DOCKER IP LINUX DEFAULT HOW TO
When researching how to do this I sometimes has to lookup how routing and filtering actually works on Linux. After stopping docker and setting the option to false I started the container again and applied the copied rules manually again.
Before doing this I first copied the rules from IPtables when all containers are running. That way docker does not touch the IPtables rules. If you want to have a network configuration which does not change you should set "iptables": false in /etc/docker/daemon.json. We are restricting this to a flow between vpn ↔ tun0.
A IPtables rule like iptables -I DOCKER-USER -i src_if -o dst_if -j REJECT describes how packets are allowed to flow. Basically we are acting here like a router. You can read more about this in the manual. So if you want to add rules to the FORWARD chain you have to add the rules to DOCKER-USER instead such that they are not overwritten. Docker overwrites the iptables configuration when it starts. IPtables rules are a bit of a pain with docker. If the OpenVPN process is stopped then the curl should timeout. Running curl -4 inside the container should now show the IP you have when tunneling your traffic through the VPN. These rules usually live at /etc/iptables/rules.v4. The last line is needed such that existing connections are accepted. Traffic to and from the local network is also allowed. In Docker Compose v2.0.0 it appears to silently continue using the old network configuration binding to 0.0.0.5 6 # Checks to see if there is an IP routing table named 'vpn', create if missing 7 if then 8 echo "100 vpn" > /etc/iproute2/rt_tablesĩ fi 10 11 # Remove any previous routes in the 'vpn' routing table 12/bin/ip rule | /bin/sed -n 's/.*\(from**\).*vpn/\1/p' | while read RULEġ3 do 14 /bin/ip rule del $ table vpnģ0 31 # Local traffic should go through eth0 32 /bin/ip route add $local_net dev eth0 table vpnģ3 34 # Traffic to docker network should go to docker vpn network 35 /bin/ip route add $docker_net dev vpn table vpnģ 4iptables -I DOCKER-USER -i vpn ! -o tun0 -j REJECT -reject-with icmp-port-unreachableĥiptables -I DOCKER-USER -i vpn -o vpn -j ACCEPTĦiptables -I DOCKER-USER -i vpn -d $local_network -j ACCEPTħiptables -I DOCKER-USER -s $local_network -o vpn -j ACCEPTĨiptables -I DOCKER-USER -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPTīasically what this script says is that if traffic is coming from vpn and is routed through tun0 then reject it. If you forgot to do this in Docker Compose v1, it printed an error saying the network settings in the project and the daemon were different and conflicted. NOTE/WARNING: Like in the comment, you need to delete your pre-existing Docker networks after applying this patch. + for name, conf in ems(): + if conf.driver and conf.driver != "bridge": + continue + conf.driver_opts = conf.driver_opts if conf.driver_opts is not None else +
Networks = Network(client, name, 'default') a/compose/network.py +++ b/compose/network.py -256,6 +256,12 def build_networks(name, config_data, client): ".name": "docker0 ",Īnd that's explains that create a new network with the option ".host_binding_ipv4"="192.168.17.1" can solve this problem as well.ĭiff -git a/compose/network.py b/compose/network.py
0 kommentar(er)
