This section demonstrates forwarding port 80 of a container running the Apache HTTPd service to a port on the host VM (here, as before, port 80 on the host), so that we can work with the service from outside the container.
The current state of the host's network interfaces is as follows:
[user@lxc-lab ~]$ ifconfig
eth0: flags=4163  mtu 1460
        inet 10.128.0.5  netmask 255.255.255.255  broadcast 10.128.0.5
        inet6 fe80::4001:aff:fe80:5  prefixlen 64  scopeid 0x20
        ether 42:01:0a:80:00:05  txqueuelen 1000  (Ethernet)
        RX packets 3992  bytes 861296 (841.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3084  bytes 373454 (364.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth8W08AX: flags=4163  mtu 1500
        inet6 fe80::fc36:f9ff:fe2c:d5c8  prefixlen 64  scopeid 0x20
        ether fe:36:f9:2c:d5:c8  txqueuelen 1000  (Ethernet)
        RX packets 6  bytes 516 (516.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 516 (516.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethKXJT6X: flags=4163  mtu 1500
        inet6 fe80::fc13:3ff:fe67:3562  prefixlen 64  scopeid 0x20
        ether fe:13:03:67:35:62  txqueuelen 1000  (Ethernet)
        RX packets 15  bytes 3057 (2.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 4572 (4.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethPSS3VX: flags=4163  mtu 1500
        inet6 fe80::fcc0:cfff:fe78:2107  prefixlen 64  scopeid 0x20
        ether fe:c0:cf:78:21:07  txqueuelen 1000  (Ethernet)
        RX packets 16  bytes 3400 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 4139 (4.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163  mtu 1500
        inet 192.168.68.10  netmask 255.255.255.0  broadcast 192.168.68.255
        inet6 fe80::d0fa:7bff:fed5:4480  prefixlen 64  scopeid 0x20
        ether fe:13:03:67:35:62  txqueuelen 1000  (Ethernet)
        RX packets 37  bytes 6455 (6.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 908 (908.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[user@lxc-lab ~]$
[user@lxc-lab ~]$ sudo firewall-cmd --get-active-zones
internal
  interfaces: virbr0
trusted
  interfaces: eth0
[user@lxc-lab ~]$ sudo firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: ssh mdns samba-client dhcpv6-client dns smtp
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[user@lxc-lab ~]$ sudo firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[user@lxc-lab ~]$
[user@lxc-lab ~]$ sudo ./startenv.sh
Below is the List of Available containers
NAME        STATE    IPV4            IPV6  AUTOSTART
---------------------------------------------------
container1  RUNNING  192.168.68.11   -     YES
container2  RUNNING  192.168.68.12   -     YES
localrepo   RUNNING  192.168.68.13   -     YES
[user@lxc-lab ~]$
Now start HTTPD inside container1, then scan its ports with nmap from the host to confirm it is listening. For simplicity, the command inside the container is run directly from the host in a chroot-like way (lxc-attach) rather than by logging in to the container.
[user@lxc-lab ~]$ sudo lxc-attach -n container1 -- service httpd start
Redirecting to /bin/systemctl start httpd.service
[user@lxc-lab ~]$ nmap -p- 192.168.68.11

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-27 14:31 UTC
Nmap scan report for 192.168.68.11
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
[user@lxc-lab ~]$
The goal here is to forward port 80 of container1 to port 8080 on the host (eth0, the VM's physical NIC), after which the site can be opened in a browser.
Basically, once the service inside the container is configured and confirmed to be listening on the container's port, all that remains is to add firewall rules on the host VM so that the firewall performs the port forwarding.
The port forwarding setup has two parts:
- When someone connects to the given port on the given IP of the host VM, redirect that request to the container's IP and port
- After the external client and the service inside the container complete the handshake, the two must also be allowed to keep a stable connection, or the service will not work properly
These correspond to the two firewall rules below. After running them, reload the firewall as before for them to take effect.
[user@lxc-lab ~]$ sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.68.11:80
success
[user@lxc-lab ~]$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -d 192.168.68.11 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
success
[user@lxc-lab ~]$ sudo firewall-cmd --reload
success
[user@lxc-lab ~]$
[user@lxc-lab ~]$ sudo firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i virbr0 -o eth0 -j ACCEPT
ipv4 filter FORWARD 0 -i virbr0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter FORWARD 0 -p tcp -d 192.168.68.11 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[user@lxc-lab ~]$
[user@lxc-lab ~]$ sudo firewall-cmd --direct --get-all-passthroughs
ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.68.0/24
ipv4 -t nat -I PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.68.11:80
[user@lxc-lab ~]$
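Because direct rules and passthroughs bypass firewalld's zone model, nothing in `--list-all` will tell you whether the forward above is still intact or whether someone has added another DNAT into the container network. The following script is an added example (not code from the original post) that parses the text printed by `firewall-cmd --direct --get-all-passthroughs` and `firewall-cmd --direct --get-all-rules`, confirms that both halves of the forward (the PREROUTING DNAT and the FORWARD ACCEPT) are present for each forward you expect, and reports any DNAT passthrough whose target is not on that list. The sample listings embedded in it are constructed from the output shown above; the `audit_live` helper and the container/host values it is called with are assumptions for the lab in this post.

```python
"""Audit firewalld direct configuration for container port forwards.

Added example for the firewalld/LXC walkthrough; not part of the original
post. It checks the two halves of a forward (PREROUTING DNAT passthrough and
FORWARD ACCEPT direct rule) and flags any DNAT target that was not expected.
"""
import shlex
import subprocess

# Constructed sample input: the two listings as they appear in the post.
SAMPLE_PASSTHROUGHS = """\
ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.68.0/24
ipv4 -t nat -I PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.68.11:80
"""
SAMPLE_RULES = """\
ipv4 filter FORWARD 0 -i virbr0 -o eth0 -j ACCEPT
ipv4 filter FORWARD 0 -i virbr0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter FORWARD 0 -p tcp -d 192.168.68.11 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""


def parse_listing(text):
    """Split each non-empty listing line into argv-style tokens."""
    return [shlex.split(line) for line in text.splitlines() if line.strip()]


def dnat_args(iface, host_port, ctr_ip, ctr_port):
    """First half: the passthrough that redirects iface:host_port to ctr_ip:ctr_port."""
    return ["ipv4", "-t", "nat", "-I", "PREROUTING", "-p", "tcp", "-i", iface,
            "--dport", str(host_port), "-j", "DNAT",
            "--to-destination", f"{ctr_ip}:{ctr_port}"]


def forward_args(ctr_ip, ctr_port):
    """Second half: the direct rule that lets the redirected flow through FORWARD."""
    return ["ipv4", "filter", "FORWARD", "0", "-p", "tcp", "-d", ctr_ip,
            "--dport", str(ctr_port), "-m", "state",
            "--state", "NEW,ESTABLISHED,RELATED", "-j", "ACCEPT"]


def dnat_targets(passthroughs):
    """Yield (dport, target) for every DNAT passthrough in the parsed listing."""
    for toks in passthroughs:
        if "DNAT" in toks and "--to-destination" in toks:
            dport = toks[toks.index("--dport") + 1] if "--dport" in toks else None
            yield dport, toks[toks.index("--to-destination") + 1]


def audit(passthrough_text, rules_text, forwards):
    """forwards: iterable of (iface, host_port, ctr_ip, ctr_port) that should exist.

    Returns {'missing': [...], 'unexpected': [...]}: halves of an expected forward
    that are absent, and DNAT targets present that were not expected.
    Matching is token-exact on purpose, so a re-ordered or loosened rule shows up.
    """
    passthroughs = parse_listing(passthrough_text)
    rules = parse_listing(rules_text)
    allowed, missing = set(), []
    for iface, hport, cip, cport in forwards:
        allowed.add((str(hport), f"{cip}:{cport}"))
        if dnat_args(iface, hport, cip, cport) not in passthroughs:
            missing.append(f"DNAT {iface}:{hport} -> {cip}:{cport}")
        if forward_args(cip, cport) not in rules:
            missing.append(f"FORWARD accept to {cip}:{cport}")
    unexpected = [f"{d} -> {t}" for d, t in dnat_targets(passthroughs)
                  if (d, t) not in allowed]
    return {"missing": missing, "unexpected": unexpected}


def audit_live(forwards):
    """Run the same check against the running firewalld (needs root; assumed helper)."""
    def listing(kind):
        return subprocess.run(["firewall-cmd", "--direct", kind],
                              capture_output=True, text=True, check=True).stdout
    return audit(listing("--get-all-passthroughs"), listing("--get-all-rules"), forwards)


if __name__ == "__main__":
    # Expected forward from the post: eth0:8080 -> container1 (192.168.68.11):80
    print(audit(SAMPLE_PASSTHROUGHS, SAMPLE_RULES, [("eth0", 8080, "192.168.68.11", 80)]))
```

Run the script as-is to check the sample listings; on the lab host, call `audit_live([("eth0", 8080, "192.168.68.11", 80)])` from cron or a config-check job and alert on anything in `missing` or `unexpected`. The token-exact comparison is deliberate: a rule that still "works" but has lost its `-p tcp` or `-i eth0` qualifier would be reported as missing, which is the drift you want to see.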
These rules are ordinary iptables rules, adjusted slightly and expressed as firewalld commands.
Also, the VM here runs on Google Cloud, so the next step is simply to allow http-server on the Google VM, after which the web page becomes reachable.
Finally, note that even though forwarding is in place, connecting directly to eth0's IP on the forwarded port from within the Google VM finds nothing; the service is exposed on the external IP through a separate Google mechanism.
[user@lxc-lab ~]$ telnet 10.128.0.5 8080
Trying 10.128.0.5...
telnet: connect to address 10.128.0.5: Connection refused
[user@lxc-lab ~]$
[user@lxc-lab ~]$ nmap -p- 10.128.0.5

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-27 14:37 UTC
Nmap scan report for lxc-lab.c.user-151709.internal (10.128.0.5)
Host is up (0.00064s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
[user@lxc-lab ~]$