sometimes we need to restart servers
parent
b6f325f9d1
commit
d9017fd2a9
@ -85,7 +85,7 @@ Modify the UFW configuration file `/etc/ufw/after.rules` and add the following r
|
|||||||
COMMIT
|
COMMIT
|
||||||
# END UFW AND DOCKER
|
# END UFW AND DOCKER
|
||||||
|
|
||||||
Using command `sudo systemctl restart ufw` to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside.
|
Using command `sudo systemctl restart ufw** to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside. **There may be some unknown reasons cause the UFW rules will not take effect after restart UFW, please reboot servers. **
|
||||||
|
|
||||||
If you want to allow public networks to access the services provided by the Docker container, for example, the service port of a container is `80`. Run the following command to allow the public networks to access this service:
|
If you want to allow public networks to access the services provided by the Docker container, for example, the service port of a container is `80`. Run the following command to allow the public networks to access this service:
|
||||||
|
|
||||||
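Review bot: the new English line replaces the closing backtick after `sudo systemctl restart ufw` with `**`, so the inline code span never closes and the bold markers that follow are unbalanced; restore the backtick, i.e. `` `sudo systemctl restart ufw` to restart UFW ``, and keep `**` only around the added note. While touching the line, the added sentence reads better as "For unknown reasons the UFW rules may not take effect after restarting UFW; if so, reboot the server.", and it would help readers to state how to confirm the rules are active (for example by inspecting the DOCKER-USER chain) before falling back to a reboot.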
@ -209,7 +209,7 @@ UFW 是 Ubuntu 上很流行的一个 iptables 前端,可以非常方便的管
|
|||||||
COMMIT
|
COMMIT
|
||||||
# END UFW AND DOCKER
|
# END UFW AND DOCKER
|
||||||
|
|
||||||
然后重启 UFW,`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。
|
然后重启 UFW,`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。**可能由于某些未知原因,重启 UFW 之后规则也无法生效,请重启服务器。**
|
||||||
|
|
||||||
如果希望允许外部网络访问 Docker 容器提供的服务,比如有一个容器的服务端口是 `80`。那就可以用以下命令来允许外部网络访问这个服务:
|
如果希望允许外部网络访问 Docker 容器提供的服务,比如有一个容器的服务端口是 `80`。那就可以用以下命令来允许外部网络访问这个服务:
|
||||||
|
|
||||||
|
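Review bot: the Chinese note matches the English one in substance, but both tell the reader to reboot without saying how to tell that the rules did not take effect; consider adding one sentence on verifying the DOCKER-USER rules after `sudo systemctl restart ufw` so a reboot is only done when actually needed. Also make sure the English counterpart of this line keeps the same markup (backtick-closed command, bold note), since the two translations should render identically.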
@ -62,6 +62,9 @@ function ufw-docker--allow() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
if [[ "$RETVAL" -ne 0 ]]; then
|
||||||
|
err "Fail to add rule(s), cannot find the published port ${INSTANCE_PORT}/${PROTO} of instance \"${INSTANCE_NAME}\" or cannot update outdated rule(s)."
|
||||||
|
fi
|
||||||
return "$RETVAL"
|
return "$RETVAL"
|
||||||
}
|
}
|
||||||
|
|
||||||
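Review bot: the new error message lumps two unrelated causes into one sentence ("cannot find the published port ... or cannot update outdated rule(s)"), so a user cannot tell which one happened; if the loop can distinguish the two cases, emit a separate message for each, otherwise at least fix the wording to "Failed to add rule(s): ..." so it is grammatical. The hunk also relies on `RETVAL` being set on every path through the loop and on an `err` helper, neither of which is visible here, so double-check that `RETVAL` is initialised before the loop and that `err` writes to stderr.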
@ -71,7 +74,7 @@ function ufw-docker--add-rule() {
|
|||||||
local PORT="$3"
|
local PORT="$3"
|
||||||
local PROTO="$4"
|
local PROTO="$4"
|
||||||
|
|
||||||
echo "allow $INSTANCE_NAME $PORT $PROTO"
|
echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO}"
|
||||||
typeset -a UFW_OPTS
|
typeset -a UFW_OPTS
|
||||||
UFW_OPTS=(route allow proto "${PROTO}"
|
UFW_OPTS=(route allow proto "${PROTO}"
|
||||||
from any to "$INSTANCE_IP_ADDRESS" port "${PORT}"
|
from any to "$INSTANCE_IP_ADDRESS" port "${PORT}"
|
||||||
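Review bot: the reformatted progress line `allow ${INSTANCE_NAME} ${PORT}/${PROTO}` is clearer than the old space-separated form, but it is still written to stdout; if callers ever parse this script's output, consider sending informational lines like this to stderr so stdout carries only results. Purely cosmetic otherwise.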
@ -103,8 +106,8 @@ function ufw-docker--install() {
|
|||||||
cat <<-\EOF | tee -a /etc/ufw/after.rules
|
cat <<-\EOF | tee -a /etc/ufw/after.rules
|
||||||
# BEGIN UFW AND DOCKER
|
# BEGIN UFW AND DOCKER
|
||||||
*filter
|
*filter
|
||||||
:DOCKER-USER - [0:0]
|
|
||||||
:ufw-user-forward - [0:0]
|
:ufw-user-forward - [0:0]
|
||||||
|
:DOCKER-USER - [0:0]
|
||||||
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
|
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
|
||||||
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
|
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
|
||||||
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
|
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
|
||||||
|
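Review bot: moving `:DOCKER-USER - [0:0]` below `:ufw-user-forward - [0:0]` has no functional effect, since iptables-restore does not care about the order of chain declarations within the `*filter` block; if the intent is to match the order shown in the README snippet, say so in the commit message. Unrelated to the move but visible in the context: `cat <<-\EOF | tee -a /etc/ufw/after.rules` appends the whole BEGIN/END block on every run, so unless the surrounding function first checks for an existing `# BEGIN UFW AND DOCKER` marker (not visible in this hunk), re-running install will duplicate the block.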