Skip to content

Instantly share code, notes, and snippets.

@imerr
imerr / gist:614e534218a6b93be1a40b088dee885a
Last active June 4, 2024 16:28
cursed ipv6 snat for archiveteam docker containers
# The following is a guide for debian 12 (bookworm), it should work on all modern distros and the concepts will apply to any OS of your choosing
# What this will do is create a dual-stack (so ipv4 and ipv6) docker network you can add to your containers and add NAT for this network so any requests are mapped to a random IP from the specified range
# NOTE: Due to how linux does SNAT (source: http://blog.asiantuntijakaveri.fi/2017/03/linux-snat-with-per-connection-source.html) the outgoing ip SNAT picks is "sticky", linux hashes the source ip and uses that to pick the outgoing IP, in the usual /64 setup it seems to switch between 2 outgoing ips
# The blog post links a kernel patch to change this, but I don't want to get into patching the kernel (here, or at all to be honest).
# I have thought of a workaround to try, adding many SNAT rules with a sub-set of the ip range for each source port (as those should be random), then you'd get ~40k (rough untested guesstimate) ips per container, but I don't kno