Docker blocking incoming connections

Problem description

I deployed a simple Flask server in a Docker container. The application accepts connections on port 7005, and I have published port 7005 on Docker. I can see that Docker is actively blocking the connections, but I cannot figure out why.

I have tried adding an ACCEPT for port 7005 to the DOCKER-USER chain, changing the policy to accept all forwarding, and disabling ufw, but the Flask application still cannot be reached.

Docker run log:

sudo docker run --gpus all -p 7005:7005 simplify:1.0

 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

tshark capture:

sudo tshark  'tcp port 7005'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43230 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584425 TSecr=0 WS=128
    2 0.000052241   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43230 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 0.003889881   172.17.0.1 → 172.17.0.2   TCP 74 43234 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584429 TSecr=0 WS=128
    4 0.003934021   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43234 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
^C4 packets captured

iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Tags: python, docker, flask, firewall, iptables
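As an added diagnostic that is not code from the question or the answer, the following Python reads a tshark summary capture like the one above and separates the three outcomes a connection attempt can have. The sample inputs are the capture from the question plus two constructed contrasts. The point for this question: an RST/ACK coming back from 172.17.0.2 proves the SYN was delivered into the container, so no DROP rule on the host (DOCKER-USER, DOCKER-ISOLATION or ufw) is involved; the container's own kernel rejected the connection because no socket was bound to 172.17.0.2:7005.

```python
"""Triage a tshark summary capture of connection attempts to one TCP port.

Added example: this is not code from the question or the answer. It reads
tshark's default one-line-per-packet output (the format shown in the
question) and tells, per client flow, what happened on the server side:

  open      SYN answered with SYN/ACK  -> a socket is listening on that address
  refused   SYN answered with RST/ACK  -> the SYN reached the destination kernel,
                                          but nothing is bound to that address:port
                                          (a bind-address problem, not a firewall)
  no-reply  SYN never answered         -> dropped somewhere on the path
                                          (iptables DROP, routing, no such host)
"""
import re
from collections import defaultdict

# tshark summary line, e.g.
# "  1 0.000000000  172.17.0.1 → 172.17.0.2  TCP 74 43230 → 7005 [SYN] Seq=0 ..."
# Both the UTF-8 arrow tshark prints and a plain "->" are accepted.
ARROW = r"(?:→|->)"
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+" + ARROW +
    r"\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+(?P<sport>\d+)\s+" + ARROW +
    r"\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Parse one summary line; return None for lines that are not TCP packets."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["flags"] = {f.strip() for f in pkt["flags"].split(",")}
    for key in ("no", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def triage(capture_text):
    """Group packets into flows and give each flow a verdict.

    Returns {(client_ip, client_port, server_ip, server_port): verdict}.
    The client is whichever side sent the bare SYN.
    """
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        # Order the endpoints so both directions land in the same bucket.
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        flows[tuple(sorted((a, b)))].append(pkt)

    verdicts = {}
    for pkts in flows.values():
        syns = [p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]]
        if not syns:
            continue  # no connection attempt seen; skip mid-stream flows
        client = (syns[0]["src"], syns[0]["sport"])
        server = (syns[0]["dst"], syns[0]["dport"])
        replies = [p for p in pkts if (p["src"], p["sport"]) == server]
        if any({"SYN", "ACK"} <= p["flags"] for p in replies):
            verdict = "open"
        elif any("RST" in p["flags"] for p in replies):
            verdict = "refused"
        else:
            verdict = "no-reply"
        verdicts[client + server] = verdict
    return verdicts


# CAPTURE_FROM_QUESTION is the capture shown in the question; the other two
# are constructed here for contrast.
CAPTURE_FROM_QUESTION = """\
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43230 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584425 TSecr=0 WS=128
    2 0.000052241   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43230 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 0.003889881   172.17.0.1 → 172.17.0.2   TCP 74 43234 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584429 TSecr=0 WS=128
    4 0.003934021   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43234 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

CAPTURE_FILTERED = """\
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43300 → 7005 [SYN] Seq=0 Win=64240 Len=0
    2 1.020000000   172.17.0.1 → 172.17.0.2   TCP 74 43300 → 7005 [SYN] Seq=0 Win=64240 Len=0
    3 3.060000000   172.17.0.1 → 172.17.0.2   TCP 74 43300 → 7005 [SYN] Seq=0 Win=64240 Len=0
"""

CAPTURE_OPEN = """\
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43400 → 7005 [SYN] Seq=0 Win=64240 Len=0
    2 0.000040000   172.17.0.2 → 172.17.0.1   TCP 74 7005 → 43400 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
    3 0.000070000   172.17.0.1 → 172.17.0.2   TCP 66 43400 → 7005 [ACK] Seq=1 Ack=1 Win=64256 Len=0
"""

if __name__ == "__main__":
    for name, cap in (("question", CAPTURE_FROM_QUESTION),
                      ("filtered", CAPTURE_FILTERED),
                      ("open", CAPTURE_OPEN)):
        print(name, triage(cap))
```

A firewall DROP looks different on the wire: the client retransmits its SYN and nothing ever comes back, because DROP discards silently (a REJECT rule would answer with an RST or an ICMP unreachable, but Docker's own chains, including DOCKER-ISOLATION-STAGE-2 above, use DROP). Seeing the RST immediately after each SYN is the clue that the next thing to check is the bind address inside the container, not the host's rules.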

Solution

    * Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

You have bound the server to localhost inside the container.

You need to bind it to 0.0.0.0:7005 inside the container so that it can be reached through -p.
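The answer's point, as an added example that uses only the Python standard library (no Flask, and not code from the answer): the kernel completes a TCP handshake only for a socket bound to the address the SYN was sent to, or to 0.0.0.0. This assumes Linux, where every address in 127.0.0.0/8 is on the loopback interface, so 127.0.0.2 stands in for the container's eth0 address (172.17.0.2 in the question) without needing Docker at all.

```python
"""Which destination addresses reach a listener depends on its bind address.

Added example, not code from the question or the answer, and it uses only
the standard library (no Flask). A listener bound to 127.0.0.1 answers a
SYN sent to any other local address with RST, exactly like the capture in
the question, while a listener bound to 0.0.0.0 accepts it.
"""
import socket

OTHER_LOCAL_ADDR = "127.0.0.2"  # assumption: Linux, where all of 127/8 is local


def address_is_local(addr):
    """True if the kernel lets us bind to addr, i.e. it belongs to this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))
            return True
        except OSError:
            return False


def start_listener(bind_host):
    """Listen on bind_host at an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))
    srv.listen(5)  # the kernel completes handshakes into the backlog; no accept() needed
    return srv, srv.getsockname()[1]


def can_connect(host, port, timeout=2.0):
    """True if the handshake to host:port completes; False if refused (RST) or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError is the RST case seen in the question
        return False


def reachability(bind_host):
    """Start a listener bound to bind_host and report which destinations reach it."""
    srv, port = start_listener(bind_host)
    try:
        return {
            "127.0.0.1": can_connect("127.0.0.1", port),
            OTHER_LOCAL_ADDR: can_connect(OTHER_LOCAL_ADDR, port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print("127.0.0.2 is local:", address_is_local(OTHER_LOCAL_ADDR))
    # On Linux: {'127.0.0.1': True, '127.0.0.2': False}
    print("bound to 127.0.0.1:", reachability("127.0.0.1"))
    # On Linux: {'127.0.0.1': True, '127.0.0.2': True}
    print("bound to 0.0.0.0:  ", reachability("0.0.0.0"))
```

For Flask this means app.run(host="0.0.0.0", port=7005) or flask run --host=0.0.0.0. Binding to 0.0.0.0 inside the container only exposes the service within the container's own network namespace; what reaches the host's interfaces is decided by -p. To keep the service reachable from the host only, publish it with -p 127.0.0.1:7005:7005 rather than -p 7005:7005, which binds on all host interfaces.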
