How to resolve iptables error "Couldn't load match 'conntrack'" in docker container?

Question


I have a Windows 10 host with Docker running. Inside Docker I run two Rust containers. I would like to set up a firewall inside one of them.

The Compose file:

version: '3'
services:
  outer-endpoint:
    image: rust:1.70
    ports:
      # host:container
      - 4488:4488
      - 4466:4466
    command: bash -c "apt update -y && apt upgrade -y &&
             tail -f /dev/null" # print line when file is updated, run container forever
    volumes: # bind mount
      - 'C:\Users\XXX'
  inner-endpoint:
    image: rust:1.70
    ports:
      - 80:80
    command: bash -c "apt update -y && apt upgrade -y &&
             apt install iptables -y &&
             tail -f /dev/null"
    volumes:
      - 'C:\Users\XXX'
    cap_add: # allow iptables
      - NET_ADMIN
      - NET_RAW

I get inside the container with

docker exec -it containername bash

There I use the following commands:

I use

iptables -P INPUT DROP

to deny incoming traffic. That works well.
But when I try

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

to allow incoming traffic for established and related connections, I get the following error:

iptables v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory

I do not understand what causes the error. How can I resolve it?

Answer 1

Score: 1

Retry with sudo

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Answer 2

Score: 0

Looks like you need to install conntrack in your docker image.
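As an added example, not from the question or either answer, the script below checks the three things that decide whether the rule from the question can be applied (the effective capabilities granted via cap_add, the libxt_conntrack.so extension that the "Couldn't load match" message refers to, and kernel-side connection tracking) and then applies the intended policy with the DROP default set last. It assumes a Debian-based image such as rust:1.70 and takes the service port from SERVICE_PORT (default 80, the port the compose file publishes).

```shell
#!/bin/sh
# Added example, not from the original post. Checks the three things the error
# in the question depends on, then applies the intended policy in a safe order.
# Assumed: Debian-based image (xtables extensions under /usr/lib/*/xtables),
# service port taken from $SERVICE_PORT (default 80, as published in the compose file).

# Return 0 if bit $2 is set in the hex capability mask $1
# (the format of the CapEff line in /proc/self/status).
cap_bit_set() {
  [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# CAP_NET_ADMIN is bit 12 and CAP_NET_RAW bit 13 (linux/capability.h); both come
# from the container's bounding set (cap_add), not from the user running iptables.
have_net_caps() {
  mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
  cap_bit_set "$mask" 12 && cap_bit_set "$mask" 13
}

# Return 0 if the userspace extension for match $1 is installed. iptables prints
# "Couldn't load match `X': No such file or directory" when libxt_X.so cannot
# be loaded from its library directory (override with XTABLES_LIBDIR).
xtables_ext_present() {
  for f in "${XTABLES_LIBDIR:-/usr/lib/xtables}/libxt_$1.so" /usr/lib/*/xtables/libxt_$1.so; do
    [ -f "$f" ] && return 0
  done
  return 1
}

# Emit the rules in a fail-safe order: accept loopback, established/related and
# new connections to the service first, and switch the policy to DROP last.
firewall_rules() {
  port=$1
  printf '%s\n' \
    "iptables -A INPUT -i lo -j ACCEPT" \
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" \
    "iptables -P INPUT DROP"
}

main() {
  have_net_caps || { echo "CAP_NET_ADMIN/CAP_NET_RAW missing: add them via cap_add" >&2; exit 1; }
  xtables_ext_present conntrack || { echo "libxt_conntrack.so is not installed in this image" >&2; exit 1; }
  # Connection tracking is kernel-side and a container cannot load modules, so only warn.
  [ -e /proc/sys/net/netfilter/nf_conntrack_max ] || echo "warning: no conntrack in kernel" >&2
  firewall_rules "${SERVICE_PORT:-80}" | sh -e
}

case "${1:-}" in --apply) main ;; esac
```

Save it inside the container (for example as firewall.sh) and run `sh firewall.sh --apply`; without the flag it only defines the functions so they can be sourced and checked one at a time.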

huangapple
  • This post was published on 2 June 2023 at 02:06:35
  • Please keep this link when reposting: https://go.coder-hub.com/76384579.html