Tags: firewall, iptables, container, docker, nftables
On Debian 10 buster, I am running into a problem where docker containers cannot ping the docker host, or even the docker bridge interface, but are able to reach the internet.

Allowing access (as shown in the related question here) does not fix my case. It seems related to iptables/nftables, and if I could first figure out how to log the errors I could probably work out what to do.

I have entered log rules in both INPUT and DOCKER-USER,

nft insert rule ip filter DOCKER-USER counter log

but they both show 0 packets logged. /var/log/kern.log shows nothing firewall-related, and neither does journalctl -k.

How does one view firewall activity the new way, with the nftables system?
nft list ip table filter
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
ct state invalid counter packets 80 bytes 3200 drop
iifname "vif*" meta l4proto udp udp dport 68 counter packets 0 bytes 0 drop
ct state related,established counter packets 9479197 bytes 17035404271 accept
iifname "vif*" meta l4proto icmp counter packets 0 bytes 0 accept
iifname "lo" counter packets 9167 bytes 477120 accept
iifname "vif*" counter packets 0 bytes 0 reject with icmp type host-prohibited
counter packets 28575 bytes 1717278 drop
counter packets 0 bytes 0 log
counter packets 0 bytes 0 log
iifname "docker0" counter packets 0 bytes 0 accept
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
counter packets 880249 bytes 851779418 jump DOCKER-ISOLATION-STAGE-1
oifname "br-cc7b89b40bee" ct state related,established counter packets 7586 bytes 14719677 accept
oifname "br-cc7b89b40bee" counter packets 0 bytes 0 jump DOCKER
iifname "br-cc7b89b40bee" oifname != "br-cc7b89b40bee" counter packets 5312 bytes 2458488 accept
iifname "br-cc7b89b40bee" oifname "br-cc7b89b40bee" counter packets 0 bytes 0 accept
oifname "br-d41d1510d330" ct state related,established counter packets 8330 bytes 7303256 accept
oifname "br-d41d1510d330" counter packets 0 bytes 0 jump DOCKER
iifname "br-d41d1510d330" oifname != "br-d41d1510d330" counter packets 7750 bytes 7569465 accept
iifname "br-d41d1510d330" oifname "br-d41d1510d330" counter packets 0 bytes 0 accept
oifname "br-79fccb9a0478" ct state related,established counter packets 11828 bytes 474832 accept
oifname "br-79fccb9a0478" counter packets 11796 bytes 707760 jump DOCKER
iifname "br-79fccb9a0478" oifname != "br-79fccb9a0478" counter packets 7 bytes 526 accept
iifname "br-79fccb9a0478" oifname "br-79fccb9a0478" counter packets 11796 bytes 707760 accept
counter packets 1756295 bytes 1727495359 jump DOCKER-USER
oifname "docker0" ct state related,established counter packets 1010328 bytes 1597833795 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 284235 bytes 16037499 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
ct state related,established counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump QBS-FORWARD
iifname "vif*" oifname "vif*" counter packets 0 bytes 0 drop
iifname "vif*" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 drop
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
chain QBS-FORWARD {
}
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-cc7b89b40bee" oifname != "br-cc7b89b40bee" counter packets 5312 bytes 2458488 jump DOCKER-ISOLATION-STAGE-2
iifname "br-d41d1510d330" oifname != "br-d41d1510d330" counter packets 7750 bytes 7569465 jump DOCKER-ISOLATION-STAGE-2
iifname "br-79fccb9a0478" oifname != "br-79fccb9a0478" counter packets 7 bytes 526 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 590138 bytes 34612496 jump DOCKER-ISOLATION-STAGE-2
counter packets 1808904 bytes 1760729363 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-cc7b89b40bee" counter packets 0 bytes 0 drop
oifname "br-d41d1510d330" counter packets 0 bytes 0 drop
oifname "br-79fccb9a0478" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 644929 bytes 74784737 return
}
chain DOCKER-USER {
counter packets 0 bytes 0 log
iifname "docker0" counter packets 305903 bytes 18574997 accept
counter packets 1450392 bytes 1708920362 return
}
}
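The listing above can be checked mechanically for the ordering problem that keeps a log rule silent: once a chain reaches a rule with no match expression and a terminating verdict (drop, accept, reject, return, goto), nothing after it is ever evaluated, so the counters of everything behind it stay at zero. The Python below is an added example, not part of the original question and not nftables project code. It embeds the INPUT and DOCKER-USER chains exactly as printed by nft list ip table filter above and reports the first unconditional terminating rule plus every rule that sits behind it. The parser only understands the rule syntax that occurs in this listing (match expressions, counter and log statements, a trailing verdict).

```python
import re

# The INPUT and DOCKER-USER chains exactly as printed by `nft list ip table filter`
# in the question above (iptables-over-nftables output, no indentation).
INPUT_CHAIN = """\
chain INPUT {
type filter hook input priority 0; policy drop;
ct state invalid counter packets 80 bytes 3200 drop
iifname "vif*" meta l4proto udp udp dport 68 counter packets 0 bytes 0 drop
ct state related,established counter packets 9479197 bytes 17035404271 accept
iifname "vif*" meta l4proto icmp counter packets 0 bytes 0 accept
iifname "lo" counter packets 9167 bytes 477120 accept
iifname "vif*" counter packets 0 bytes 0 reject with icmp type host-prohibited
counter packets 28575 bytes 1717278 drop
counter packets 0 bytes 0 log
counter packets 0 bytes 0 log
iifname "docker0" counter packets 0 bytes 0 accept
}
"""

DOCKER_USER_CHAIN = """\
chain DOCKER-USER {
counter packets 0 bytes 0 log
iifname "docker0" counter packets 305903 bytes 18574997 accept
counter packets 1450392 bytes 1708920362 return
}
"""

# Trailing verdict of a rule, if it has one. `jump` comes back to the calling
# chain, so it does not end evaluation; the others do.
VERDICT_RE = re.compile(
    r'(?<!\S)(accept|drop|return|reject(?: with .*)?|jump \S+|goto \S+)\s*$')
TERMINATING = ('accept', 'drop', 'return', 'reject', 'goto')
# Statements that decide nothing; stripping them leaves only the match expression.
STATEMENT_RE = re.compile(
    r'(?<!\S)(?:counter packets \d+ bytes \d+|log(?: prefix "[^"]*")?)(?!\S)')


def rules_of(chain_listing):
    """Return the rule lines of one chain, in order, without the chain header/footer."""
    rules = []
    for line in chain_listing.splitlines():
        line = line.strip()
        if not line or line.startswith(('chain ', 'type ')) or line in ('{', '}'):
            continue
        rules.append(line)
    return rules


def split_rule(rule):
    """Split a rule into (match expression, verdict); match is '' when the rule matches everything."""
    m = VERDICT_RE.search(rule)
    verdict = m.group(1) if m else None
    body = rule[:m.start()] if m else rule
    match = ' '.join(STATEMENT_RE.sub('', body).split())
    return match, verdict


def first_unconditional_terminating(rules):
    """1-based index of the first rule that matches everything and ends evaluation, or None."""
    for idx, rule in enumerate(rules, 1):
        match, verdict = split_rule(rule)
        if match == '' and verdict and verdict.split()[0] in TERMINATING:
            return idx
    return None


def unreachable_rules(chain_listing):
    """Return (index of the blocking rule or None, [indexes of rules behind it that can never fire])."""
    rules = rules_of(chain_listing)
    idx = first_unconditional_terminating(rules)
    if idx is None:
        return None, []
    return idx, list(range(idx + 1, len(rules) + 1))


if __name__ == '__main__':
    for name, chain in (('INPUT', INPUT_CHAIN), ('DOCKER-USER', DOCKER_USER_CHAIN)):
        rules = rules_of(chain)
        idx, dead = unreachable_rules(chain)
        if idx is None:
            print('%s: no unconditional terminating rule' % name)
            continue
        print('%s: rule %d terminates unconditionally: %s' % (name, idx, rules[idx - 1]))
        for d in dead:
            print('  rule %d can never be reached: %s' % (d, rules[d - 1]))
```

For INPUT the check points at rule 7 (the bare drop) and flags rules 8 to 10, which is why the two log rules and the docker0 accept all show 0 packets. Because every rule ahead of that drop was created by iptables, the returned index is also the position an iptables -I INPUT <n> command needs in order to land in front of it.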
You can use nftrace to trace the packet flow. It is very verbose, but it does not go to the kernel log: it is distributed over multicast netlink sockets (i.e., if nothing is listening on them, the traces simply go to "/dev/null").

If you really want to trace everything, trace prerouting and output at a low priority. Better use a separate table, because the one you displayed with nft list ip table filter is actually iptables-over-nftables, using the compatibility xt match layer API, and should not be tampered with (but it can safely be traced alongside). Also, you should know that iptables may have other tables, such as the nat table.

So, with the following ruleset in the file traceall.nft, loaded with nft -f traceall.nft:
# Declaring the table before deleting it lets the delete succeed even on the
# first load, so the file can be re-applied with nft -f at any time.
table ip traceall
delete table ip traceall
table ip traceall {
    chain prerouting {
        # priority -350 runs before raw (-300), conntrack (-200) and the
        # filter/nat chains, so every incoming packet is marked for tracing
        type filter hook prerouting priority -350; policy accept;
        meta nftrace set 1
    }
    chain output {
        # locally generated packets enter at output, not at prerouting
        type filter hook output priority -350; policy accept;
        meta nftrace set 1
    }
}
You can now follow these (very verbose) IPv4 traces with:
nft monitor trace
This will even work the same when done from inside a container (which is usually not the case for the log target).

You can activate these traces elsewhere, or put conditions in rules at a later priority before activating them, to avoid tracing all hooks/chains. Following this schematic will help to understand the order of events: Packet flow in Netfilter and General Networking.

If you choose to use the equivalent -j TRACE target in iptables, see also the man page for xtables-monitor, because iptables-over-nftables changes its behavior (compared to iptables-legacy).

Now that I am answering OP's question, here are some wild guesses about the issue and the log problem:

If Docker itself is running in a container, logs might not be available. They can be made available to the host and to all containers allowed to query kernel messages with

sysctl -w net.netfilter.nf_log_all_netns=1

because kernel messages have no namespaced instance.

The log rule in ip filter INPUT has a counter of zero, while the previous rule, with a drop statement, has a non-zero counter. That means the log rule was placed too late: after the drop. The log rule (or rather iptables' -j LOG) should be inserted before the final drop statement rather than appended after it, where it can never be reached.

The only INPUT rule concerning Docker is

iifname "docker0" counter packets 0 bytes 0 accept

If the containers are not on the default Docker network, there is no rule allowing them to reach the host.

Try adding a rule to test this. Make sure the result is inserted before the drop rule. Use iptables, to avoid adding nftables rules that might be incompatible with iptables-over-nftables:

# rule 7 in the INPUT listing is the unconditional drop, so insert at 7 to land in front of it;
# iptables uses a trailing "+" (not "*") as the interface-name wildcard
iptables -I INPUT 7 -i br-+ -j ACCEPT
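To turn the very verbose nft monitor trace stream into an answer to "which rule decided this packet's fate", the lines can be grouped by trace id and reduced to the last terminating verdict seen for that packet, following each jump into Docker's sub-chains along the way. The Python below is an added example, not code from the answer above or from the nftables project. Its sample input is constructed: the line shapes mirror what nft monitor trace prints (trace id, family, table, chain, then a packet:, rule ... (verdict ...), verdict or policy tail) and the rules quoted are the ones from the listing in the question, but the trace ids, MAC addresses, IP ids and checksums are made up.

```python
import re
from collections import OrderedDict

# Constructed sample trace for two packets leaving a container on docker0:
# 3b8f0a is a ping to the host's bridge address (172.17.0.1), 3b8f0b a ping to
# the internet. Trace ids, MACs, IP ids and checksums are invented; the rule
# texts are taken from the question's `nft list ip table filter` output.
SAMPLE_TRACE = """\
trace id 3b8f0a ip traceall prerouting packet: iif "docker0" ether saddr 02:42:ac:11:00:02 ether daddr 02:42:3f:9a:1c:77 ip saddr 172.17.0.2 ip daddr 172.17.0.1 ip ttl 64 ip id 21934 ip length 84 ip protocol icmp ip checksum 0x1c44 icmp type echo-request icmp code net-unreachable icmp id 7 icmp sequence 1
trace id 3b8f0a ip traceall prerouting rule meta nftrace set 1 (verdict continue)
trace id 3b8f0a ip traceall prerouting verdict continue
trace id 3b8f0a ip traceall prerouting policy accept
trace id 3b8f0a ip filter INPUT packet: iif "docker0" ether saddr 02:42:ac:11:00:02 ether daddr 02:42:3f:9a:1c:77 ip saddr 172.17.0.2 ip daddr 172.17.0.1 ip ttl 64 ip id 21934 ip length 84 ip protocol icmp ip checksum 0x1c44 icmp type echo-request icmp code net-unreachable icmp id 7 icmp sequence 1
trace id 3b8f0a ip filter INPUT rule counter packets 28575 bytes 1717278 drop (verdict drop)
trace id 3b8f0b ip traceall prerouting packet: iif "docker0" ether saddr 02:42:ac:11:00:02 ether daddr 02:42:3f:9a:1c:77 ip saddr 172.17.0.2 ip daddr 1.1.1.1 ip ttl 64 ip id 21935 ip length 84 ip protocol icmp ip checksum 0x9d02 icmp type echo-request icmp code net-unreachable icmp id 8 icmp sequence 1
trace id 3b8f0b ip traceall prerouting rule meta nftrace set 1 (verdict continue)
trace id 3b8f0b ip traceall prerouting verdict continue
trace id 3b8f0b ip traceall prerouting policy accept
trace id 3b8f0b ip filter FORWARD packet: iif "docker0" oif "eth0" ether saddr 02:42:ac:11:00:02 ether daddr 02:42:3f:9a:1c:77 ip saddr 172.17.0.2 ip daddr 1.1.1.1 ip ttl 64 ip id 21935 ip length 84 ip protocol icmp ip checksum 0x9d02 icmp type echo-request icmp code net-unreachable icmp id 8 icmp sequence 1
trace id 3b8f0b ip filter FORWARD rule counter packets 880249 bytes 851779418 jump DOCKER-ISOLATION-STAGE-1 (verdict jump DOCKER-ISOLATION-STAGE-1)
trace id 3b8f0b ip filter DOCKER-ISOLATION-STAGE-1 rule iifname "docker0" oifname != "docker0" counter packets 590138 bytes 34612496 jump DOCKER-ISOLATION-STAGE-2 (verdict jump DOCKER-ISOLATION-STAGE-2)
trace id 3b8f0b ip filter DOCKER-ISOLATION-STAGE-2 rule counter packets 644929 bytes 74784737 return (verdict return)
trace id 3b8f0b ip filter DOCKER-ISOLATION-STAGE-1 rule counter packets 1808904 bytes 1760729363 return (verdict return)
trace id 3b8f0b ip filter FORWARD rule counter packets 1756295 bytes 1727495359 jump DOCKER-USER (verdict jump DOCKER-USER)
trace id 3b8f0b ip filter DOCKER-USER rule counter packets 0 bytes 0 log (verdict continue)
trace id 3b8f0b ip filter DOCKER-USER rule iifname "docker0" counter packets 305903 bytes 18574997 accept (verdict accept)
"""

LINE_RE = re.compile(
    r'^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) (?P<tail>.*)$')
RULE_RE = re.compile(r'^rule (?P<rule>.*) \(verdict (?P<verdict>[^)]+)\)$')
# Verdicts that settle the packet for the hook it is in; jump/return/continue do not.
TERMINAL = {'accept', 'drop', 'reject'}


def parse_trace(lines):
    """Group `nft monitor trace` lines by trace id, keeping the visited steps and the last terminal verdict."""
    traces = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # nft monitor also prints non-trace events; ignore them
        t = traces.setdefault(m['id'], {'packet': None, 'steps': [], 'final': None})
        where = '%s %s %s' % (m['family'], m['table'], m['chain'])
        tail = m['tail']
        if tail.startswith('packet: '):
            if t['packet'] is None:  # the packet line repeats at every base chain; keep the first
                t['packet'] = tail[len('packet: '):]
            continue
        if tail.startswith('rule '):
            rm = RULE_RE.match(tail)
            if rm is None:
                continue
            rule, verdict = rm['rule'], rm['verdict']
        elif tail.startswith(('policy ', 'verdict ')):
            kind, verdict = tail.split(None, 1)  # chain-level "policy X" / "verdict X"
            rule = '<%s>' % kind
        else:
            continue
        t['steps'].append((where, rule, verdict))
        if verdict.split()[0] in TERMINAL:
            t['final'] = (where, rule, verdict)  # later hooks overwrite earlier accepts
    return traces


def summarize(trace):
    """Reduce one grouped trace to the fields a firewall debugger asks for."""
    pkt = trace['packet'] or ''

    def field(name):
        m = re.search(r'(?<!\S)%s (\S+)' % re.escape(name), pkt)
        return m.group(1) if m else None

    final = trace['final']
    return {
        'saddr': field('ip saddr'),
        'daddr': field('ip daddr'),
        'proto': field('ip protocol'),
        'icmp_type': field('icmp type'),
        'hops': len(trace['steps']),
        'final_where': final[0] if final else None,
        'final_rule': final[1] if final else None,
        'final_verdict': final[2].split()[0] if final else None,
    }


if __name__ == '__main__':
    for tid, trace in parse_trace(SAMPLE_TRACE.splitlines()).items():
        s = summarize(trace)
        print('trace %s %s -> %s %s/%s: %s in [%s] by rule: %s' % (
            tid, s['saddr'], s['daddr'], s['proto'], s['icmp_type'],
            s['final_verdict'], s['final_where'], s['final_rule']))
```

On the sample, the first trace ends with drop in ip filter INPUT by the bare counter drop rule (the same rule the answer identifies as sitting in front of the log rules), while the second traverses the two DOCKER-ISOLATION chains and is accepted in DOCKER-USER. On a real host, feed it the output of nft monitor trace after loading traceall.nft; the nat table's chains will appear in the same stream.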