Digital DigitalDwagon
imerr
/ gist:614e534218a6b93be1a40b088dee885a
Last active
June 4, 2024 16:28
cursed ipv6 snat for archiveteam docker containers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The following is a guide for debian 12 (bookworm), it should work on all modern distros and the concepts will apply to any OS of your choosing | |
| # What this will do is create a dual-stack (so ipv4 and ipv6) docker network you can add to your containers and add NAT for this network so any requests are mapped to a random IP from the specified range | |
| # NOTE: Due to how linux does SNAT (source: http://blog.asiantuntijakaveri.fi/2017/03/linux-snat-with-per-connection-source.html) the outgoing ip SNAT picks is "sticky", linux hashes the source ip and uses that to pick the outgoing IP, in the usual /64 setup it seems to switch between 2 outgoing ips | |
| # The blog post links a kernel patch to change this, but I don't want to get into patching the kernel (here, or at all to be honest). | |
| # I have thought of a workaround to try, adding many SNAT rules with a sub-set of the ip range for each source port (as those should be random), then you'd get ~40k (rough untested guesstimate) ips per container, but I don't kno |