Forwarding between interfaces inside a docker container

0

I created a docker container by running the following command

docker run -it --net=none --cap-add=NET_ADMIN --name firewall ubuntu /bin/bash

and then attached two interfaces, eth0 and eth1. I need to forward traffic from eth1 to eth0. I installed iptables and applied the following simple rule:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

I verified that the traffic arrives at the eth1 interface by listening on eth1 with tcpdump. Unfortunately I don't know why the traffic is not forwarded to eth0. Any ideas? All the flags were correctly set to 1 on the system

by Mazzy 19.02.2015 / 22:35

1 answer

1

Here is an example iptables ruleset script for my guess as to what you need / want. I guessed some addresses; you will have to edit them to what you actually need.

#!/bin/sh
FWVER=0.01
#
# Mazzy Example 2015.02.20 Ver:0.01
#     Only port 80.

echo "Loading Mazzy Example iptables rules set. version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
INTIF="eth1"
# For example: Please replace with real IP address
EXTIP="192.168.33.134"
INTNET="10.0.2.0/24"
INTIP="10.0.2.25"
# For example: Please replace with real destination IP address
INT80="10.0.2.43"
UNIVERSE="0.0.0.0/0"

echo "   External Interface: $EXTIF   Internal Interface: $INTIF   External IP: $EXTIP  Internal Network: $INTNET   Internal IP: $INTIP"

# Only needed if not already done elsewhere
#CRITICAL:  Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# At this point local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

echo Loading FORWARD rulesets...
echo "FWD: Allow all connections OUT and only existing/related IN..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# port forward stuff. see also the prerouting area.
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -d $INT80 -m state --state NEW -j LOG --log-prefix "PFNEW80:" --log-level info
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -d $INT80 -m state --state NEW -j ACCEPT
#
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# some port forward stuff. (normally commented out) see also FORWARD area.
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to $INT80:80

echo "NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF..."
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo Mazzy Example iptables rules set. $FWVER done.
    
por Doug Smythies 21.02.2015 / 00:38