|
|
|---|
| 32 |
# create docker chains if missing |
32 |
# create docker chains if missing |
| 33 |
iptables --wait -L DOCKER > /dev/null 2> /dev/null || iptables --wait -N DOCKER |
33 |
iptables --wait -L DOCKER > /dev/null 2> /dev/null || iptables --wait -N DOCKER |
| 34 |
iptables --wait -L DOCKER -t nat > /dev/null 2> /dev/null || iptables --wait -N DOCKER -t nat |
34 |
iptables --wait -L DOCKER -t nat > /dev/null 2> /dev/null || iptables --wait -N DOCKER -t nat |
| 35 |
iptables --wait -L DOCKER-ISOLATION -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION -t filter |
35 |
iptables --wait -L DOCKER-ISOLATION-STAGE-1 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-1 -t filter |
|
|
36 |
iptables --wait -L DOCKER-ISOLATION-STAGE-2 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-2 -t filter |
| 36 |
|
37 |
|
| 37 |
iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER |
38 |
iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER |
| 38 |
iptables --wait -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER |
39 |
iptables --wait -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER |
|
|
40 |
|
| 41 |
for NETID in $(docker network ls --filter driver=bridge --format '{{.ID}}'); do |
| 42 |
IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') |
| 43 |
IP=$(docker network inspect $NETID --format='{{range .IPAM.Config}}{{.Subnet}}{{end}}') |
| 44 |
iptables --wait -A FORWARD -o "$IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
| 45 |
iptables --wait -A FORWARD -o "$IF" -j DOCKER |
| 46 |
iptables --wait -A FORWARD -i "$IF" ! -o "$IF" -j ACCEPT |
| 47 |
iptables --wait -A FORWARD -i "$IF" -o "$IF" -j ACCEPT |
| 48 |
iptables --wait -I DOCKER -t nat -i "$IF" -j RETURN |
| 49 |
iptables --wait -t nat -A POSTROUTING -s "$IP" ! -o "$IF" -j MASQUERADE |
| 50 |
iptables --wait -A DOCKER-ISOLATION-STAGE-1 -i "$IF" ! -o "$IF" -j DOCKER-ISOLATION-STAGE-2 |
| 51 |
iptables --wait -A DOCKER-ISOLATION-STAGE-2 -o "$IF" -j DROP |
| 52 |
done |
| 53 |
|
| 39 |
@!@ |
54 |
@!@ |
| 40 |
import ipaddr |
55 |
import ipaddr |
| 41 |
docker0_net = ipaddr.IPv4Network(configRegistry.get('docker/daemon/default/opts/bip', '172.17.42.1/16')) |
56 |
docker0_net = ipaddr.IPv4Network(configRegistry.get('docker/daemon/default/opts/bip', '172.17.42.1/16')) |
| 42 |
docker_compose_net = ipaddr.IPv4Network(configRegistry.get('appcenter/docker/compose/network', '172.16.1.1/16')) |
57 |
docker_compose_net = ipaddr.IPv4Network(configRegistry.get('appcenter/docker/compose/network', '172.16.1.1/16')) |
| 43 |
mysql_port = configRegistry.get('mysql/config/mysqld/port', '3306') |
58 |
mysql_port = configRegistry.get('mysql/config/mysqld/port', '3306') |
| 44 |
print '\tiptables --wait -t nat -A POSTROUTING -s %s/%s ! -o docker0 -j MASQUERADE' % (str(docker0_net.network), str(docker0_net.prefixlen)) |
|
|
| 45 |
print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Apps' % (str(docker0_net.network), str(docker0_net.prefixlen), mysql_port) |
59 |
print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Apps' % (str(docker0_net.network), str(docker0_net.prefixlen), mysql_port) |
| 46 |
print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Compose Apps' % (str(docker_compose_net.network), str(docker_compose_net.prefixlen), mysql_port) |
60 |
print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Compose Apps' % (str(docker_compose_net.network), str(docker_compose_net.prefixlen), mysql_port) |
| 47 |
@!@ |
61 |
@!@ |
| 48 |
iptables --wait -A FORWARD -o docker0 -j DOCKER |
62 |
|
| 49 |
iptables --wait -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
63 |
iptables --wait -A DOCKER-ISOLATION-STAGE-1 -j RETURN |
| 50 |
iptables --wait -A FORWARD -i docker0 ! -o docker0 -j ACCEPT |
64 |
iptables --wait -A DOCKER-ISOLATION-STAGE-2 -j RETURN |
| 51 |
iptables --wait -A FORWARD -i docker0 -o docker0 -j ACCEPT |
65 |
iptables --wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1 |
| 52 |
iptables --wait -I DOCKER-ISOLATION -j RETURN |
|
|
| 53 |
iptables --wait -I DOCKER -t nat -i docker0 -j RETURN |
| 54 |
iptables --wait -I FORWARD -j DOCKER-ISOLATION |
| 55 |
} |
66 |
} |
| 56 |
|
67 |
|
| 57 |
nat_container_rule() { |
68 |
nat_container_rule() { |
| 58 |
IP=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' "$1") |
69 |
IP=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1") |
| 59 |
NETID=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.NetworkID}}{{end}}' "$1") |
70 |
NETID=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.NetworkID}}{{end}}' "$1") |
|
|
71 |
IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') |
| 60 |
|
72 |
|
| 61 |
# convert "443/tcp -> 0.0.0.0:40001" to "443 tcp 0.0.0.0 40001" |
73 |
# convert "443/tcp -> 0.0.0.0:40001" to "443 tcp 0.0.0.0 40001" |
| 62 |
docker port "$1" | sed -re 's#[/>: -]+# #g' | \ |
74 |
docker port "$1" | sed -re 's#[/>: -]+# #g' | \ |
| 63 |
while read localport proto addr containerport ; do |
75 |
while read localport proto addr containerport ; do |
| 64 |
iptables --wait -t nat -A DOCKER ! -i docker0 -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" |
76 |
iptables --wait -t nat -A DOCKER ! -i "$IF" -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" |
| 65 |
iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i docker0 -o docker0 -p "$proto" --dport "$localport" -j ACCEPT |
77 |
iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i "$IF" -o "$IF" -p "$proto" --dport "$localport" -j ACCEPT |
| 66 |
iptables --wait -t nat -A POSTROUTING -s "$IP/32" -d "$IP/32" -p "$proto" --dport "$localport" -j MASQUERADE |
78 |
iptables --wait -t nat -A POSTROUTING -s "$IP/32" -d "$IP/32" -p "$proto" --dport "$localport" -j MASQUERADE |
| 67 |
done |
79 |
done |
| 68 |
} |
80 |
} |