From 468864d3e2def0c26ebe31866eb8d9be861cbd6c Mon Sep 17 00:00:00 2001
From: mantaohuang
Date: Thu, 28 May 2020 22:57:15 -0400
Subject: [PATCH] iptable script for docker

---
 iptable_docker.sh | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100755 iptable_docker.sh

diff --git a/iptable_docker.sh b/iptable_docker.sh
new file mode 100755
index 0000000..65fc5df
--- /dev/null
+++ b/iptable_docker.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# example:
+# iptable_docker.sh eth0 172.17.0.0 172.17.0.1
+# Flush the tables. This may cut the system's internet.
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+# Let the VPN client communicate with the outside world.
+#iptables -A OUTPUT -j ACCEPT -o $1
+iptables -A OUTPUT -j ACCEPT -o $1 -m owner --gid-owner openvpn
+
+ # The loopback device is harmless, and TUN is required for the VPN.
+iptables -A OUTPUT -j ACCEPT -o lo
+
+iptables -A OUTPUT -j ACCEPT -o tun+
+
+#iptables -A OUTPUT -j ACCEPT -o tun+
+iptables -t mangle -A OUTPUT -m owner --gid-owner openvpn -j MARK --set-mark 11
+iptables -t nat -A POSTROUTING -m owner --gid-owner openvpn -o $1 -j MASQUERADE
+echo ip route
+ip route flush all
+ip rule flush
+ip rule add from all lookup main pref 32766
+ip rule add from all lookup default pref 32767
+
+
+echo "create route table if it does not exist"
+if [ $(cat /etc/iproute2/rt_tables | grep novpn | wc -l) -eq 0 ]; then
+ echo "11 novpn" >> /etc/iproute2/rt_tables
+fi
+
+echo "add to novpn table"
+ip route flush table novpn
+ip route add $2/24 dev $1
+ip route add default via $3 dev $1 table novpn
+
+echo "add to default table"
+# need to add a default route for the routing code to trigger the fwmark rule at all, else there's a direct "Network is unreachable" with no packet generated.
+ip route add default via 192.168.122.254 dev $1
+
+#echo "disable rp_filter"
+#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
+
+echo "add ip rule fwmark"
+ip rule add fwmark 11 table novpn pref 99
+
+# We should permit replies to traffic we've sent out.
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
+
+# allow LAN
+iptables -A OUTPUT -d $2/24 -j ACCEPT
+iptables -A INPUT -s $2/24 -j ACCEPT
+
+iptables -I INPUT -p tcp -m tcp --dport 8388 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
+# The default policy, if no other rules match, is to refuse traffic.
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
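Review bot: The four `iptables -I INPUT -p tcp -m tcp --dport …` rules near the end carry no `-i` or `-s` match, so 8388, 2222, 1080 and 8000 are reachable from any address on `$1` and over `tun+` (i.e. from whatever sits behind the VPN endpoint), even though LAN clients are already admitted by the `-s $2/24` rule just above them; if these listeners are meant to be LAN-only the four rules are redundant, otherwise bound them, e.g. `iptables -I INPUT -i $1 -s $2/24 -p tcp --dport 2222 -j ACCEPT`, or at least `! -i tun+`. Only `iptables` is configured, so the `-P OUTPUT DROP` kill switch covers IPv4 alone and any IPv6 connectivity the host has bypasses the tunnel restriction entirely; mirror the policies with `ip6tables -P INPUT DROP` and `ip6tables -P OUTPUT DROP` unless v6 is handled elsewhere. The positional arguments are used unquoted and never validated, and under `#!/bin/sh` with no `set -e` a missing `$3` is only noticed after the tables and routes have already been flushed, leaving a half-built ruleset; guard before the first flush with `[ $# -eq 3 ] || { echo "usage: $0 iface subnet gateway" >&2; exit 1; }`. The main-table default route is hard-coded to `192.168.122.254` while the `novpn` table uses `$3`, which looks like a leftover from a specific host — presumably both should take `$3`. Minor: `-m state --state ESTABLISHED` omits RELATED (ICMP errors, FTP data) and uses the legacy match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current form.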