Question
How to resolve iptables error "Couldn't load match 'conntrack'" in docker container?
I have a Windows 10 host with Docker running. Inside Docker I run two Rust containers. I would like to set up a firewall inside one of them.
The Compose file:
version: '3'
services:
  outer-endpoint:
    image: rust:1.70
    ports:
      # host:container
      - 4488:4488
      - 4466:4466
    command: bash -c "apt update -y && apt upgrade -y &&
      tail -f /dev/null" # tail -f on /dev/null never exits, so it keeps the container running
    volumes: # bind mount
      - 'C:\Users\XXX'
  inner-endpoint:
    image: rust:1.70
    ports:
      - 80:80
    command: bash -c "apt update -y && apt upgrade -y &&
      apt install iptables -y &&
      tail -f /dev/null"
    volumes:
      - 'C:\Users\XXX'
    cap_add: # allow iptables
      - NET_ADMIN
      - NET_RAW
I get inside the container with
docker exec -it containername bash
There I use the following commands. I use
iptables -P INPUT DROP
to deny incoming traffic. That works well.
But when I try
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
to allow incoming traffic for established and related connections, I get the following error:
iptables v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory
I do not understand what causes the error. How can I resolve it?
Answer 1
Score: 1
Retry with sudo
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Answer 2
Score: 0
Looks like you need to install conntrack in your docker image.
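An added diagnostic script, not from the question or either answer, for telling apart the two things that `-m conntrack` depends on inside a container. The text "Couldn't load match `conntrack':No such file or directory" is produced in user space, when iptables cannot open the extension library libxt_conntrack.so (on Debian it ships in the iptables package), so the first check looks for that file in $XTABLES_LIBDIR, the override that libxtables honours, and in the usual distro directories. The kernel side, the xt_conntrack and nf_conntrack modules, is a separate requirement: NET_ADMIN lets the container write rules, but it cannot modprobe, so the modules must already be loaded by the host kernel (on Docker Desktop for Windows, the kernel of the Linux VM). The second check reads /proc/modules for them. The directory list and the `--run` entry point are this example's own choices; the inputs used to exercise the helpers are constructed.

```shell
#!/bin/sh
# check_conntrack.sh: separate the user-space and kernel causes of
#   iptables: Couldn't load match `conntrack':No such file or directory
# Added example; the search directories below are assumptions, not read from iptables.

# Print the path of the xtables extension library for match NAME, searching the
# directories given as the remaining arguments. Returns 1 if none contains it.
# libxtables tries both the generic (libxt_) and the IPv4-only (libipt_) prefix.
find_xt_match_lib() {
  name=$1; shift
  for dir in "$@"; do
    for lib in "$dir/libxt_$name.so" "$dir/libipt_$name.so"; do
      if [ -f "$lib" ]; then
        printf '%s\n' "$lib"
        return 0
      fi
    done
  done
  return 1
}

# Return 0 if kernel module NAME appears in a /proc/modules-style file
# (one module per line, name first). Defaults to the real /proc/modules.
kmod_loaded() {
  name=$1
  modules_file=${2:-/proc/modules}
  grep -q "^$name " "$modules_file" 2>/dev/null
}

# Candidate extension directories: $XTABLES_LIBDIR first, then common distro paths
# (Debian/Ubuntu multiarch, older Debian, Fedora/RHEL). Assumed list.
default_xt_dirs() {
  [ -n "$XTABLES_LIBDIR" ] && printf '%s\n' "$XTABLES_LIBDIR"
  printf '%s\n' /usr/lib/x86_64-linux-gnu/xtables /usr/lib/aarch64-linux-gnu/xtables \
    /usr/lib/xtables /usr/lib64/xtables
}

# Run both checks against the live system for MATCH (default conntrack).
# Exit status 0 only if the extension and both kernel modules were found.
diagnose() {
  match=${1:-conntrack}
  rc=0
  echo "iptables backend: $(iptables -V 2>/dev/null || echo 'iptables not installed')"
  # shellcheck disable=SC2046  # directories are one per line and contain no spaces
  if lib=$(find_xt_match_lib "$match" $(default_xt_dirs)); then
    echo "user-space extension: $lib"
  else
    echo "user-space extension libxt_$match.so not found: install the distro iptables package or set XTABLES_LIBDIR"
    rc=1
  fi
  for mod in "xt_$match" nf_conntrack; do
    if kmod_loaded "$mod"; then
      echo "kernel module $mod: loaded"
    else
      echo "kernel module $mod: not listed in /proc/modules; load it on the host (modprobe $mod). Built-in features are never listed."
      rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  --run) diagnose "${2:-conntrack}" ;;
esac
```

Run it inside the container as `sh check_conntrack.sh --run`. The first line of its output also settles which backend the error came from: Debian ships both `iptables-nft` and `iptables-legacy` behind `update-alternatives`, and `iptables -V` prints `(nf_tables)` or `(legacy)` accordingly. One ordering caveat for the commands in the question: `iptables -P INPUT DROP` was applied before the ESTABLISHED,RELATED rule, so while that rule fails to load, the container's published port 80 drops every packet; set the default policy after the accept rules are in place.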