Univention Bugzilla – Attachment 10176 Details for Bug 50088: iptables rules broken after reboot for docker-compose (e.g. Guacamole)
[patch] univention-firewall docker rules patch V2
20_docker.patch (text/plain), 4.65 KB, created by Daniel Krüger on 2019-09-07 16:28:31 CEST

Description: univention-firewall docker rules patch V2
Filename: 20_docker.patch
MIME Type: text/plain
Creator: Daniel Krüger
Created: 2019-09-07 16:28:31 CEST
Size: 4.65 KB
Flags: patch, obsolete
>--- univention/templates/files/etc/security/packetfilter.d/20_docker.sh.org 2019-09-07 15:14:58.322496037 +0200 >+++ univention/templates/files/etc/security/packetfilter.d/20_docker.sh 2019-09-07 15:08:23.654493803 +0200 
>@@ -32,36 +32,53 @@ > # create docker chains if missing > iptables --wait -L DOCKER > /dev/null 2> /dev/null || iptables --wait -N DOCKER > iptables --wait -L DOCKER -t nat > /dev/null 2> /dev/null || iptables --wait -N DOCKER -t nat >- iptables --wait -L DOCKER-ISOLATION -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION -t filter >+ iptables --wait -L DOCKER-ISOLATION-STAGE-1 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-1 -t filter >+ iptables --wait -L DOCKER-ISOLATION-STAGE-2 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-2 -t filter > > iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER > iptables --wait -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER >+ >+ for NETID in $(docker network ls --filter driver=bridge --format '{{.ID}}'); do >+ IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') >+ IP=$(docker network inspect $NETID --format='{{range .IPAM.Config}}{{.Subnet}}{{end}}') >+ iptables --wait -A FORWARD -o "$IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >+ iptables --wait -A FORWARD -o "$IF" -j DOCKER >+ iptables --wait -A FORWARD -i "$IF" ! -o "$IF" -j ACCEPT >+ iptables --wait -A FORWARD -i "$IF" -o "$IF" -j ACCEPT >+ iptables --wait -I DOCKER -t nat -i "$IF" -j RETURN >+ iptables --wait -t nat -A POSTROUTING -s "$IP" ! -o "$IF" -j MASQUERADE >+ iptables --wait -A DOCKER-ISOLATION-STAGE-1 -i "$IF" ! 
-o "$IF" -j DOCKER-ISOLATION-STAGE-2 >+ iptables --wait -A DOCKER-ISOLATION-STAGE-2 -o "$IF" -j DROP >+ done >+ > @!@ > import ipaddr > docker0_net = ipaddr.IPv4Network(configRegistry.get('docker/daemon/default/opts/bip', '172.17.42.1/16')) > docker_compose_net = ipaddr.IPv4Network(configRegistry.get('appcenter/docker/compose/network', '172.16.1.1/16')) > mysql_port = configRegistry.get('mysql/config/mysqld/port', '3306') >-print '\tiptables --wait -t nat -A POSTROUTING -s %s/%s ! -o docker0 -j MASQUERADE' % (str(docker0_net.network), str(docker0_net.prefixlen)) > print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Apps' % (str(docker0_net.network), str(docker0_net.prefixlen), mysql_port) > print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Compose Apps' % (str(docker_compose_net.network), str(docker_compose_net.prefixlen), mysql_port) > @!@ >- iptables --wait -A FORWARD -o docker0 -j DOCKER >- iptables --wait -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >- iptables --wait -A FORWARD -i docker0 ! 
-o docker0 -j ACCEPT >- iptables --wait -A FORWARD -i docker0 -o docker0 -j ACCEPT >- iptables --wait -I DOCKER-ISOLATION -j RETURN >- iptables --wait -I DOCKER -t nat -i docker0 -j RETURN >- iptables --wait -I FORWARD -j DOCKER-ISOLATION >+ >+ iptables --wait -A DOCKER-ISOLATION-STAGE-1 -j RETURN >+ iptables --wait -A DOCKER-ISOLATION-STAGE-2 -j RETURN >+ iptables --wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1 > } > > nat_container_rule() { >- IP=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' "$1") >+ IP=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1") >+ NETID=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.NetworkID}}{{end}}' "$1") >+ IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') > > # convert "443/tcp -> 0.0.0.0:40001" to "443 tcp 0.0.0.0 40001" > docker port "$1" | sed -re 's#[/>: -]+# #g' | \ > while read localport proto addr containerport ; do >- iptables --wait -t nat -A DOCKER ! -i docker0 -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" >- iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i docker0 -o docker0 -p "$proto" --dport "$localport" -j ACCEPT >+ if [ "$addr" != "0.0.0.0" ] ; then >+ iptables --wait -t nat -A DOCKER ! -i "$IF" -p "$proto" --destination "$addr/32" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" >+ else >+ iptables --wait -t nat -A DOCKER ! -i "$IF" -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" >+ fi >+ iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i "$IF" -o "$IF" -p "$proto" --dport "$localport" -j ACCEPT > iptables --wait -t nat -A POSTROUTING -s "$IP/32" -d "$IP/32" -p "$proto" --dport "$localport" -j MASQUERADE > done > }
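Review bot: In nat_container_rule, and in the bridge-network loop above it, the Go templates `{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}`, `{{range .NetworkSettings.Networks}}{{.NetworkID}}{{end}}` and `{{range .IPAM.Config}}{{.Subnet}}{{end}}` print the matched values with no separator, so a container attached to more than one network, or a bridge network whose IPAM config holds more than one entry (an IPv4 and an IPv6 subnet, for instance), yields two IDs, two addresses or two subnets run together in $IP, $NETID or $IF; `docker network inspect` then finds no such network and iptables rejects the malformed `-s`/`--to-destination` argument, leaving that container or network without its NAT and FORWARD rules. Emit a separator and pick one entry deliberately, e.g. `{{range .IPAM.Config}}{{.Subnet}} {{end}}` piped through `awk '{print $1}'`, or iterate over every value, and add a guard such as `[ -n "$IP" ] && [ -n "$IF" ] || { echo "no network data for $1" >&2; return 1; }` before issuing any rule so a failed lookup is reported instead of turned into a broken rule. Also quote `"$NETID"` in the two `docker network inspect` calls, as the other variables already are.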