Docker inter-container communication (TCP and UDP) shows the gateway IP as the source IP


I have a docker host running docker version 18.09.2. When I try TCP communication between two containers on the host, the source IP always shows the gateway's IP instead of the actual source host. For example:

Container 1 (IP 172.17.0.2):

Container 2 (IP 172.17.0.3):

On container1, start a TCP connection to container2:

[h1 #] nc 172.17.0.3 9000
tcpdump on container1 shows the expected src and dst IPs:

[h1 #] tcpdump -nn -i any port 9000
18:03:26.138787 IP 172.17.0.2.43244 > 172.17.0.3.9000: Flags [S], seq 218108783, win 29200, options [mss 1460,sackOK,TS val 172963671 ecr 0,nop,wscale 7], length 0
18:03:26.138886 IP 172.17.0.3.9000 > 172.17.0.2.43244: Flags [R.], seq 0, ack 218108784, win 0, length 0
However, on container2 the src IP is the gateway:

[h2 #] tcpdump -nn -i any port 9000
18:03:26.138822 IP 172.17.0.1.43244 > 172.17.0.3.9000: Flags [S], seq 218108783, win 29200, options [mss 1460,sackOK,TS val 172963671 ecr 0,nop,wscale 7], length 0
18:03:26.138872 IP 172.17.0.3.9000 > 172.17.0.1.43244: Flags [R.], seq 0, ack 218108784, win 0, length 0
This is the default bridge network configuration:

# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "d927b5b9a76fdc5ed562ae035730625cbc9edbb02f659a00ac0384214828d67b",
        "Created": "2020-08-10T01:55:54.480991622+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3598edc19987680c208d8d540d4f774e2c68c7f4689611c845ccf94f99aeb156": {
                "Name": "h2",
                "EndpointID": "66e696e9fada081773ae577ae5367d7d5f4df3665a8a0e2be6318993a7b87807",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "7031102d30f669388b4938fa953172762ec3bfb3ab1a6422b53aa3b0857c85e8": {
                "Name": "h1",
                "EndpointID": "52b1ab4ce9a6bc5136db13c44bc9913fe31189863d44595d172373a222786c90",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

I have tried different images, all with the same result. Any ideas?

Thanks, LA. Attaching my iptables rules:

[docker_host #] iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  -- !10.70.0.0/16         0.0.0.0/0
DROP       all  --  0.0.0.0/0           !10.70.0.0/16
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (3 references)
target     prot opt source               destination
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (3 references)
target     prot opt source               destination
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (3 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination


I reproduced this on my side and I do not experience the behavior you describe. Something very interesting and strange must be going on on your side.

tcpdump on h1:

sh-4.4# tcpdump -nn -i any port 9000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:07:08.516964 IP 172.17.0.2.60074 > 172.17.0.3.9000: Flags [S], seq 2385135450, win 64240, options [mss 1460,sackOK,TS val 3644697290 ecr 0,nop,wscale 7], length 0
21:07:08.517085 IP 172.17.0.3.9000 > 172.17.0.2.60074: Flags [R.], seq 0, ack 2385135451, win 0, length 0
tcpdump on h2:

sh-4.4# tcpdump -nn -i any port 9000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:07:08.517033 IP 172.17.0.2.60074 > 172.17.0.3.9000: Flags [S], seq 2385135450, win 64240, options [mss 1460,sackOK,TS val 3644697290 ecr 0,nop,wscale 7], length 0
21:07:08.517062 IP 172.17.0.3.9000 > 172.17.0.2.60074: Flags [R.], seq 0, ack 2385135451, win 0, length 0
The bridge network configuration on my side (I did not find any difference):

From h2 to h1, do you experience the same behavior? Could you share in your post the output of "traceroute 172.17.0.3" and "ip route" executed from h1? Also, /etc/docker/daemon.json on the docker host, or any custom changes made to that network or to iptables...

Have you tried restarting the docker service?


1- Which OS are you using? 2- What does "ip route" give you in the containers?

@gmolaire the docker host is RHEL 7.7, the image is RHEL 7.3

[h1 #] ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2

[h2 #] ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3

daemon.json is empty. Yes, the behavior from h2 to h1 is the same. I tried restarting docker, rebooting the host and reinstalling docker; all of them give the same result. Yesterday I found this [link], which is very similar. I have a lot of iptables rules, but I am not sure which one is the cause. I will paste all of my rules in a new post.
docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "71db10f2d5fe7b737b94313d6a2e49c3c6d90bbfab357f9c6f0a6ef33cd54cbe",
        "Created": "2020-08-08T04:46:05.307778298+03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "5dc46e9d625d1a4c683fbc9f8c523eeafdd1cc7434a48cf0bebf7f4c3e091e6f": {
                "Name": "h2",
                "EndpointID": "fa4343e05938f6e9b23ed89a9c6bbdf3320665d2ec4b7a7efe5f5a3c83c9bc58",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "5f2e38bec9df6cb26018c60ea237278cdff100ecdf37ab04a1dc5a87f69b114b": {
                "Name": "h1",
                "EndpointID": "da9e723e4e1f4406828d66fde1d5958013064c93082ef9cdcb0d6374d0cadf0e",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]