curl: (7) Failed connect to 192.168.0.19:2375; 没有到主机的路由

firewalld

使用Remote API访问docker的时候，遇到上面的这个问题

[root@localhost ~]# curl http://192.168.0.19:2375/info
curl: (7) Failed connect to 192.168.0.19:2375; 没有到主机的路由

如果你熟悉网络协议的话，那你一定会知道这是一个特定ICMP响应造成的。使用tcpump抓包发现ICMP内容如下

21:31:33.638418 IP 192.168.0.19 > localhost.localdomain: \
ICMP host 192.168.0.19 unreachable - admin prohibited, length 68

这样的问题，一般都是防火墙造成的，来看一下192.168.0.19这台主机上的防火墙规则

[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere            
3    INPUT_direct  all  --  anywhere             anywhere            
4    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
5    INPUT_ZONES  all  --  anywhere             anywhere            
6    DROP       all  --  anywhere             anywhere             ctstate INVALID
7    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

尽管防火墙规则不是看的太懂，但是可以看出，我们的请求触发了最后一条规则，然后收到了没有到主机的路由这样的错误信息。实际上，再局域网内的通信，是不应该收到这样的ICMP响应的。

发现问题了，就好办了，加一条规则不就行了

iptables -A INPUT -p tcp --dport 2375 -j ACCEPT

添加完之后，问题还是依旧没有解决，郁闷啊。再看一下防火墙规则

[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere            
3    INPUT_direct  all  --  anywhere             anywhere            
4    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
5    INPUT_ZONES  all  --  anywhere             anywhere            
6    DROP       all  --  anywhere             anywhere             ctstate INVALID
7    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2375

一看就明白了，新加的规则被插入到规则连的最后一条了，实际上根本没有生效。应该把新加的规则插入到最前面，下面是正确的命令

iptables -I INPUT -p tcp --dport 2375 -j ACCEPT

试一下，问题解决了，啊哈哈。再看一下防火墙规则

[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2375
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ACCEPT     all  --  anywhere             anywhere            
4    INPUT_direct  all  --  anywhere             anywhere            
5    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
6    INPUT_ZONES  all  --  anywhere             anywhere            
7    DROP       all  --  anywhere             anywhere             ctstate INVALID
8    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
9    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2375

这样一看，新加的规则确实生效了。