DOCKER FOR MAC: Bridging Containers and the Host

How to get a host inside a container talking to the Mac host with 360° coverage and no blind spots

My work environment recently switched to a Mac. The experience has been quite good, and it performs very well under heavy load. However, I don't want to install too many pentesting tools on the Mac; I'd rather keep the environment clean once set up. At the same time I don't want to keep a VMware or VirtualBox VM running every day, which is far too inconvenient. So I thought: why not just install Docker and pull a Kali image? That way it is extremely convenient every time I use it, and with X11 available I'm not worried about the GUI failing to show up. But while preparing this pentesting environment I ran into quite a few problems, which I summarize below.


As far as we know there is no official solution for bridging containers and the host, but we can achieve it by creating our own virtual network interface.

Here is what the official documentation says:

There is no docker0 bridge on macOS

Because of the way networking is implemented in Docker for Mac, you cannot see a docker0 interface on the host. This interface is actually within the virtual machine.


I cannot ping my containers

Docker for Mac can’t route traffic to containers.


Per-container IP addressing is not possible

The docker (Linux) bridge network is not reachable from the macOS host.



Use cases and workarounds

There are two scenarios that the above limitations affect:

I WANT TO CONNECT FROM A CONTAINER TO A SERVICE ON THE HOST

The host has a changing IP address (or none if you have no network access). From 18.03 onwards our recommendation is to connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host.

The gateway is also reachable as gateway.docker.internal.


I WANT TO CONNECT TO A CONTAINER FROM THE MAC

Port forwarding works for localhost; --publish, -p, or -P all work. Ports exposed from Linux are forwarded to the host.

Our current recommendation is to publish a port, or to connect from another container. This is what you need to do even on Linux if the container is on an overlay network, not a bridge network, as these are not routed.

The command to run the nginx webserver shown in Getting Started is an example of this.

$ docker run -d -p 80:80 --name webserver nginx

……

The main points are:

  1. There is no docker0 interface on macOS
  2. You cannot ping your containers
  3. The default bridge cannot put the container and the host on the same subnet
  4. To reach a container you have to use port mapping

But in the spirit of not giving up I tried many approaches and stepped into many pitfalls, which I won't go through one by one here; in the end I found two fairly good solutions on GitHub.

Using a TUN/TAP virtual interface

First, the link:

https://github.com/mal/docker-for-mac-host-bridge

The author gives these steps to complete the setup:

  1. Download the tuntap OSX kernel extensions
  2. Extract the .pkg file within the tuntap archive
  3. Download install.sh
  4. (Optional, but encouraged) Read install.sh!
  5. Run install.sh (see example below)
DOCKER_TAP_NETWORK=acme ./install.sh tuntap_20150118.pkg

After I finished this step the tuntap interface did not appear; I got it to show up by rebooting.

Then, among the Docker networks, you will find an additional virtual network named acme:

➜  docker-for-mac-host-bridge git:(master) ✗ docker network ls                            
NETWORK ID NAME DRIVER SCOPE
e166944bf57f acme bridge local
d42caf83713f bridge bridge local
cd67fa698374 host host local
1c25d51a2292 none null local

Now it is time to verify:

➜  docker-for-mac-host-bridge git:(master) ✗ docker run --rm -it --net=acme brimstone/kali
root@5d5a6712feda:/pentest# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.2 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:ac:12:00:02 txqueuelen 0 (Ethernet)
RX packets 3 bytes 258 (258.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@5d5a6712feda:/pentest# ping bing.com
PING bing.com (204.79.197.200) 56(84) bytes of data.
64 bytes from a-0001.a-msedge.net (204.79.197.200): icmp_seq=1 ttl=37 time=61.0 ms
64 bytes from a-0001.a-msedge.net (204.79.197.200): icmp_seq=2 ttl=37 time=64.2 ms
^C
--- bing.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 61.096/62.659/64.222/1.563 ms
root@5d5a6712feda:/pentest# exit
exit

➜ docker-for-mac-host-bridge git:(master) ✗ ifconfig tap1
tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether ca:26:73:fc:29:31
inet 172.18.0.1 netmask 0xffff0000 broadcast 172.18.255.255
media: autoselect
status: active
open (pid 7227)

It can reach the internet, and it is on the same subnet as the host. Now I can relax.

VPN solution

I haven't tried the second method, but it should also work; interested readers can give it a try.

https://github.com/wojas/docker-mac-network

Forwarding the GUI correctly

To forward the GUI out of the container you need an X11 server; on a Mac that means installing XQuartz.

brew install caskroom/cask/xquartz

socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\" & docker run --rm -it -e DISPLAY=$(hostname):0 brimstone/kali zaproxy

socat is used to set up a listener on port 6000 so that X11 can work properly.


The listener was started with &, so it runs in the background and does not need to be started again for the rest of this boot session.

If you do it this way, you will get the following result:

➜  docker-for-mac-host-bridge git:(master) ✗ docker run --rm -it -e DISPLAY=$(hostname):0 brimstone/kali zaproxy 
Found Java version 9.0.4
Available memory: 992 MB
Setting jvm heap size: -Xmx248m
444 [main] INFO org.zaproxy.zap.GuiBootstrap - OWASP ZAP 2.7.0 started 03/05/2018, 12:22:54 with home /root/.ZAP/
548 [main] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger - Exception in thread "main"
java.awt.AWTError: Can't connect to X11 window server using 'Jeffreys-MBP:0' as the value of the DISPLAY variable.
at java.desktop/sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
at java.desktop/sun.awt.X11GraphicsEnvironment.access$200(X11GraphicsEnvironment.java:53)
at java.desktop/sun.awt.X11GraphicsEnvironment$1.run(X11GraphicsEnvironment.java:102)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.desktop/sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:61)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:292)
at java.desktop/java.awt.GraphicsEnvironment.createGE(GraphicsEnvironment.java:104)
at java.desktop/java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:82)
at java.desktop/sun.awt.X11.XToolkit.<clinit>(XToolkit.java:132)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:292)
at java.desktop/java.awt.Toolkit$2.run(Toolkit.java:573)
at java.desktop/java.awt.Toolkit$2.run(Toolkit.java:568)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.desktop/java.awt.Toolkit.getDefaultToolkit(Toolkit.java:567)
at java.desktop/java.awt.Toolkit.getEventQueue(Toolkit.java:1457)
at java.desktop/java.awt.EventQueue.invokeLater(EventQueue.java:1273)
at org.zaproxy.zap.GuiBootstrap.start(GuiBootstrap.java:105)
at org.zaproxy.zap.ZAP.main(ZAP.java:101)
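As an added example, not code from the original post or from the linked projects: a POSIX sh script that reads the tap1 gateway address out of ifconfig output and builds the socat listen spec with socat's bind= option, so the X11 relay (which does no authentication of its own) listens only on the bridge gateway rather than on every interface of the Mac, and then derives the container's DISPLAY from that same address instead of $(hostname). The function names and the sample ifconfig text are assumptions; the sample is constructed from the tap1 output shown earlier in the post.

```shell
#!/bin/sh
# Added example (not the original post's code). Builds the post's X11 relay
# with the listener bound to the tuntap gateway only, instead of
# TCP-LISTEN:6000 on all interfaces: the relayed X server accepts any client
# that can reach port 6000, so the bind address is the only access control.

# Pull the first IPv4 address out of `ifconfig <iface>` output (macOS or Linux).
# $1: the ifconfig text.
gateway_ip_from_ifconfig() {
  printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Reject an empty or wildcard address so the relay is never left unbound.
check_gateway() {
  case "$1" in
    ''|0.0.0.0) return 1 ;;
    *) return 0 ;;
  esac
}

# socat listen spec: X display :0 is TCP 6000, bound to the gateway address.
x11_listen_spec() {
  printf 'TCP-LISTEN:6000,bind=%s,reuseaddr,fork' "$1"
}

# DISPLAY for the container: the gateway IP is routable from the acme network,
# whereas the Mac's hostname (Jeffreys-MBP in the post) need not resolve there.
container_display() {
  printf '%s:0' "$1"
}

# Constructed sample modelled on the post's `ifconfig tap1` output, for an
# offline dry run; on a real host use "$(ifconfig tap1)" instead.
SAMPLE_TAP1='tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether ca:26:73:fc:29:31
    inet 172.18.0.1 netmask 0xffff0000 broadcast 172.18.255.255
    media: autoselect
    status: active'

# Dry run. On a real host the two values feed the post's commands:
#   socat "$LISTEN" UNIX-CLIENT:\"$DISPLAY\" &
#   docker run --rm -it --net=acme -e DISPLAY="$CONTAINER_DISPLAY" brimstone/kali zaproxy
if GW=$(gateway_ip_from_ifconfig "$SAMPLE_TAP1") && check_gateway "$GW"; then
  LISTEN=$(x11_listen_spec "$GW")
  CONTAINER_DISPLAY=$(container_display "$GW")
  echo "listen spec: $LISTEN"
  echo "container DISPLAY: $CONTAINER_DISPLAY"
else
  echo "no usable gateway address on tap1" >&2
fi
```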

OK, that's all for this note; if there is a better method I'll update it later.