iptable script for docker
This commit is contained in:
parent
7275e0abce
commit
468864d3e2
63
iptable_docker.sh
Executable file
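--- /dev/null
+++ b/iptable_docker.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# example:
+# iptable_docker.sh eth0 172.17.0.0 172.17.0.1
+# Flush the tables. This may cut the system's internet.
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+# Let the VPN client communicate with the outside world.
+#iptables -A OUTPUT -j ACCEPT -o $1
+iptables -A OUTPUT -j ACCEPT -o $1 -m owner --gid-owner openvpn
+
+# The loopback device is harmless, and TUN is required for the VPN.
+iptables -A OUTPUT -j ACCEPT -o lo
+
+iptables -A OUTPUT -j ACCEPT -o tun+
+
+#iptables -A OUTPUT -j ACCEPT -o tun+
+iptables -t mangle -A OUTPUT -m owner --gid-owner openvpn -j MARK --set-mark 11
+iptables -t nat -A POSTROUTING -m owner --gid-owner openvpn -o $1 -j MASQUERADE
+echo ip route
+ip route flush all
+ip rule flush
+ip rule add from all lookup main pref 32766
+ip rule add from all lookup default pref 32767
+
+
+echo "create route table if it does not exist"
+if [ $(cat /etc/iproute2/rt_tables | grep novpn | wc -l) -eq 0 ]; then
+echo "11 novpn" >> /etc/iproute2/rt_tables
+fi
+
+echo "add to novpn table"
+ip route flush table novpn
+ip route add $2/24 dev $1
+ip route add default via $3 dev $1 table novpn
+
+echo "add to default table"
+# need to add a default route for the routing code to trigger the fwmark rule at all, else there's a direct "Network is unreachable" with no packet generated.
+ip route add default via 192.168.122.254 dev $1
+
+#echo "disable rp_filter"
+#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
+
+echo "add ip rule fwmark"
+ip rule add fwmark 11 table novpn pref 99
+
+# We should permit replies to traffic we've sent out.
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
+
+# allow LAN
+iptables -A OUTPUT -d $2/24 -j ACCEPT
+iptables -A INPUT -s $2/24 -j ACCEPT
+
+iptables -I INPUT -p tcp -m tcp --dport 8388 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
+# The default policy, if no other rules match, is to refuse traffic.
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP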
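Review bot: The script flushes every table first and ends with `iptables -P OUTPUT DROP` / `iptables -P INPUT DROP`, but it never validates its three positional arguments and, under `#!/bin/sh` with no `set -e`, a failing earlier command (for example `iptables -A OUTPUT -j ACCEPT -o $1` when `$1` is empty) is silently skipped, so a bad invocation leaves the host with DROP policies and none of the intended ACCEPT rules. Adding `set -eu` after the shebang and `: "${1:?interface}" "${2:?lan network}" "${3:?gateway}"` before the first `iptables -F` would abort before anything is flushed. The expansions `$1`, `$2/24` and `$3` should also be double-quoted, and `if ! grep -q novpn /etc/iproute2/rt_tables; then` replaces the `cat | grep | wc -l` test. The line `ip route add default via 192.168.122.254 dev $1` hardcodes a gateway while `$3` is passed in for the novpn table; if the two are meant to differ, the comment above it should say why, otherwise it looks like a leftover from a specific host.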