UGREEN NAS firewall breaks Docker network connectivity between containers

Problem description

  • Device: UGREEN NAS DXP4800
  • System: ugnas pro
    After the December update of UGREEN's new system, the services that had been reverse-proxied through nginx, such as alist and Qinglong, could no longer be reached. The firewall in the ugnas system was configured as follows:

Only port 80 is exposed to the outside; every other Docker service is reachable only through the nginx reverse proxy. Before the system update this had always worked.

Troubleshooting

After repeated checks I found that the services only became reachable again once the firewall was turned off. After logging into the NAS over SSH I looked at the iptables rules:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  18M   19G DOCKER-USER  all  --  any    any     anywhere             anywhere
  .....
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  19M   20G UG_FORWARD  all  --  any    any     anywhere             anywhere
 300K   21M ACCEPT     all  --  !docker0 !docker0  anywhere             anywhere
 2079  553K RETURN     all  --  any    any     anywhere             anywhere
......
Chain UG_FORWARD (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   64  4737 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports 29999,29443
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports ssh,20022
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports 137:netbios-ssn
    0     0 RETURN     udp  --  any    any     anywhere             anywhere             multiport dports 80,https
    2   128 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
    0     0 RETURN     udp  --  any    any     anywhere             anywhere             multiport dports 20000:29999
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports 20000:29999
  200 12600 DROP       all  --  any    any     anywhere             anywhere   

Note the DROP at the end of the UGREEN firewall chain (UG_FORWARD). DOCKER-USER jumps into UG_FORWARD before any of the Docker rules, and any traffic not explicitly matched by the rules above it is dropped there, so the Docker rules that come after it are never reached.

Solution

Once the cause is known, all we need to do is add a new rule in the UGREEN firewall settings that allows the IP range of the bridge network to communicate (the bridge subnet can be looked up in the Docker network settings):



After that, the containers can talk to each other again.
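To check the same thing without clicking through the firewall UI, the following script (an added example, not part of the original post or of UGREEN's software) parses the `iptables -L -v` output shown above, finds chains that end in a catch-all DROP, and walks each such chain top to bottom to see whether an ACCEPT covering the bridge subnet sits above the DROP. The bridge subnet `172.17.0.0/16` is an assumption (Docker's default for docker0); the real value comes from `docker network inspect bridge`. The "after" dump that `with_bridge_rule` builds is constructed here to mirror the rule the post adds, so the script can show both the broken and the fixed state offline.

```python
"""Parse an `iptables -L -v` dump and check whether a chain ends in a catch-all
DROP that swallows Docker bridge traffic before any ACCEPT for the bridge
subnet. Added example; not code from the original post."""
from dataclasses import dataclass
import ipaddress

# Constructed sample: the dump shown in the post, trimmed to the relevant chains.
SAMPLE_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  18M   19G DOCKER-USER  all  --  any    any     anywhere             anywhere
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  19M   20G UG_FORWARD  all  --  any    any     anywhere             anywhere
 300K   21M ACCEPT     all  --  !docker0 !docker0  anywhere             anywhere
 2079  553K RETURN     all  --  any    any     anywhere             anywhere
Chain UG_FORWARD (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   64  4737 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    2   128 RETURN     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
  200 12600 DROP       all  --  any    any     anywhere             anywhere
"""

# Assumed bridge subnet (Docker's default docker0 network). Look up the real one
# with `docker network inspect bridge`, as the post says.
BRIDGE_SUBNET = "172.17.0.0/16"

ANY = ("anywhere", "0.0.0.0/0")  # `-L` prints "anywhere"; `-L -n` prints 0.0.0.0/0


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match text such as "ctstate RELATED,ESTABLISHED"


def parse_dump(text):
    """Return {chain_name: [Rule, ...]} in the order iptables lists them."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        parts = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # header row, separator dots, or blank line
        extra = parts[9].strip() if len(parts) > 9 else ""
        chains[current].append(Rule(parts[2], parts[3], parts[5], parts[6],
                                    parts[7], parts[8], extra))
    return chains


def is_catch_all(rule):
    """True for a rule that matches every packet (no protocol, interface or extra match)."""
    return (rule.prot == "all" and rule.in_if == "any" and rule.out_if == "any"
            and rule.src in ANY and rule.dst in ANY and rule.extra == "")


def terminal_drop_chains(chains):
    """Chains whose last rule is an unconditional DROP: nothing consulted after
    them (here, Docker's own rules) can ever be reached."""
    return [name for name, rules in chains.items()
            if rules and rules[-1].target == "DROP" and is_catch_all(rules[-1])]


def covers(rule_addr, subnet):
    """Does a rule's source/destination field include the whole subnet?"""
    if rule_addr in ANY:
        return True
    try:
        return subnet.subnet_of(ipaddress.ip_network(rule_addr, strict=False))
    except ValueError:
        return False  # a hostname that `-L` resolved, not a network


def bridge_allowed_before_drop(chains, chain, subnet):
    """Walk `chain` top to bottom: True if a plain ACCEPT (any interface, no extra
    match) covering subnet->subnet comes before the catch-all DROP, else False."""
    net = ipaddress.ip_network(subnet)
    for rule in chains.get(chain, []):
        if rule.target == "DROP" and is_catch_all(rule):
            return False
        if (rule.target == "ACCEPT" and rule.extra == "" and rule.prot == "all"
                and rule.in_if == "any" and rule.out_if == "any"
                and covers(rule.src, net) and covers(rule.dst, net)):
            return True
    return False  # no explicit allow found in this chain


def with_bridge_rule(dump, chain, subnet):
    """Constructed 'after' state: insert the subnet->subnet ACCEPT the fix adds at
    the top of `chain`, formatted the way `-L -v` would print it."""
    new_rule = f"    0     0 ACCEPT     all  --  any    any     {subnet:<20} {subnet}"
    out, in_chain = [], False
    for line in dump.splitlines():
        out.append(line)
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
        elif in_chain and line.split()[:1] == ["pkts"]:
            out.append(new_rule)  # right after the header row of the target chain
            in_chain = False
    return "\n".join(out) + "\n"


def report(dump=SAMPLE_DUMP, subnet=BRIDGE_SUBNET):
    """One line per chain that ends in a catch-all DROP."""
    chains = parse_dump(dump)
    return [f"{name}: ends in catch-all DROP; {subnet} allowed above it: "
            f"{bridge_allowed_before_drop(chains, name, subnet)}"
            for name in terminal_drop_chains(chains)]


if __name__ == "__main__":
    print("\n".join(report()))
    print("\n".join(report(with_bridge_rule(SAMPLE_DUMP, "UG_FORWARD", BRIDGE_SUBNET))))
```

On the NAS itself, feed the script the live output of `iptables -L -v -n` instead of the embedded sample; the `-n` flag keeps addresses numeric, which the parser also accepts. The position of the new rule matters more than its content: an allow rule appended below the DROP is never evaluated, which is exactly the ordering problem the chain above shows.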

Posted 2025-03-22 14:13 by yysog