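[wudingjian] posted at https://github.com/istoreos/istoreos/issues/2133:
I. System information:
Model | FastRhino R68s
Architecture | ARMv8 Processor rev 0
Target platform | rockchip/rk35xx
Firmware version | iStoreOS 22.03.7 2024122712 / LuCI istoreos-22.03 branch git-24.339.46321-5f9267c
Kernel version | 5.10.221
II. The problem: containers cannot reach the internet
1. After dial-up internet access is working normally, the system is at its default configuration (interfaces, firewall, etc. are all defaults).
Taking one of the containers as an example: DDNS-GO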
version: '3.1'
services:
  ddns-go:
    image: jeessy/ddns-go
    platform: linux/arm64/v8
    container_name: ddns-go
    restart: always
    ports:
      - '19876:9876'
    volumes:
      - ./ddns-go:/root
    networks:
      - app_net
networks:
  app_net:
    external: true
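2. With 1Panel installed, once the container is up it cannot reach the internet from inside. From inside the container I can ping the host IP 192.168.20.1, but I cannot ping the default Docker gateway 172.17.0.1, nor the internet.
(1) Ping results from the console inside the container: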
/app # ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1): 56 data bytes
^C
--- 172.17.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/app # ping 172.18.0.1
PING 172.18.0.1 (172.18.0.1): 56 data bytes
64 bytes from 172.18.0.1: seq=0 ttl=64 time=0.789 ms
64 bytes from 172.18.0.1: seq=1 ttl=64 time=1.061 ms
^C
--- 172.18.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.789/0.925/1.061 ms
/app # ping 172.19.0.1
PING 172.19.0.1 (172.19.0.1): 56 data bytes
64 bytes from 172.19.0.1: seq=0 ttl=64 time=1.486 ms
64 bytes from 172.19.0.1: seq=1 ttl=64 time=0.892 ms
^C
--- 172.19.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.892/1.189/1.486 ms
/app # ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=64 time=0.603 ms
64 bytes from 192.168.20.1: seq=1 ttl=64 time=0.832 ms
^C
--- 192.168.20.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.603/0.717/0.832 ms
/app # ping baidu.com
PING baidu.com (39.156.66.10): 56 data bytes
^C
--- baidu.com ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
/app # ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114): 56 data bytes
^C
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
/app # ip route
default via 172.19.0.1 dev eth0
172.19.0.0/16 dev eth0 scope link src 172.19.0.3
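(2) Question: pings to the internet are being blocked. Is this blocked by iStoreOS by default, or is it blocked by 1Panel by default after installing 1Panel?
Note: the same DDNS-GO container running on an N1 box on the same LAN does not have this problem and can ping the internet.
3. After it starts, it reports that no IPv4 address was obtained.
III. What is the cause, and what needs to be changed?
Everything else is currently at system defaults. Any pointers would be appreciated; I can add screenshots if needed.
The routing table is as follows (some private ports and IPs have been replaced with *)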
root@iStoreOS:~# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 261 packets, 24933 bytes)
pkts bytes target prot opt in out source destination
21 7303 SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
274 26473 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
89 13267 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
67 3426 zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_docker_prerouting all -- docker0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 34 packets, 2178 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 49 packets, 3541 bytes)
pkts bytes target prot opt in out source destination
25 1287 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
Chain POSTROUTING (policy ACCEPT 26 packets, 2158 bytes)
pkts bytes target prot opt in out source destination
188 18792 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
21 1818 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
161 16594 zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_docker_postrouting all -- * docker0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
Chain MINIUPNPD-POSTROUTING (2 references)
pkts bytes target prot opt in out source destination
Chain SS_SPEC_WAN_AC (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
5 292 RETURN tcp -- * * 0.0.0.0/0 118.*.*.* tcp dpt:!53
17 713 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
16 7065 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst
8 520 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SS_SPEC_WAN_FW (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
7 468 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234
Chain postrouting_docker_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_docker_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_docker_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_docker_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom docker postrouting rule chain */
Chain zone_docker_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_docker_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom docker prerouting rule chain */
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
21 1818 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
0 0 SNAT tcp -- * * 192.168.20.0/24 192.168.20.1 tcp dpt:*/* !fw3: vps (reflection) */ to:192.168.20.1
0 0 SNAT udp -- * * 192.168.20.0/24 192.168.20.1 udp dpt:* /* !fw3: vps (reflection) */ to:192.168.20.1
0 0 SNAT tcp -- * * 192.168.20.0/24 192.168.20.1 tcp dpt:* /* !fw3: iptv (reflection) */ to:192.168.20.1
0 0 SNAT udp -- * * 192.168.20.0/24 192.168.20.1 udp dpt:* /* !fw3: iptv (reflection) */ to:192.168.20.1
0 0 SNAT tcp -- * * 192.168.20.0/24 192.168.20.1 tcp dpt:* /* !fw3: usb (reflection) */ to:192.168.20.1
0 0 SNAT udp -- * * 192.168.20.0/24 192.168.20.1 udp dpt:*/* !fw3: usb (reflection) */ to:192.168.20.1
0 0 SNAT tcp -- * * 192.168.20.0/24 192.168.20.2 tcp dpt:* /* !fw3: Drive (reflection) */ to:192.168.20.1
0 0 SNAT udp -- * * 192.168.20.0/24 192.168.20.2 udp dpt:* /* !fw3: Drive (reflection) */ to:192.168.20.1
0 0 MASQUERADE all -- docker0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DockerNAT */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
89 13267 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
0 0 DNAT tcp -- * * 192.168.20.0/24 114.232*.* tcp dpt:* /* !fw3: vps (reflection) */ to:192.168.20.1:*
0 0 DNAT udp -- * * 192.168.20.0/24 114.232.*.* udp dpt:* /* !fw3: vps (reflection) */ to:192.168.20.1:*
0 0 DNAT tcp -- * * 192.168.20.0/24 114.232.*.* tcp dpt:*/* !fw3: iptv (reflection) */ to:192.168.20.1:*
0 0 DNAT udp -- * * 192.168.20.0/24 114.232.*.* udp dpt:* /* !fw3: iptv (reflection) */ to:192.168.20.1:*
0 0 DNAT tcp -- * * 192.168.20.0/24 114.232.*.* tcp dpt:* /* !fw3: usb (reflection) */ to:192.168.20.1:*
0 0 DNAT udp -- * * 192.168.20.0/24 114.232.*.* udp dpt:* /* !fw3: usb (reflection) */ to:192.168.20.1:*
0 0 DNAT tcp -- * * 192.168.20.0/24 114.232.*.* tcp dpt:* /* !fw3: Drive (reflection) */ to:192.168.20.2:*
0 0 DNAT udp -- * * 192.168.20.0/24 114.232.*.* udp dpt:* /* !fw3: Drive (reflection) */ to:192.168.20.2:*
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
161 16594 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
159 16456 MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
159 16456 MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
161 16594 FULLCONENAT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
67 3426 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:* /* !fw3: vps */ to:192.168.20.1:*
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:* /* !fw3: vps */ to:192.168.20.1:*
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:* /* !fw3: iptv */ to:192.168.20.1:*
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:* /* !fw3: iptv */ to:192.168.20.1:*
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:* /* !fw3: usb */ to:192.168.20.1:*
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:* /* !fw3: usb */ to:192.168.20.1:*
3 180 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:* /* !fw3: Drive */ to:192.168.20.2:*
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:* /* !fw3: Drive */ to:192.168.20.2:*
64 3246 FULLCONENAT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
60 2597 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
60 2597 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
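One way to read the dump above, as an added example that is not part of the original post: list which interfaces the fw3 zone jumps in the nat table are bound to, and look up the host interface that owns the container's gateway address (172.19.0.1 in the `ip route` output). The `ip -o -4 addr show` sample and the bridge name `br-EXAMPLE` are constructed assumptions, since the post does not show the host's interfaces.

```shell
#!/bin/sh
# Added example (not from the post): compare the interfaces bound to fw3 zones
# in the nat table with the host interface that owns a container's gateway.

# Print "<zone chain> <interface>" for every zone jump in PREROUTING/POSTROUTING.
# Input: `iptables -t nat -L -v -n` (columns: pkts bytes target prot opt in out ...).
zone_ifaces() {
    awk '
        $1 == "Chain" { chain = $2; next }
        (chain == "PREROUTING" || chain == "POSTROUTING") && $3 ~ /^zone_/ {
            # PREROUTING jumps match on the in column, POSTROUTING on the out column.
            print $3, (chain == "PREROUTING" ? $6 : $7)
        }'
}

# Print the zone chains bound to interface $1 (empty output means none).
zone_of() {
    zone_ifaces | awk -v want="$1" '$2 == want { print $1 }'
}

# Print the interface that owns IPv4 address $1.
# Input: output of `ip -o -4 addr show`.
iface_for_ip() {
    awk -v ip="$1" '$3 == "inet" { split($4, a, "/"); if (a[1] == ip) print $2 }'
}

# Constructed sample: POSTROUTING lines copied from the dump in the post.
sample_nat() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 26 packets, 2158 bytes)
pkts bytes target prot opt in out source destination
21 1818 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
161 16594 zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_docker_postrouting all -- * docker0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain MINIUPNPD (2 references)
EOF
}

# Constructed sample of `ip -o -4 addr show`; br-EXAMPLE is a placeholder name.
sample_addr() {
    cat <<'EOF'
5: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
7: br-EXAMPLE    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-EXAMPLE
EOF
}

bridge=$(sample_addr | iface_for_ip 172.19.0.1)
echo "gateway 172.19.0.1 is on: $bridge"
echo "zones bound to $bridge: $(sample_nat | zone_of "$bridge")"
```

On the router, feed the functions live output instead: `iptables -t nat -L -v -n | zone_of "$(ip -o -4 addr show | iface_for_ip 172.19.0.1)"`. The post shows only the nat table, so this check says nothing about the filter table's FORWARD rules.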




