This sets up iptables rules to mangle packets from a docker network to the host's mail daemon (which is locked to localhost); written for a rocketchat container, but easy to modify.
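#!/usr/bin/env bash
#
# we want a rocketchat in a docker container to be able to access this machine's mailer daemon
# but it only accepts connections on the local interface (127.0.0.1)
# we can't change the mailer config, because that belongs to someone else and they'd be annoyed
# so we forward packets from this machine's docker network interface to localhost
# This script sets up the necessary packet mangling
#
# Usage:  <script>            add the rules (idempotent: nothing happens if already present)
#         <script> delete     remove the rules and switch route_localnet off again
#
# Requires: root (sysctl + iptables), docker, jq, ip, iptables.
# NOTE(review): the original declared #!/bin/sh but used bash-only syntax
# ([[ ]], == inside [ ]); bash is now required explicitly.
set -eu -o pipefail

# print a message to stderr and abort
die() { printf '%s\n' "$*" >&2; exit 1; }

# if our argument is "delete", then remove rules
if [ "${1:-}" = "delete" ]; then
  ROUTING_ENABLE_OR_DISABLE=0
  RULE_ADD_DEL="--delete"
  CHECK_RESULT_FOR_ACTION=1   # act only when `iptables --check` says the rule IS present (exit 1 = absent)
else
  ROUTING_ENABLE_OR_DISABLE=1
  RULE_ADD_DEL="--insert"
  CHECK_RESULT_FOR_ACTION=0   # act only when `iptables --check` says the rule is ABSENT (exit 0 = present)
fi
readonly ROUTING_ENABLE_OR_DISABLE RULE_ADD_DEL CHECK_RESULT_FOR_ACTION

# identify the IP of the gateway on the rocketchat's network (we are the gateway)
# jq prints the literal string "null" when the path is missing, so test for that too:
# an empty or "null" address would otherwise produce a bogus grep/sysctl/iptables invocation
ROCKET_GW_IP=$(docker network inspect rocketchat_default | jq --raw-output '.[0].IPAM.Config[0].Gateway')
[[ -n "$ROCKET_GW_IP" && "$ROCKET_GW_IP" != "null" ]] || die "could not determine the gateway IP of network rocketchat_default"

# find the name of the relevant interface
# -F -w: match the address literally and as a whole word, so the dots are not regex
# wildcards and 172.18.0.1 does not also match 172.18.0.10 (constructed example)
ROCKET_IFACE=$(ip addr | grep -F -w -- "$ROCKET_GW_IP" | sed 's/.*global //')
[[ -n "$ROCKET_IFACE" ]] || die "could not find the interface holding $ROCKET_GW_IP"

# get the IP of the rocket chat container
ROCKET_CONTAINER_IP=$(docker container inspect rocketchat | jq --raw-output '.[0].NetworkSettings.Networks.rocketchat_default.IPAddress')
[[ -n "$ROCKET_CONTAINER_IP" && "$ROCKET_CONTAINER_IP" != "null" ]] || die "could not determine the IP of container rocketchat"

# routing of non-localhost network packets to localhost, for this interface only
# otherwise the kernel refuses the connection
# route_localnet makes the kernel accept packets arriving on this interface that are
# addressed to 127.0.0.0/8 instead of dropping them as martians; it is deliberately set
# per interface (not net.ipv4.conf.all) so no other interface gains that property
sysctl "net.ipv4.conf.${ROCKET_IFACE}.route_localnet=${ROUTING_ENABLE_OR_DISABLE}" > /dev/null

#######################################
# Insert or delete one iptables rule, but only if its current presence
# differs from what the requested action needs (keeps the script idempotent).
# Globals:   RULE_ADD_DEL, CHECK_RESULT_FOR_ACTION (read)
# Arguments: the rule as separate iptables arguments, chain name first
# Returns:   0 if nothing needed doing or iptables succeeded; iptables' status otherwise
#######################################
sync_rule() {
  local rc=0
  # --check exits 0 when the rule exists and 1 when it does not; its stderr is noise here.
  # Capture the status instead of letting set -e abort on the expected non-zero result.
  iptables --check "$@" 2> /dev/null || rc=$?
  if (( rc != CHECK_RESULT_FOR_ACTION )); then
    iptables "$RULE_ADD_DEL" "$@"
  fi
}

# this rule forwards packets from the docker network interface to localhost, for the SMTP port
sync_rule PREROUTING --table nat --protocol tcp --in-interface "$ROCKET_IFACE" \
  --dest "$ROCKET_GW_IP" --dport 25 --jump DNAT --to 127.0.0.1:25

# this rule disguises the source address, because the mailer daemon won't relay for non localhost IPs
sync_rule INPUT --table nat --protocol tcp --src "$ROCKET_CONTAINER_IP" \
  --dport 25 --jump SNAT --to 127.0.0.3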