sometimes we need to restart servers

This commit is contained in:
Chai Feng 2018-08-08 23:44:12 +08:00
parent b6f325f9d1
commit d9017fd2a9
No known key found for this signature in database
GPG Key ID: 2DCD9A24E523FFD2
2 changed files with 7 additions and 4 deletions


@ -85,7 +85,7 @@ Modify the UFW configuration file `/etc/ufw/after.rules` and add the following r
COMMIT COMMIT
# END UFW AND DOCKER # END UFW AND DOCKER
Using command `sudo systemctl restart ufw` to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside. Using command `sudo systemctl restart ufw** to restart UFW after changing the file. Now the public network can't access any published docker ports, the container and the private network can visit each other normally, and the containers can also access the external network from inside. **There may be some unknown reasons cause the UFW rules will not take effect after restart UFW, please reboot servers. **
If you want to allow public networks to access the services provided by the Docker container, for example, the service port of a container is `80`. Run the following command to allow the public networks to access this service: If you want to allow public networks to access the services provided by the Docker container, for example, the service port of a container is `80`. Run the following command to allow the public networks to access this service:
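Review bot: the Markdown on the new line of this hunk is broken: `sudo systemctl restart ufw**` closes the inline code span with `**` instead of a backtick, so the code span runs on to the next backtick and the bold marker is swallowed; the closing `**` of the new warning is also preceded by a space (`servers. **`), which stops it from rendering as bold. Suggest restoring the closing backtick and tightening the sentence, e.g. `**For reasons not yet understood, the UFW rules sometimes do not take effect after restarting UFW; if that happens, reboot the server.**` Before advising a full reboot it would also help readers to give them a way to confirm whether the rules were loaded, for instance `sudo iptables -S DOCKER-USER`.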
@ -209,7 +209,7 @@ UFW 是 Ubuntu 上很流行的一个 iptables 前端,可以非常方便的管
COMMIT COMMIT
# END UFW AND DOCKER # END UFW AND DOCKER
然后重启 UFW`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。 然后重启 UFW`sudo systemctl restart ufw`。现在外部就已经无法访问 Docker 发布出来的任何端口了,但是容器内部以及私有网络地址上可以正常互相访问,而且容器也可以正常访问外部的网络。**可能由于某些未知原因,重启 UFW 之后规则也无法生效,请重启服务器。**
如果希望允许外部网络访问 Docker 容器提供的服务,比如有一个容器的服务端口是 `80`。那就可以用以下命令来允许外部网络访问这个服务: 如果希望允许外部网络访问 Docker 容器提供的服务,比如有一个容器的服务端口是 `80`。那就可以用以下命令来允许外部网络访问这个服务:
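Review bot: the new bold sentence in the Chinese README tells readers to reboot the server for unknown causes but, like the English version, gives them no way to check whether the rules were actually applied; consider adding the same verification step here so the two translations stay in sync. The Markdown itself is correct in this version (no space before the closing `**`), unlike the English hunk above.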


@ -62,6 +62,9 @@ function ufw-docker--allow() {
done done
fi fi
done done
if [[ "$RETVAL" -ne 0 ]]; then
err "Fail to add rule(s), cannot find the published port ${INSTANCE_PORT}/${PROTO} of instance \"${INSTANCE_NAME}\" or cannot update outdated rule(s)."
fi
return "$RETVAL" return "$RETVAL"
} }
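Review bot: the new error message in `ufw-docker--allow` merges two unrelated failure causes (the published port `${INSTANCE_PORT}/${PROTO}` was not found vs. an existing rule could not be updated) into one sentence, so a user cannot tell which to fix. Since `RETVAL` is only tested after the loops have finished, consider emitting a specific message at the point where each failure is detected, or at least including the output of the failing `ufw` call. Minor: `Fail to add rule(s)` should read `Failed to add rule(s)`.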
@ -71,7 +74,7 @@ function ufw-docker--add-rule() {
local PORT="$3" local PORT="$3"
local PROTO="$4" local PROTO="$4"
echo "allow $INSTANCE_NAME $PORT $PROTO" echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO}"
typeset -a UFW_OPTS typeset -a UFW_OPTS
UFW_OPTS=(route allow proto "${PROTO}" UFW_OPTS=(route allow proto "${PROTO}"
from any to "$INSTANCE_IP_ADDRESS" port "${PORT}" from any to "$INSTANCE_IP_ADDRESS" port "${PORT}"
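Review bot: the changed `echo` now prints `${PORT}/${PROTO}`, which matches the format used in the new error message in `ufw-docker--allow`. Style point in the same hunk: `"$INSTANCE_IP_ADDRESS"` is unbraced while `"${PROTO}"` and `"${PORT}"` are braced; pick one form for the `UFW_OPTS` array. Also consider whether this informational `echo` belongs on stdout, since anything that parses the script's output will see it alongside real results.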
@ -103,8 +106,8 @@ function ufw-docker--install() {
cat <<-\EOF | tee -a /etc/ufw/after.rules cat <<-\EOF | tee -a /etc/ufw/after.rules
# BEGIN UFW AND DOCKER # BEGIN UFW AND DOCKER
*filter *filter
:DOCKER-USER - [0:0]
:ufw-user-forward - [0:0] :ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8 -A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12 -A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16 -A DOCKER-USER -j RETURN -s 192.168.0.0/16
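Review bot: this hunk only swaps the order of the `:ufw-user-forward - [0:0]` and `:DOCKER-USER - [0:0]` chain declarations inside the heredoc appended to `/etc/ufw/after.rules`. iptables-restore does not care about the order of `:chain` declaration lines within a table, so the swap cannot by itself change which rules get loaded; if it was meant to address the "rules do not take effect after restarting UFW" problem documented in the README hunks, please record the actual cause in the commit message or a comment, otherwise drop the churn. Separately, `tee -a` appends the whole `# BEGIN UFW AND DOCKER` block on every run, so unless the function guards against it elsewhere a second install will duplicate the block; checking for the marker first would make the install idempotent.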