWARD 체인에서 Docker가 설치한 기본 DROP 정책을 우회할 수 있습니다.브릿지 프레임. 실제로 Docker가 등장하면 DOCKER-USER대신 이 규칙을 체인에 삽입(추가가 아님)해야 합니다.
sudo iptables -I DOCKER-USER -i br0 -j ACCEPT
그러나 동일한 작업을 수행하는 다른 후크에 의해 방화벽이 제한됩니다. 여기서는 순수합니다.nftables이 표를 사용하여 Firewalld에 의해 설치됩니다 inet firewalld. 이 부분은 브리지 패킷을 거부합니다.
table inet firewalld {
...
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
...
reject with icmpx admin-prohibited
}
마지막으로 패킷은 첫 번째(iptables) 전달 후크가 있지만 두 번째 후크에서는 거부되었습니다(Firewalld의nftables) 프론트 후크.
iptables여기에서는 (OP의 명령에 추가로) 루트로 수행하고 다음을 사용하십시오.nftables:
nft insert rule inet firewalld filter_FORWARD iifname br0 oifname br0 accept
두 번째 후크의 프레임도 규칙이 재정의될 때까지 허용됩니다. 이 설정은 Firewalld의 자체 구성에 추가되어야 합니다.
Firewalld가 OP 설정으로 변경된 Fedora 37 컨테이너(그리고 br_netfilter호스트에 로드된 모듈)에서 테스트하는 방법은 다음과 같습니다. Firewalld가 인터페이스에 대한 전달 허용 규칙을 추가 br0하고 핑이 작동하도록 하는 방법은 다음과 같습니다.
firewall-cmd --zone=FedoraWorkstation --remove-interface=br0
firewall-cmd --zone=FedoraWorkstation --remove-interface=br0 --permanent
firewall-cmd --zone=trusted --add-interface=br0
firewall-cmd --zone=trusted --add-interface=br0 --permanent
적절한 보안 규칙이 있는 일부 사용자 지정 영역을 사용해야 할 수도 있습니다.
일부 Stack Exchange 링크에서 관련 Docker 질문에 답변했습니다.