
境内 vps, 安装了 tailscale, 在 host 下搭建了 xray 透明代理, host 可以上网, 但是容器内会断网
无法使用 net=host
{ "log": { "loglevel": "info" }, "inbounds": [ { "tag": "all-in", "port": 12345, "protocol": "dokodemo-door", "settings": { "network": "tcp,udp", "followRedirect": true }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] }, "streamSettings": { "sockopt": { "tproxy": "tproxy" } } } ], "outbounds": [ { "tag": "direct", "protocol": "freedom", "settings": { "domainStrategy": "UseIPv4" }, "streamSettings": { "sockopt": { "mark": 2 } } }, { "tag": "proxy", "protocol": "trojan", "settings": { "servers": [ { "address": "XXX", "password": "YYY", } ] }, "streamSettings": { "network": "tcp", "security": "tls", "sockopt": { "mark": 2 } } } ], "routing": { "domainStrategy": "IPIfNonMatch", "rules": [ { "type": "field", "domain": [ "geosite:geolocation-!cn" ], "outboundTag": "proxy" } ] } } ip route add local default dev lo table 100 ip rule add fwmark 1 table 100 iptables -t mangle -N XRAY iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY -m mark --mark 2 -j RETURN iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 iptables -t mangle -N XRAY_SELF iptables -t mangle -A XRAY_SELF -d 10.0.0.0/8 -j RETURN iptables -t mangle -A XRAY_SELF -d 100.64.0.0/10 -j RETURN iptables -t mangle -A XRAY_SELF -d 127.0.0.0/8 -j RETURN iptables -t mangle -A XRAY_SELF -d 169.254.0.0/16 -j RETURN iptables -t mangle -A XRAY_SELF -d 172.16.0.0/12 -j RETURN iptables -t mangle -A 
XRAY_SELF -d 192.0.0.0/24 -j RETURN iptables -t mangle -A XRAY_SELF -d 192.168.0.0/16 -j RETURN iptables -t mangle -A XRAY_SELF -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY_SELF -d 240.0.0.0/4 -j RETURN iptables -t mangle -A XRAY_SELF -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY_SELF -m mark --mark 2 -j RETURN iptables -t mangle -A XRAY_SELF -p tcp -j MARK --set-mark 1 iptables -t mangle -A XRAY_SELF -p udp -j MARK --set-mark 1 iptables -t mangle -A PREROUTING -j XRAY iptables -t mangle -A OUTPUT -j XRAY_SELF 完整环境
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ts-input
-N ts-forward
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -j ts-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-deca817736b6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-deca817736b6 -j DOCKER
-A FORWARD -i br-deca817736b6 ! -o br-deca817736b6 -j ACCEPT
-A FORWARD -i br-deca817736b6 -o br-deca817736b6 -j ACCEPT
-A FORWARD -j ts-forward
-A ts-input -s $TAILSCALE_IP$/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-deca817736b6 -o br-deca817736b6 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-deca817736b6 ! -o br-deca817736b6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-deca817736b6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
(注: 上面只是 filter 表, 透明代理相关的规则在 mangle 表, 要用 `iptables -t mangle -S` 才看得到. 另外 INPUT 默认策略是 ACCEPT, 并且没有任何针对 12345 端口的限制, 也就是说 TPROXY 的监听端口对外网是可达的. `$TAILSCALE_IP$` 为脱敏后的占位符.)
运行后, host 可以 curl https://www.google.com
但是容器内断网, 并且百度也无法访问
1 Smokovsky May 20, 2024
刚遇到这个问题, 虽然有点晚了, 不过还是回答一下:

如果容器不用代理, 加上:
iptables -t mangle -A XRAY -d 172.17.0.0/16 -j RETURN
即可.
(注: 在楼主贴出的规则里, 172.17.0.0/16 已经被前面的 `-d 172.16.0.0/12 -j RETURN` 覆盖, 单独再加这条目的地址规则不会有任何变化. 要让容器发出的流量绕过 TPROXY, 匹配的应该是源地址或入口网卡, 例如 `iptables -t mangle -I XRAY -s 172.17.0.0/16 -j RETURN` 或 `iptables -t mangle -I XRAY -i docker0 -j RETURN`, 并且必须排在两条 TPROXY 规则之前.)

如果容器需要代理:
sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
sudo sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sudo sysctl -w net.bridge.bridge-nf-call-arptables=0
(注: 这三个开关关掉之后, 同一个 docker 网桥内容器之间直接桥接的流量就不再经过 iptables 的 FORWARD 链, Docker 依赖 iptables 实现的容器间过滤 (如 `--icc=false`, 以及 DOCKER-USER 里针对同网桥流量的规则) 对这部分流量不再生效; 经过路由的流量 (容器到外网, 不同网桥之间) 不受影响. 另外 `sysctl -w` 重启后不保留, 而 br_netfilter 模块加载时这些值默认为 1, 要持久化请写进 /etc/sysctl.d/.)

credit: https://github.com/springzfx/cgproxy/issues/10#issuecomment-673437557