diff --git a/README.md b/README.md
index 0d81c7a..c7003c8 100644
--- a/README.md
+++ b/README.md
@@ -85,7 +85,7 @@ Modify the UFW configuration file `/etc/ufw/after.rules` and add the following r
 COMMIT
 # END UFW AND DOCKER
-Using command `sudo systemctl restart ufw` to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside.
+Using command `sudo systemctl restart ufw** to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside. **There may be some unknown reasons cause the UFW rules will not take effect after restart UFW, please reboot servers. **
 If you want to allow public networks to access the services provided by the Docker container, for example, the service port of a container is `80`. Run the following command to allow the public networks to access this service:
@@ -209,7 +209,7 @@ UFW 是 Ubuntu 上很流行的一个 iptables 前端,可以非常方便的管
 COMMIT
 # END UFW AND DOCKER
-然后重启 UFW,`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。
+然后重启 UFW,`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。**可能由于某些未知原因,重启 UFW 之后规则也无法生效,请重启服务器。**
 如果希望允许外部网络访问 Docker 容器提供的服务,比如有一个容器的服务端口是 `80`。那就可以用以下命令来允许外部网络访问这个服务:
diff --git a/ufw-docker b/ufw-docker
index 22e69c8..7785df5 100755
--- a/ufw-docker
+++ b/ufw-docker
@@ -62,6 +62,9 @@ function ufw-docker--allow() {
 done
 fi
 done
+ if [[ "$RETVAL" -ne 0 ]]; then
+ err "Fail to add rule(s), cannot find the published port ${INSTANCE_PORT}/${PROTO} of instance \"${INSTANCE_NAME}\" or cannot update outdated rule(s)."
+ fi
 return "$RETVAL"
 }
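Review bot: The message added after the loop in ufw-docker--allow folds two unrelated failures ("cannot find the published port" and "cannot update outdated rule(s)") into one sentence, so an operator cannot tell whether no rule exists for the container at all or a stale rule was left in place, which matters when this output is the only evidence that a port is or is not exposed. `$RETVAL` and `${INSTANCE_PORT}` are set earlier in the function, outside this hunk, so which branch produced the non-zero status is not visible here; if the loop can distinguish the two cases, let it set distinct codes and choose the text on `$RETVAL`, otherwise at least fix the wording: `err "Failed to add rule(s): published port ${INSTANCE_PORT}/${PROTO} of instance \"${INSTANCE_NAME}\" not found, or an outdated rule could not be updated."`. The `err` helper is defined elsewhere, so whether it exits or only prints is not visible; if it only prints, the following `return "$RETVAL"` still propagates the failure, which callers using this as a guard need.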
@@ -71,7 +74,7 @@ function ufw-docker--add-rule() {
 local PORT="$3"
 local PROTO="$4"
- echo "allow $INSTANCE_NAME $PORT $PROTO"
+ echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO}"
 typeset -a UFW_OPTS
 UFW_OPTS=(route allow proto "${PROTO}" from any to "$INSTANCE_IP_ADDRESS" port "${PORT}"
@@ -103,8 +106,8 @@ function ufw-docker--install() {
 cat <<-\EOF | tee -a /etc/ufw/after.rules
 # BEGIN UFW AND DOCKER
 *filter
- :DOCKER-USER - [0:0]
 :ufw-user-forward - [0:0]
+ :DOCKER-USER - [0:0]
 -A DOCKER-USER -j RETURN -s 10.0.0.0/8
 -A DOCKER-USER -j RETURN -s 172.16.0.0/12
 -A DOCKER-USER -j RETURN -s 192.168.0.0/16
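Review bot: Moving `:DOCKER-USER - [0:0]` below `:ufw-user-forward - [0:0]` in the generated after.rules block changes nothing for iptables-restore, since a `:chain` line only declares (or, under `--noflush`, flushes) the chain and no rule references either chain before both are declared, so if this reorder is meant to address the "rules do not take effect after restarting UFW" note the same commit adds to the README it will not help. The line to look at is the one kept as context, `:ufw-user-forward - [0:0]`: ufw's own user.rules declares and populates that chain, and if ufw loads after.rules after user.rules with `iptables-restore -n`, re-declaring an existing user chain flushes it, which would silently drop every `ufw route allow` rule on a restart; please verify that against the ufw version you target instead of documenting a reboot as the workaround. Independently, the three `-A DOCKER-USER -j RETURN -s …` context lines pass every RFC1918 source straight through the filter, which on cloud hosts whose VPC peers use those ranges trusts other tenants' private addresses, so a comment in the emitted block such as `# RFC1918 sources bypass the rules below; narrow these to your own subnets on shared private networks` would save users from a surprise. ufw-docker--install continues outside this hunk.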