On CentOS 7 the firewall (firewalld) is running and port 8002 has not been opened, yet the program on that port can be accessed. Where else can I look to find which rule is letting it through?

2022-06-09 16:02:36 +08:00
xiaoyanbot

The program runs inside Docker and is mapped to port 8002 on the host. It can be reached normally via the host's public IP:8002.

netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      843/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      939/master          
tcp        0      0 0.0.0.0:8002            0.0.0.0:*               LISTEN      22206/docker-proxy  
tcp6       0      0 :::22                   :::*                    LISTEN      843/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      939/master          
tcp6       0      0 :::8002                 :::*                    LISTEN      22210/docker-proxy

The firewall is running:

# firewall-cmd --state
running

Port 8002 does not appear among the opened rules, yet the web program can indeed be accessed:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
# firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: eth0

Both zones, docker and public, have empty ports lists, which is strange. Where else can I look to see that port 8002 is allowed? Or are all ports allowed by default?

968 views
Node: Q&A
14 replies
xiaoyanbot
2022-06-09 16:44:13 +08:00
Just tested: if the port is not one mapped to the host by docker-proxy, it is not reachable by default; the port has to be opened.

So the remaining question is: which rule lets the ports mapped by docker-proxy pass through the firewall? Any pointers appreciated.
Nitroethane
2022-06-09 16:58:32 +08:00
Check whether the trusted zone contains the virtual interfaces Docker created. The Docker docs cover this: https://docs.docker.com/network/iptables/#integration-with-firewalld
kokutou
2022-06-09 17:03:15 +08:00
public (active)
target: default

docker (active)
target: ACCEPT

That is where the difference is.
default is roughly equivalent to reject.
cslive
2022-06-09 18:01:41 +08:00
Docker opens the firewall automatically; take a look at iptables.
xiaoyanbot
2022-06-09 18:15:44 +08:00
@cslive The iptables service isn't installed, so how do I check that?
m4d3bug
2022-06-09 18:16:07 +08:00
#4 has the right answer.

Docker ignores the system firewall - Blog - binsite
https://www.binss.me/blog/docker-pass-through-system-firewall/
xiaoyanbot
2022-06-09 18:16:12 +08:00
@Nitroethane How do I check the trusted zone?
xiaoyanbot
2022-06-09 18:26:39 +08:00
@cslive

~~~

# iptables -L DOCKER
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:teradataordbms

~~~

What is allowed is 172.17.0.2,
but the host's docker IP is 172.17.0.1.
Nitroethane
2022-06-09 19:50:36 +08:00
@xiaoyanbot #8 firewall-cmd --zone=trusted --list-all
The docs spell it out clearly; if you had read them you would not need to ask:

If you are running Docker version 20.10.0 or higher with firewalld on your system with --iptables enabled, Docker automatically creates a firewalld zone called docker and inserts all the network interfaces it creates (for example, docker0) into the docker zone to allow seamless networking.

Consider running the following firewalld command to remove the docker interface from the zone.
Nitroethane
2022-06-09 19:51:42 +08:00
@Nitroethane #9 --zone=trusted should be --zone=docker
Nitroethane
2022-06-09 19:53:58 +08:00
@Nitroethane #9 If you are not sure which zone docker is in, you can list all zones with firewall-cmd --list-all-zones:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client ssh
ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 4240/tcp 8472/udp 4244/tcp
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
7RTDKSAK
2022-06-10 10:13:13 +08:00
When you run docker run, it is best to state explicitly whether the port mapping listens on 127.0.0.0 or 0.0.0.0; if you don't, docker will pick 0.0.0.0 for you. Don't skimp on that bit of effort.
xiaoyanbot
2022-06-10 12:14:49 +08:00
@7RTDKSAK If I bind to 127.0.0.1:8002 and need access from outside, do I still have to put something like nginx in front to forward the traffic?
7RTDKSAK
2022-06-10 12:33:35 +08:00
@xiaoyanbot Yes.

But since you need access from outside, why would you listen on 127.0.0.1 in the first place?
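Putting the thread's two findings together, kokutou's and Nitroethane's point that the docker zone carries target ACCEPT and 7RTDKSAK's point that unspecified mappings bind to 0.0.0.0, here is an added audit script that is not from any poster. It runs over constructed samples modelled on the firewall-cmd and netstat output above and assumes only POSIX sh, awk and tr; the service-to-port table is a deliberate minimum (ssh only).

```shell
#!/bin/sh
# Added example, not from the thread: show why a port that firewalld never
# "opened" is still reachable. Inputs below are constructed samples modelled
# on the outputs posted above.
ZONES='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 
docker (active)
  target: ACCEPT
  interfaces: docker0
  services: 
  ports: '

LISTEN='tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN  843/sshd
tcp  0  0 127.0.0.1:25   0.0.0.0:*  LISTEN  939/master
tcp  0  0 0.0.0.0:8002   0.0.0.0:*  LISTEN  22206/docker-proxy'

# Zones whose target is ACCEPT: traffic entering on their interfaces is allowed
# no matter how empty their ports:/services: lines look.
accept_zones() {
  printf '%s\n' "$ZONES" | awk '
    /^[a-z]/                          { zone = $1 }
    $1 == "target:" && $2 == "ACCEPT" { print zone }'
}

# Sockets bound to 0.0.0.0 (hence reachable via eth0) whose port the public
# zone neither lists under ports: nor covers through the ssh service (tcp/22).
# Only ssh is mapped to a port number here; extend the table for other services.
unlisted_wildcard_listeners() {
  open=$(printf '%s\n' "$ZONES" | awk '
    /^[a-z]/ { zone = $1 }
    zone == "public" && $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") print 22 }
    zone == "public" && $1 == "ports:"    { for (i = 2; i <= NF; i++) { split($i, p, "/"); print p[1] } }' | tr "\n" " ")
  printf '%s\n' "$LISTEN" | awk -v open="$open" '
    BEGIN { n = split(open, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
      split($4, h, ":"); split($7, prog, "/")
      if (!ok[h[2]]) print h[2], prog[2]
    }'
}

accept_zones                 # prints: docker
unlisted_wildcard_listeners  # prints: 8002 docker-proxy
```

On a real host, feed the functions the live output of `firewall-cmd --list-all-zones` and `netstat -nltp` instead of the samples; a listener reported by the second function is exposed by the ACCEPT zone and docker-proxy, not by any public-zone rule.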

https://www.v2ex.com/t/858454