Публикация контейнерного приложения через обратный прокси Nginx - PullRequest
/ 06 августа 2020

Я пытаюсь опубликовать в Интернете приложение, работающее в docker-контейнере (Bitwarden). Я использую NGINX как обратный прокси (RP), который работает «НЕ» в docker-контейнере, а непосредственно на хосте. Контейнер запущен с пробросом портов 0.0.0.0:8005->80/tcp. Внутри LAN я без проблем получаю доступ к контейнеру по http://ip_host:8005 (так что docker-контейнер работает нормально).

Соответствующая часть конфигурации Nginx для публикации в Интернете следующая:

```nginx

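server {
    listen 5555 ssl;
    server_name domain.dom.com;
    autoindex off;
    # (A stray "fastcgi_param domain.dom.com $host;" line was dropped: this
    # server has no fastcgi_pass, so the directive had no effect.)

    # Let's Encrypt certificate and key for the published hostname.
    ssl_certificate     /etc/letsencrypt/live/domain.dom.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.dom.com/privkey.pem;
    # TLS is enabled by the "ssl" parameter of "listen" above; the standalone
    # "ssl off;" directive contradicted it and is deprecated since nginx 1.15.0,
    # so it was removed.
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is offered.
    # Add TLSv1.3 once the nginx/OpenSSL build in use supports it.
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    # Only plain GET/HEAD/POST are allowed; 444 closes the connection
    # without sending any response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Drop requests whose Host header is not the published name (if this is
    # the default server for port 5555, requests with any Host reach it).
    # Dots are escaped so that they match a literal "." only.
    if ($host !~ ^domain\.dom\.com$ ) {
        return 444;
    }

    # Referer keyword block-list; case-insensitive substring match.
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
        return 403;
    }

    location / {
        proxy_set_header  Host              $host;
        proxy_set_header  X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the backend must trust only the
        # last (right-most) entry, not the whole list.
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        # Container published on the host as 0.0.0.0:8005->80/tcp; the hop to
        # the backend is plain HTTP inside the LAN.
        proxy_pass        http://192.168.1.251:8005;
        # Seconds to wait for a backend response before answering 504.
        proxy_read_timeout  90;
    }
}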

```

Моя проблема в том, что я не могу получить доступ к контейнерному приложению из Интернета (по https://domain.dom.com:5555). Я всегда получаю от сервера NGINX код ошибки 504 (Gateway Timeout, то есть таймаут ожидания ответа от бэкенда). Что не так? Как я могу исследовать глубже? С уважением

PS Чтобы прояснить, на одном и том же RP я публикую другие сервисы (через разные порты, например, NodeRed), и все работает нормально.

ЖУРНАЛЫ:

```

2020/08/06 12:01:16 [debug] 12025#12025: accept on 0.0.0.0:5555, ready: 0
2020/08/06 12:01:16 [debug] 12025#12025: posix_memalign: 01288710:256 @16
2020/08/06 12:01:16 [debug] 12025#12025: *1 accept: X.X.X.X:52889 fd:14
2020/08/06 12:01:16 [debug] 12025#12025: *1 event timer add: 14: 60000:73519165
2020/08/06 12:01:16 [debug] 12025#12025: *1 reusable connection: 1
2020/08/06 12:01:16 [debug] 12025#12025: *1 epoll add event: fd:14 op:1 ev:80002001
2020/08/06 12:01:16 [debug] 12025#12025: *1 http check ssl handshake
2020/08/06 12:01:16 [debug] 12025#12025: *1 http recv(): 1
2020/08/06 12:01:16 [debug] 12025#12025: *1 https ssl handshake: 0x16
2020/08/06 12:01:16 [debug] 12025#12025: *1 tcp_nodelay
2020/08/06 12:01:16 [debug] 12025#12025: *1 ssl get session: 52528FFC:32
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL server name: "domain.dom.com"
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL ALPN supported by client: h2
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL ALPN supported by client: http/1.1
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL ALPN selected: http/1.1
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_do_handshake: -1
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_get_error: 2
2020/08/06 12:01:16 [debug] 12025#12025: *1 reusable connection: 0
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL handshake handler: 0
2020/08/06 12:01:16 [debug] 12025#12025: *1 ssl new session: AE04A10F:32:153
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_do_handshake: 1
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2020/08/06 12:01:16 [debug] 12025#12025: *1 reusable connection: 1
2020/08/06 12:01:16 [debug] 12025#12025: *1 http wait request handler
2020/08/06 12:01:16 [debug] 12025#12025: *1 posix_memalign: 0128E970:256 @16
2020/08/06 12:01:16 [debug] 12025#12025: *1 malloc: 012E18E8:1024
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_read: 382
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_read: -1
2020/08/06 12:01:16 [debug] 12025#12025: *1 SSL_get_error: 2
2020/08/06 12:01:16 [debug] 12025#12025: *1 reusable connection: 0
2020/08/06 12:01:16 [debug] 12025#12025: *1 posix_memalign: 0128F700:4096 @16
2020/08/06 12:01:16 [debug] 12025#12025: *1 http process request line
2020/08/06 12:01:16 [debug] 12025#12025: *1 http request line: "GET / HTTP/1.1"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http uri: "/"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http args: ""
2020/08/06 12:01:16 [debug] 12025#12025: *1 http exten: ""
2020/08/06 12:01:16 [debug] 12025#12025: *1 http process request header line
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Host: domain.dom.com:5555"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Accept-Encoding: gzip, deflate, br"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "DNT: 1"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Connection: keep-alive"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header: "Upgrade-Insecure-Requests: 1"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http header done
2020/08/06 12:01:16 [debug] 12025#12025: *1 event timer del: 14: 73519165
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 0
2020/08/06 12:01:16 [debug] 12025#12025: *1 rewrite phase: 1
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "GET"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script regex: "^(GET|HEAD|POST)$"
2020/08/06 12:01:16 [notice] 12025#12025: *1 "^(GET|HEAD|POST)$" matches "GET", client: X.X.X.X, server: domain.dom.com, request: "GET / HTTP/1.1", host: "domain.dom.com:5555"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if: false
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "domain.dom.com"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script regex: "^(domain.dom.com|montefato.homepc.it)$"
2020/08/06 12:01:16 [notice] 12025#12025: *1 "^(domain.dom.com)$" matches "domain.dom.com", client: X.X.X.X, server: domain.dom.com, request: "GET / HTTP/1.1", host: "domain.dom.com:5555"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if: false
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script regex: "(babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen)"
2020/08/06 12:01:16 [notice] 12025#12025: *1 "(babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen)" does not match "", client: X.X.X.X, server: domain.dom.com, request: "GET / HTTP/1.1", host: "domain.dom.com:5555"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script if: false
2020/08/06 12:01:16 [debug] 12025#12025: *1 test location: ~ "/"
2020/08/06 12:01:16 [debug] 12025#12025: *1 using configuration "/"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http cl:-1 max:1048576
2020/08/06 12:01:16 [debug] 12025#12025: *1 rewrite phase: 3
2020/08/06 12:01:16 [debug] 12025#12025: *1 post rewrite phase: 4
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 5
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 6
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 7
2020/08/06 12:01:16 [debug] 12025#12025: *1 access phase: 8
2020/08/06 12:01:16 [debug] 12025#12025: *1 access phase: 9
2020/08/06 12:01:16 [debug] 12025#12025: *1 access phase: 10
2020/08/06 12:01:16 [debug] 12025#12025: *1 access phase: 11
2020/08/06 12:01:16 [debug] 12025#12025: *1 post access phase: 12
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 13
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 14
2020/08/06 12:01:16 [debug] 12025#12025: *1 generic phase: 15
2020/08/06 12:01:16 [debug] 12025#12025: *1 http init upstream, client timer: 0
2020/08/06 12:01:16 [debug] 12025#12025: *1 epoll add event: fd:14 op:3 ev:80002005
2020/08/06 12:01:16 [debug] 12025#12025: *1 posix_memalign: 01317B60:4096 @16
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "Host"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "domain.dom.com"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "X-Real-IP"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "X.X.X.X"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "X-Forwarded-For"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "X.X.X.X"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "X-Forwarded-Proto"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script var: "https"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "Connection"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: "close"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: ""
2020/08/06 12:01:16 [debug] 12025#12025: *1 http script copy: ""
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "Accept-Encoding: gzip, deflate, br"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "DNT: 1"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header: "Upgrade-Insecure-Requests: 1"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http proxy header:
"GET / HTTP/1.0
Host: domain.dom.com
X-Real-IP: X.X.X.X
X-Forwarded-For: X.X.X.X
X-Forwarded-Proto: https
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1

"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http cleanup add: 01290650
2020/08/06 12:01:16 [debug] 12025#12025: *1 get rr peer, try: 2
2020/08/06 12:01:16 [debug] 12025#12025: *1 get rr peer, current: 012D43C0 -1
2020/08/06 12:01:16 [debug] 12025#12025: *1 stream socket 15
2020/08/06 12:01:16 [debug] 12025#12025: *1 epoll add connection: fd:15 ev:80002005
2020/08/06 12:01:16 [debug] 12025#12025: *1 connect to 192.168.1.251:8005, fd:15 #2
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream connect: -2
2020/08/06 12:01:16 [debug] 12025#12025: *1 posix_memalign: 0128E7F0:128 @16
2020/08/06 12:01:16 [debug] 12025#12025: *1 event timer add: 15: 60000:73519255
2020/08/06 12:01:16 [debug] 12025#12025: *1 http finalize request: -4, "/?" a:1, c:2
2020/08/06 12:01:16 [debug] 12025#12025: *1 http request count:2 blk:0
2020/08/06 12:01:16 [debug] 12025#12025: *1 http run request: "/?"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream check client, write event:1, "/"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream request: "/?"
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream send request handler
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream send request
2020/08/06 12:01:16 [debug] 12025#12025: *1 http upstream send request body
2020/08/06 12:01:16 [debug] 12025#12025: *1 chain writer buf fl:1 s:455
2020/08/06 12:01:16 [debug] 12025#12025: *1 chain writer in: 01290680
2020/08/06 12:01:16 [debug] 12025#12025: *1 writev: 455 of 455
2020/08/06 12:01:16 [debug] 12025#12025: *1 chain writer out: 00000000
2020/08/06 12:01:16 [debug] 12025#12025: *1 event timer del: 15: 73519255
2020/08/06 12:01:16 [debug] 12025#12025: *1 event timer add: 15: 90000:73549265
```

При дополнительном устранении неполадок я обнаружил, что проблема связана с правилами iptables. Если сбросить (flush) все правила, всё работает.

Вот моя конфигурация iptables. Кто-нибудь может мне помочь?

```

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       24  5556 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
2        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23,79 tcp flags:0x3F/0x02 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan >SYN scan trap:"
3        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan > FIN scan "
4        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan > XMAS-ALL scan "
5        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan > XMAS-PSH scan "
6        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan > XMAS scan "
7        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "PortScan > Null scan "
8        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 6/hour burst 1 length 0:28 LOG flags 0 level 4 prefix "PortScan >0 length udp "
9        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:28 /* Drop UDP packet with no content */
10       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW /* Drop TCP connection not starting by SYN */
11       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
12       9   456 SYN-FLOOD  tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
13       0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
14       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x17
15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
16       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
17    9966 1756K FIREWALL   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     6293 5657K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2     6293 5657K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3     3342 2876K ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4      119  8743 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
5     2832 2772K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
6        6  2196 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
7        0     0 ACCEPT     all  --  *      br-009dee4ec221  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
8        0     0 DOCKER     all  --  *      br-009dee4ec221  0.0.0.0/0            0.0.0.0/0           
9        0     0 ACCEPT     all  --  br-009dee4ec221 !br-009dee4ec221  0.0.0.0/0            0.0.0.0/0           
10       0     0 ACCEPT     all  --  br-009dee4ec221 br-009dee4ec221  0.0.0.0/0            0.0.0.0/0           
11       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
13       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8974 packets, 1356K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
2        2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0 state RELATED,ESTABLISHED
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain FIREWALL (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     8240 1068K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       98 10254 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0 state RELATED,ESTABLISHED
5        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 5/sec burst 5 state NEW,RELATED,ESTABLISHED
6        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 state NEW
7        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 state NEW
8        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13 state NEW
9        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 14 state RELATED,ESTABLISHED
10       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
11       0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
12       0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0           
13      89  7368 DROP       all  --  *      *       172.16.0.0/12        0.0.0.0/0           
14       0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           
15       0     0 DROP       all  --  *      *       192.168.0.0/24       0.0.0.0/0           
16       0     0 DROP       all  --  *      *       192.168.10.0/24      0.0.0.0/0           
17       0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
18    1437  651K DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         
19       0     0 DROP       all  --  *      *       240.0.0.0/5          0.0.0.0/0           
20       0     0 DROP       all  --  *      *       0.0.0.0/0            240.0.0.0/5         
21      14  5124 DROP       all  --  *      *       0.0.0.0/8            0.0.0.0/0           
22       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/8           
23       0     0 DROP       all  --  *      *       0.0.0.0/0            239.255.255.0/24    
24      34  6160 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
25       0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 17
26       0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
27       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
28       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04 limit: avg 2/sec burst 2
29       2    88 TRUSTED_LAN  all  --  *      *       192.168.100.1        0.0.0.0/0           
30      49  7248 TRUSTED_LAN  all  --  *      *       192.168.1.0/24       0.0.0.0/0           
31       3   192 TRUSTED_WAN  all  --  *      *      !192.168.1.0/24       0.0.0.0/0           
32      45  7072 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain TRUSTED_LAN (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:57443 
2        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:57444 
3        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:514 
4        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:1880 
5        4   176 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:1883
6        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:9092 
7        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:8086 
8        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:3000 
9        0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:8888 
10       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:25 
11       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:9847 
12       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:45001 
13       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:45002 
14       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:45003 
15       0     0 ACCEPT     tcp  --  wlan0  *       192.168.1.0/24       0.0.0.0/0            tcp dpt:45004 
16       2    88 ACCEPT     tcp  --  wlan0  *       192.168.100.1        0.0.0.0/0            tcp dpt:22

Chain TRUSTED_WAN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   192 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555

Chain SYN-FLOOD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        9   456 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 4
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        4   256 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "****DOCKER****"
2        6   312 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
3        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
4       18   936 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:80
5       37  1924 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.4           tcp dpt:80
6        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:53
7       52  3375 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           udp dpt:53

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     2832 2772K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
2        0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-009dee4ec221 !br-009dee4ec221  0.0.0.0/0            0.0.0.0/0           
3     6293 5657K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      880  871K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "****DOCKER-USER****"
2     6293 5657K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
2        0     0 DROP       all  --  *      br-009dee4ec221  0.0.0.0/0            0.0.0.0/0           
3     2832 2772K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

```

1 Ответ

/ 07 августа 2020

Решено! На случай, если это поможет кому-то ещё: трафик, приходящий на хост из сети docker-моста (172.17.0.0/16), отбрасывался правилом DROP для 172.16.0.0/12 в цепочке FIREWALL (у этого правила ненулевые счётчики пакетов), поэтому мне пришлось добавить в цепочку FIREWALL следующее правило, причём оно должно стоять раньше этого DROP. Обратите внимание: правило пропускает на хост любой трафик из 172.17.0.0/16 — при желании его можно сузить, например, привязав к интерфейсу docker0 (-i docker0):

-A FIREWALL -s 172.17.0.0/16 -m comment --comment "**DOCKER** containers" -j ACCEPT

Итак, полная исправленная цепочка теперь выглядит так:

```
Chain FIREWALL (1 references)
num pkts bytes target prot opt in out source destination
1 11911 1366K ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 126 13159 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state RELATED,ESTABLISHED
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 5/sec burst 5 state NEW,RELATED,ESTABLISHED
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
7 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13 state NEW
9 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 14 state RELATED,ESTABLISHED
10 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
11 383 1402K ACCEPT all -- * * 172.17.0.0/16 0.0.0.0/0 /* **DOCKER** containers */
12 0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
13 0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
14 99 7847 DROP all -- * * 172.16.0.0/12 0.0.0.0/0
15 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
16 0 0 DROP all -- * * 192.168.0.0/24 0.0.0.0/0
17 0 0 DROP all -- * * 192.168.10.0/24 0.0.0.0/0
18 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
19 1928 878K DROP all -- * * 0.0.0.0/0 224.0.0.0/4
20 0 0 DROP all -- * * 240.0.0.0/5 0.0.0.0/0
21 0 0 DROP all -- * * 0.0.0.0/0 240.0.0.0/5
22 14 5124 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
23 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/8
24 0 0 DROP all -- * * 0.0.0.0/0 239.255.255.0/24
25 27 4931 DROP all -- * * 0.0.0.0/0 255.255.255.255
26 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 17
27 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
28 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
29 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
30 1 44 TRUSTED_LAN all -- * * 192.168.100.1 0.0.0.0/0
31 140 13569 TRUSTED_LAN all -- * * 192.168.1.0/24 0.0.0.0/0
32 29 1848 TRUSTED_WAN all -- * * !192.168.1.0/24 0.0.0.0/0
33 136 13393 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
```
