2022-07-25 12:42:33 +00:00
|
|
|
#! /bin/bash
|
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
source "/sf/bin/funcs.sh"
|
|
|
|
source "/sf/bin/funcs_net.sh"
|
2022-12-02 08:21:58 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
# NOTE: The iptable rules set inside this container are not visible (iptables -S) on the host
|
|
|
|
# even that 'network_mode: host' is set. Yet the rule are working on the host side (Why?).
|
|
|
|
# Furthermore, creating the correct link on the host in /var/run/netns to make the docker namespace
|
|
|
|
# show up in 'ip netns list' and entering the namespace 'ip netns exec' still wont show
|
|
|
|
# the iptable rules set inside this container. (Why?).
|
|
|
|
# See also
|
|
|
|
# - https://stackoverflow.com/questions/31265993/docker-networking-namespace-not-visible-in-ip-netns-list
|
|
|
|
|
2023-01-15 11:24:52 +00:00
|
|
|
# Once
|
|
|
|
ipt()
|
|
|
|
{
|
|
|
|
local first
|
|
|
|
first="$1"
|
|
|
|
|
|
|
|
shift 1
|
|
|
|
iptables -C "$@" 2>/dev/null && return # Rule already exists
|
|
|
|
|
|
|
|
iptables "$first" "$@"
|
|
|
|
}
|
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
# We need to use our own forwarding rules. Docker-compose otherwise spawns a separate process
|
|
|
|
# for _every_ port - which exceeds Docker's own startup timer if to many ports are forwarded
|
|
|
|
# and thus docker-compose will fail to start.
|
|
|
|
#
|
|
|
|
# Forward traffic to docker
|
|
|
|
# [UDP/TCP] [PORT-RANGE] [DSTIP]
|
|
|
|
fw2docker()
|
2022-07-25 12:42:33 +00:00
|
|
|
{
|
2023-01-05 19:03:25 +00:00
|
|
|
local proto
|
|
|
|
local range
|
|
|
|
local dstip
|
|
|
|
proto="$1"
|
|
|
|
range="$2"
|
|
|
|
dstip="$3"
|
2022-07-25 12:42:33 +00:00
|
|
|
|
2023-01-15 11:24:52 +00:00
|
|
|
ipt -I PREROUTING -t nat -i "${dev:?}" -d "${mainip}" -p "${proto}" --dport "${range}" -j DNAT --to-destination "${dstip}"
|
2022-07-25 12:42:33 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
[[ -z $SF_DEBUG ]] && return
|
2022-07-25 12:42:33 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
# #1 - Special hack when connecting from localhost to 10.0.2.15
|
2023-01-15 11:24:52 +00:00
|
|
|
ipt -I OUTPUT -t nat -o lo -d "${mainip}" -p "${proto}" --dport "${range}" -j DNAT --to-destination "${dstip}"
|
2023-01-05 19:03:25 +00:00
|
|
|
# #2 - When connecting from localhost to 127.0.0.1 (#1 is also required)
|
2023-01-15 11:24:52 +00:00
|
|
|
ipt -I OUTPUT -t nat -o lo -s 127.0.0.1 -d 127.0.0.1 -p "${proto}" --dport "${range}" -j DNAT --to-destination "${dstip}"
|
|
|
|
ipt -A POSTROUTING -t nat -s 127.0.0.1 -d "${dstip}" -p "${proto}" --dport "${range}" -j SNAT --to "${NET_DIRECT_BRIDGE_IP:?}"
|
2023-01-05 19:03:25 +00:00
|
|
|
}
|
2022-07-25 12:42:33 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
# This is a hack.
|
|
|
|
# - Docker sets the default route to IP of the host-side of the bridge
|
|
|
|
# - Our 'sf-router' container likes to receive all the traffic instead.
|
|
|
|
# - Remove host's bridge ip address (flush)
|
|
|
|
# - sf-router's init.sh script will take over the IP of host's bridge (and thus receiving all traffic)
|
|
|
|
# An alternative would be to assign a default gw in user's sf-shell
|
|
|
|
# and use nsenter -n to change the default route (without giving NET_ADMIN
|
|
|
|
# to the user).
|
|
|
|
dev=$(DevByIP "${NET_LG_ROUTER_IP:?}")
|
|
|
|
[[ -z $dev ]] && ERREXIT 255 "Failed to find network device on host for NET_LG_ROUTER_IP=$NET_LG_ROUTER_IP"
|
2022-12-02 08:21:58 +00:00
|
|
|
# Remove _any_ ip from the interface. This means LGs can never exit
|
|
|
|
# to the Internet via the host but still route packets to sf-router.
|
|
|
|
# sf-router is taking over the IP NET_LG_ROUTER_IP
|
2023-01-05 19:03:25 +00:00
|
|
|
ip link set "$dev" arp off
|
|
|
|
ip addr flush "$dev"
|
|
|
|
|
|
|
|
mainip=$(GetMainIP)
|
|
|
|
dev=$(DevByIP "${mainip:?}")
|
|
|
|
[[ -z $dev ]] && ERREXIT 255 "Failed to find main network device on host."
|
|
|
|
|
|
|
|
# NET_DIRECT_WG_IP=172.28.0.3
|
|
|
|
# NET_DIRECT_BRIDGE_IP=172.28.0.1
|
|
|
|
# WireGuard forwards to sf-wg
|
2023-01-15 11:24:52 +00:00
|
|
|
|
|
|
|
## NOTE: Flushing POSTROUTING may screw up dns-doh (when dns-doh tries to reconnect)
|
|
|
|
# iptables -t nat -F PREROUTING
|
|
|
|
# iptables -t nat -F OUTPUT
|
|
|
|
# iptables -t nat -F POSTROUTING
|
|
|
|
fw2docker "udp" "32768:65535" "${NET_DIRECT_WG_IP:?}"
|
2023-01-05 19:03:25 +00:00
|
|
|
# MOSH forwards to sf-router (for traffic control)
|
2023-01-15 11:24:52 +00:00
|
|
|
fw2docker "udp" "25002:26023" "${NET_DIRECT_ROUTER_IP:?}"
|
2022-12-22 21:27:20 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
[[ -n $SF_DEBUG ]] && sysctl -w "net.ipv4.conf.$(DevByIP "${NET_DIRECT_BRIDGE_IP:?}").route_localnet=1"
|
2022-12-22 21:27:20 +00:00
|
|
|
|
2023-01-05 19:03:25 +00:00
|
|
|
# Keep this running so we can inspect iptables rules (really mostly for debugging only)
|
2023-01-15 11:24:52 +00:00
|
|
|
exec -a '[network-fix] sleep' sleep infinity
|