Can transparent proxy work when v2rayA runs on Docker's bridge network?
Version, installation method, system
- Which version of v2rayA are you using: 1.5.7
- How did you install v2rayA: docker
- Which operating system are you using: Photon OS
Describe the problem:
Can transparent proxy work when v2rayA runs on Docker's bridge network?
The docker compose file currently in use is as follows:
```yaml
version: '3.3'
services:
  v2raya:
    restart: always
    privileged: true
    container_name: v2raya
    environment:
      - 'V2RAYA_ADDRESS=0.0.0.0:2017'
    volumes:
      - '/lib/modules:/lib/modules'
      - '/etc/resolv.conf:/etc/resolv.conf'
      - '/etc/v2raya:/etc/v2raya'
    image: mzz2017/v2raya
    ports:
      - "2017:2017"
      - "38830:38830"
      - "32345:32345"
      - "32346:32346"
      - "20170-20172:20170-20172"
```
Bridge networking cannot do transparent proxy. If you don't want to use host mode, look up how to use macvlan.
macvlan does give me transparent proxy; the only drawback seems to be that the host cannot communicate with containers on the macvlan. If you really need them to talk, you have to configure another macvlan on the host and reach the first macvlan through that one.
Right, it has some limitations.
@mzz2017 I cannot get transparent proxy to work in host mode; the iptables on the host are as follows. macvlan mode has no problem.
```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:38830
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:32346
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:32345
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:20172
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:20171
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:20170
ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:cypress-stat

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
```
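The dump above is `iptables -L`, which lists only the filter table and hides interface matches, so it cannot show whether transparent-proxy rules were installed in the host's network namespace at all: a TPROXY target is only valid in the mangle table and REDIRECT lives in nat. The following script is an added example, not code from the thread or from v2rayA. It audits an `iptables-save` dump (which covers every table) for those rules and for the chain policies. The sample dump it builds is constructed for offline use: its filter part mirrors the chains posted above (the `-i lo` match on the first INPUT rule is a guess, since `iptables -L` does not print it), and the `TP_RULE` chain and its TPROXY rules are hypothetical shapes, not v2rayA's exact rules. If rules were installed through nftables rather than iptables, `nft list ruleset` is the equivalent source.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or v2rayA): audit an iptables-save
# dump for what a transparent proxy needs in the host network namespace.
# Usage on the host:  iptables-save > /tmp/ipt.txt && ./audit.sh /tmp/ipt.txt
set -eu

# chain_policy FILE TABLE CHAIN -> prints the chain's policy, or "absent".
# iptables-save writes ":CHAIN POLICY [pkts:bytes]" under a "*table" header.
chain_policy() {
  awk -v t="*$2" -v c=":$3" '
    $1 == t { in_t = 1; next }
    /^\*/   { in_t = 0 }
    in_t && $1 == c { print $2; found = 1; exit }
    END { if (!found) print "absent" }' "$1"
}

# count_target FILE TABLE TARGET -> number of "-A ... -j TARGET" rules in TABLE.
count_target() {
  awk -v t="*$2" -v tgt="$3" '
    $1 == t { in_t = 1; next }
    /^\*/   { in_t = 0 }
    in_t && /^-A / { for (i = 1; i < NF; i++) if ($i == "-j" && $(i + 1) == tgt) n++ }
    END { print n + 0 }' "$1"
}

# has_transparent_proxy_rules FILE -> 0 if TPROXY (mangle) or REDIRECT (nat)
# rules exist, 1 otherwise. Without them nothing in this netns is diverted.
has_transparent_proxy_rules() {
  [ "$(count_target "$1" mangle TPROXY)" -gt 0 ] || [ "$(count_target "$1" nat REDIRECT)" -gt 0 ]
}

# audit_dump FILE -> human-readable summary of the checks above.
audit_dump() {
  printf 'filter INPUT policy: %s\n' "$(chain_policy "$1" filter INPUT)"
  printf 'mangle TPROXY rules: %s\n' "$(count_target "$1" mangle TPROXY)"
  printf 'nat REDIRECT rules:  %s\n' "$(count_target "$1" nat REDIRECT)"
  if has_transparent_proxy_rules "$1"; then
    echo "verdict: transparent-proxy rules are present in this netns"
  else
    echo "verdict: no TPROXY/REDIRECT rules here; check that the container shares the host netns (--network host) and that xt_TPROXY can be loaded"
  fi
}

# sample_dump with|without -> path to a constructed iptables-save dump (test data).
sample_dump() {
  local f
  f=$(mktemp)
  {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A OUTPUT -j ACCEPT
-A DOCKER-USER -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    if [ "$1" = with ]; then
      # Hypothetical TPROXY chain; port 32345 is the one published in the compose file.
      cat <<'EOF'
:TP_RULE - [0:0]
-A PREROUTING -j TP_RULE
-A TP_RULE -d 127.0.0.0/8 -j RETURN
-A TP_RULE -p tcp -j TPROXY --on-port 32345 --on-ip 127.0.0.1 --tproxy-mark 0x40/0xffffffff
-A TP_RULE -p udp -j TPROXY --on-port 32345 --on-ip 127.0.0.1 --tproxy-mark 0x40/0xffffffff
EOF
    fi
    echo COMMIT
  } > "$f"
  printf '%s\n' "$f"
}

if [ "${1:-}" ]; then audit_dump "$1"; fi
```

On a host where the container only has published ports (the compose file in the question), the verdict will be "no TPROXY/REDIRECT rules", because the container installed them inside its own bridge namespace, where the host's traffic never passes.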
You can refer to this:
https://github.com/devplayer0/docker-net-dhcp
It gives a network-related Docker container its own independent IP, which is like adding a bypass router to the LAN. That bypass router can be set to full direct connection, and the host can then be transparently proxied just like any other machine on the LAN, without worrying about loopback problems.
Can macvlan really not communicate with the host? Not even by IP?
https://forums.docker.com/t/host-and-containers-cannot-communicate-macvlan/112968 The host and a macvlan container cannot reach each other on the network by design; this is a kernel limitation, but they can be connected through a bridge-mode macvlan, e.g.

```bash
#!/usr/bin/bash
ip link add pubnet-br0 link enp2s0 type macvlan mode bridge
ip link set pubnet-br0 up
ip route add 10.0.0.0/8 dev pubnet-br0   # 10.0.0.0/8 stands for the macvlan subnet
```
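As an added example (not from the thread, from docker-net-dhcp, or from v2rayA's own documentation), here is the macvlan setup that the replies above describe, from the Docker network through the container to the host-side macvlan shim from the last reply. The interface name eth0, the 192.168.1.0/24 addresses, the network name pubnet and the shim name macvlan-shim are assumptions; the container flags mirror the compose file in the question. Two details differ from the three-line script above: the shim gets its own address, reserved from Docker's pool with `--aux-address` so the IPAM never hands it to a container, and the route over the shim covers only the container range, so it is more specific than the LAN route on the parent interface and actually wins. `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from v2rayA: v2rayA on a Docker macvlan
# network plus a host-side macvlan shim so the host can reach the container
# (macvlan children cannot talk to their parent interface directly).
# All names and addresses below are assumptions; adjust them to your LAN.
#   ./macvlan.sh setup     create network, container and shim (needs root + docker)
#   ./macvlan.sh verify    check the host's route and reachability afterwards
#   DRY_RUN=1 ./macvlan.sh setup   print the commands only
set -eu

PARENT=${PARENT:-eth0}                  # host NIC the macvlan hangs off
SUBNET=${SUBNET:-192.168.1.0/24}        # LAN subnet
GATEWAY=${GATEWAY:-192.168.1.1}         # LAN router
IP_RANGE=${IP_RANGE:-192.168.1.192/27}  # container slice; keep it out of the LAN DHCP pool
CONTAINER_IP=${CONTAINER_IP:-192.168.1.200}
SHIM=${SHIM:-macvlan-shim}
SHIM_IP=${SHIM_IP:-192.168.1.223}       # host-side address, excluded from Docker's pool below
NETWORK=${NETWORK:-pubnet}

# run CMD... -> executes CMD, or prints it when DRY_RUN is set.
run() { if [ "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_macvlan_network() {
  run docker network create -d macvlan \
      --subnet="$SUBNET" --gateway="$GATEWAY" --ip-range="$IP_RANGE" \
      --aux-address="host=$SHIM_IP" -o parent="$PARENT" "$NETWORK"
}

run_v2raya() {
  # --privileged and the /lib/modules mount follow the compose file in the
  # question (the TPROXY module must exist on the host kernel). The container
  # installs its proxy rules in its own netns, so LAN clients use $CONTAINER_IP
  # as their gateway (and DNS); ip_forward lets non-intercepted traffic pass.
  run docker run -d --name v2raya --restart=always --privileged \
      --network "$NETWORK" --ip "$CONTAINER_IP" \
      --sysctl net.ipv4.ip_forward=1 \
      -e V2RAYA_ADDRESS=0.0.0.0:2017 \
      -v /lib/modules:/lib/modules \
      -v /etc/resolv.conf:/etc/resolv.conf \
      -v /etc/v2raya:/etc/v2raya \
      mzz2017/v2raya
}

add_host_shim() {
  run ip link add "$SHIM" link "$PARENT" type macvlan mode bridge
  run ip addr add "$SHIM_IP/32" dev "$SHIM"
  run ip link set "$SHIM" up
  # $IP_RANGE is narrower than the $SUBNET route on $PARENT, so host -> container
  # traffic leaves via the shim; the container answers a macvlan sibling, which works.
  run ip route add "$IP_RANGE" dev "$SHIM"
}

setup() { create_macvlan_network; run_v2raya; add_host_shim; }

# verify_host_reaches_container -> 0 when the host routes to the container
# through the shim and the container answers a ping.
verify_host_reaches_container() {
  ip route get "$CONTAINER_IP" | grep -q "dev $SHIM" || { echo "route to $CONTAINER_IP does not use $SHIM"; return 1; }
  ping -c 1 -W 2 "$CONTAINER_IP" > /dev/null
}

case "${1:-}" in
  setup)  setup ;;
  verify) verify_host_reaches_container ;;
esac
```

The shim and its route are not persistent; on a systemd-networkd or NetworkManager host they have to be recreated at boot (for example from a oneshot unit), and `verify` is the quick check that the route still points at the shim after a reboot or a Docker upgrade.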