Problem description
- Device: UGREEN NAS DXP4800
- System: UGNAS Pro
After UGREEN's new system was updated in December, the alist, Qinglong (青龙) and other services that had been reached through an nginx reverse proxy could no longer be connected to. The firewall in the UGNAS system is set up as follows:
only port 80 is open to the outside; every other Docker service is reachable solely through the nginx reverse proxy. Before the system update this had always worked.
Troubleshooting
After repeated investigation I found that the services only became reachable once the firewall was turned off. Logging into the NAS over SSH and looking at the iptables rules showed the following (abbreviated):
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in       out      source     destination
  18M   19G DOCKER-USER all  --  any      any      anywhere   anywhere
.....

Chain DOCKER-USER (1 references)
 pkts bytes target      prot opt in       out      source     destination
  19M   20G UG_FORWARD  all  --  any      any      anywhere   anywhere
 300K   21M ACCEPT      all  --  !docker0 !docker0 anywhere   anywhere
 2079  553K RETURN      all  --  any      any      anywhere   anywhere
......

Chain UG_FORWARD (2 references)
 pkts bytes target      prot opt in       out      source     destination
    0     0 ACCEPT      all  --  lo       any      anywhere   anywhere
   64  4737 ACCEPT      all  --  any      any      anywhere   anywhere   ctstate RELATED,ESTABLISHED
    0     0 RETURN      tcp  --  any      any      anywhere   anywhere   multiport dports 29999,29443
    0     0 RETURN      tcp  --  any      any      anywhere   anywhere   multiport dports ssh,20022
    0     0 RETURN      tcp  --  any      any      anywhere   anywhere   tcp dpt:microsoft-ds
    0     0 RETURN      tcp  --  any      any      anywhere   anywhere   multiport dports 137:netbios-ssn
    0     0 RETURN      udp  --  any      any      anywhere   anywhere   multiport dports 80,https
    2   128 RETURN      tcp  --  any      any      anywhere   anywhere   multiport dports http,https
    0     0 RETURN      udp  --  any      any      anywhere   anywhere   multiport dports 20000:29999
    0     0 RETURN      tcp  --  any      any      anywhere   anywhere   multiport dports 20000:29999
  200 12600 DROP        all  --  any      any      anywhere   anywhere
Note the unconditional DROP at the end of the UGREEN chain UG_FORWARD. DOCKER-USER jumps into UG_FORWARD before any of Docker's own rules are evaluated, and UG_FORWARD only RETURNs traffic destined for the listed service ports (80/443, SSH, SMB, 20000-29999 and so on). Any other forwarded traffic, which includes the nginx container's connections to its backends across the bridge on ports outside that list, falls through to that DROP (200 packets in the counter above) and never reaches the ACCEPT and RETURN rules that follow it in DOCKER-USER, nor the Docker chains further down FORWARD.
Solution
Knowing the cause, all that is needed is to add a new rule in the UGREEN firewall settings that allows the IP range of the Docker bridge (the bridge subnet can be read off in the Docker network settings) to communicate.
After that the containers can talk to each other again.
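To make the evaluation order concrete, here is an added example (not from the original post, and not UGREEN's or Docker's code) that replays the UG_FORWARD chain listed above as iptables -S rules and walks constructed packets through it: the nginx container talking to alist on the bridge, a LAN client hitting the published port 80, and an established reply. The backend port 5244, the container addresses in 172.17.0.0/16 (Docker's default bridge subnet), the interface names and the source addresses are assumptions. The firewall UI rule is modelled as a "-s <subnet> -j RETURN" inserted ahead of the DROP; that is an assumption about what "allow the bridge subnet" amounts to, not a statement of how UGNAS implements it.

```python
"""Walk constructed packets through a copy of the UG_FORWARD chain shown above."""
import ipaddress
import shlex

# Constructed from the `iptables -L -v` listing above, rewritten as `iptables -S`
# output (service names resolved: ssh=22, microsoft-ds=445, netbios-ssn=139,
# http=80, https=443). Counters are not part of -S output.
UG_FORWARD_BEFORE = """\
-A UG_FORWARD -i lo -j ACCEPT
-A UG_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A UG_FORWARD -p tcp -m multiport --dports 29999,29443 -j RETURN
-A UG_FORWARD -p tcp -m multiport --dports 22,20022 -j RETURN
-A UG_FORWARD -p tcp -m tcp --dport 445 -j RETURN
-A UG_FORWARD -p tcp -m multiport --dports 137:139 -j RETURN
-A UG_FORWARD -p udp -m multiport --dports 80,443 -j RETURN
-A UG_FORWARD -p tcp -m multiport --dports 80,443 -j RETURN
-A UG_FORWARD -p udp -m multiport --dports 20000:29999 -j RETURN
-A UG_FORWARD -p tcp -m multiport --dports 20000:29999 -j RETURN
-A UG_FORWARD -j DROP
"""

# iptables option -> packet field it is matched against
OPTS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
        "--dport": "dports", "--dports": "dports", "--ctstate": "ctstate",
        "-j": "target"}


def parse_rules(text):
    """Turn `-A CHAIN ...` lines into dicts of field -> (negated, value)."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        rule, neg, i = {}, False, 2          # skip "-A CHAIN"
        while i < len(tok):
            t = tok[i]
            if t == "!":                      # "! -i docker0" style negation
                neg, i = True, i + 1
            elif t == "-m":                   # extension name carries no criterion
                i += 2
            elif t in OPTS:
                rule[OPTS[t]] = (neg, tok[i + 1])
                neg, i = False, i + 2
            else:
                raise ValueError(f"unsupported token {t!r} in {line!r}")
        rules.append(rule)
    return rules


def _port_hit(dport, spec):
    """multiport syntax: comma-separated single ports or lo:hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= dport <= int(hi or lo):
            return True
    return False


def _matches(rule, pkt):
    for field, (neg, val) in rule.items():
        if field == "target":
            continue
        if field == "dports":
            hit = _port_hit(pkt["dport"], val)
        elif field in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(val, strict=False)
        elif field == "ctstate":
            hit = pkt["ctstate"] in val.split(",")
        else:
            hit = pkt[field] == val
        if hit == neg:                        # criterion failed, or a negated one hit
            return False
    return True


def verdict(rules, pkt):
    """First matching rule decides; falling off the end of a user chain is RETURN."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["target"][1]
    return "RETURN"


def allow_bridge_subnet(text, subnet):
    """Model of the firewall UI rule (assumption): a RETURN for the bridge subnet
    placed ahead of everything else, so it is evaluated before the final DROP."""
    return f"-A UG_FORWARD -s {subnet} -j RETURN\n" + text


# Constructed packets; 172.17.0.0/16 (Docker's default bridge) and port 5244 are assumed.
NGINX_TO_ALIST = {"in": "docker0", "out": "docker0", "proto": "tcp", "dport": 5244,
                  "src": "172.17.0.2", "dst": "172.17.0.3", "ctstate": "NEW"}
LAN_TO_NGINX = {"in": "eth0", "out": "docker0", "proto": "tcp", "dport": 80,
                "src": "192.168.1.10", "dst": "172.17.0.2", "ctstate": "NEW"}
ALIST_REPLY = dict(NGINX_TO_ALIST, src="172.17.0.3", dst="172.17.0.2",
                   dport=40000, ctstate="ESTABLISHED")

if __name__ == "__main__":
    before = parse_rules(UG_FORWARD_BEFORE)
    after = parse_rules(allow_bridge_subnet(UG_FORWARD_BEFORE, "172.17.0.0/16"))
    for name, pkt in [("nginx -> alist:5244", NGINX_TO_ALIST),
                      ("LAN -> nginx:80", LAN_TO_NGINX),
                      ("alist -> nginx (reply)", ALIST_REPLY)]:
        print(f"{name:24} before: {verdict(before, pkt):6}  after: {verdict(after, pkt)}")
```

The published port keeps working before and after (port 80 is on the RETURN list), while the container-to-container connection on port 5244 goes from DROP to RETURN only once the subnet rule sits ahead of the DROP. On the NAS itself, feed the script the real output of iptables -S UG_FORWARD and the subnet printed by docker network inspect bridge -f '{{(index .IPAM.Config 0).Subnet}}'; a compose project usually gets its own network with a different subnet, so inspect that network rather than the default bridge when the containers live there. RETURN rather than ACCEPT is deliberate in the model: it hands the packet back to DOCKER-USER and on to Docker's own chains, so Docker's port publishing and network isolation still apply, whereas an ACCEPT at that point would bypass them.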