How to resolve iptables error "Couldn't load match 'conntrack'" in docker container?

Question

I have a Windows 10 host with Docker running. Inside Docker I run two Rust containers. I would like to set up a firewall inside one of them.

The Compose file:

    version: '3'
    services:
      outer-endpoint:
        image: rust:1.70
        ports:
          # host:container
          - 4488:4488
          - 4466:4466
        command: bash -c "apt update -y && apt upgrade -y &&
          tail -f /dev/null" # print line when file is updated, run container forever
        volumes: # bind mount
          - 'C:\Users\XXX'
      inner-endpoint:
        image: rust:1.70
        ports:
          - 80:80
        command: bash -c "apt update -y && apt upgrade -y &&
          apt install iptables -y &&
          tail -f /dev/null"
        volumes:
          - 'C:\Users\XXX'
        cap_add: # allow iptables
          - NET_ADMIN
          - NET_RAW

I get inside the container with

    docker exec -it containername bash

There I use the following commands:

I use

    iptables -P INPUT DROP

to deny incoming traffic. That works well.
But when I try

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

to allow incoming traffic for established and related connections, I get the following error:

    iptables v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory

I do not understand what causes the error. How can I resolve it?
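The following script is an added example and is not part of the question or either answer. It wraps the rules from the question in a small POSIX sh script that first checks that the `iptables` binary in use can load the `conntrack` match (the exact step that fails with the error above), refuses to proceed without root, and applies the accept rules before switching the INPUT policy to DROP so the container's own replies and the exposed port keep working. It assumes `iptables` is installed in the container, that the script runs as root with the `NET_ADMIN` and `NET_RAW` capabilities from the Compose file, and that the only service port is 80 (the `ALLOWED_TCP_PORTS` variable and the `FIREWALL_APPLY` guard are conventions of this example, not of iptables or Docker).

```shell
#!/bin/sh
# Added example (not from the original post): apply the question's firewall
# inside the container with a preflight check for the conntrack match.
# Assumptions: iptables is installed in the container and the script runs
# as root with CAP_NET_ADMIN and CAP_NET_RAW (cap_add in the Compose file).

# Hypothetical port list; the question's inner-endpoint exposes only port 80.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80}"

# Emit the rules in a lock-out-safe order: loopback and established traffic
# first, then the service ports, and the DROP policy last.
firewall_rules() {
    ports="$1"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-P INPUT DROP"
}

# Ask the given iptables binary for the conntrack extension's help text.
# This loads the userspace match library, so it fails with the same
# "Couldn't load match `conntrack'" error the question shows, before any
# rule is touched. Exit status 0 means the match is usable.
conntrack_available() {
    "$1" -m conntrack --help >/dev/null 2>&1
}

apply_firewall() {
    bin="${IPTABLES:-iptables}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (or via sudo) with CAP_NET_ADMIN" >&2
        return 1
    fi
    if ! conntrack_available "$bin"; then
        echo "$bin cannot load the conntrack match; install the conntrack" \
             "extension in the image (or try iptables-legacy)" >&2
        return 1
    fi
    # Apply each emitted rule in order; a failing rule aborts the run.
    firewall_rules "$ALLOWED_TCP_PORTS" | while read -r rule; do
        # word-splitting of $rule into iptables arguments is intentional
        $bin $rule
    done
}

# Only touch the live ruleset when explicitly asked, e.g.
#   FIREWALL_APPLY=1 sh firewall.sh
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    apply_firewall
fi
```

Run it inside the container as `FIREWALL_APPLY=1 sh firewall.sh`; without that variable the script only defines its functions, so it can be sourced and inspected safely. Because the preflight check uses `--help` rather than inserting a rule, it diagnoses a missing extension without leaving the chain half-configured.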

Answer 1

Score: 1

Retry with sudo

    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Answer 2

Score: 0

Looks like you need to install conntrack in your docker image.

huangapple
  • Posted on June 2, 2023 02:06:35
  • Please keep this link when reposting: https://go.coder-hub.com/76384579.html