Skip to content

Instantly share code, notes, and snippets.

@pedrolamas

pedrolamas/docker-iptables-fix.sh

Created August 18, 2020 19:32
Show Gist options
  • Save pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9 to your computer and use it in GitHub Desktop.
Save pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9 to your computer and use it in GitHub Desktop.
Download ZIP
Script to fix Docker iptables on Synology NAS
Raw
docker-iptables-fix.sh
#!/bin/bash
currentAttempt=0
totalAttempts=10
delay=15
while [ $currentAttempt -lt $totalAttempts ]
do
currentAttempt=$(( $currentAttempt + 1 ))
echo "Attempt $currentAttempt of $totalAttempts..."
result=$(iptables-save)
if [[ $result =~ "-A DOCKER -i docker0 -j RETURN" ]]; then
echo "Docker rules found! Modifying..."
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
echo "Done!"
break
fi
echo "Docker rules not found! Sleeping for $delay seconds..."
sleep $delay
done
@erwinkramer
Copy link

Thanks @jackmaninov, stumbled on this issue as well. For me, just adding the extra OUTPUT rules works. See my full setup with the change here: erwinkramer/synology-nas-bootstrapper@6066be0#diff-d8aec230d20a8c2cc9b6c6244fb645c874eac419d6095403391d7f15a37a553d (just the change to configuredocker.sh).

I only got this issue after i did a complete reinstall of Container Manager, to 24.0.2-1543. An in-place update (to the same version), that i did before, didn't seem like it required the OUTPUT rework, but i had some other issues so i reinstalled Container Manager, which resulted in this updated behavior as well.

@celticslment
Copy link

Ha tenido problemas similares desde que actualizó Synology Container Manager 3 e intentó configurar automáticamente el proxy con Web Station. Aunque Container Manager podría enviar la dirección 172.xxx de un contenedor a Web Station, parece enviar 127.0.0.1 y supone un reenvío de puerto operativo, lo cual no funciona.

Desde Container Manager 3 parece que es necesario agregar una regla de SALIDA:

iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER

Además, la prueba en OP para ver si se han aplicado las reglas de Docker ya no funciona, actualmente estoy usando:

if [[ $result =~ "DOCKER-USER" ]]; then

Espero que esto ayude a la gente, me he estado tirando de los pelos intentando que esto funcione.

Could you pass the complete script? I can't get any of the options listed here to work.

@jackmaninov
Copy link

Could you pass the complete script? I can't get any of the options listed here to work.

#!/bin/bash
currentAttempt=0
totalAttempts=10
delay=15
sleep 60
while [ $currentAttempt -lt $totalAttempts ]
do
	currentAttempt=$(( $currentAttempt + 1 ))
	
	echo "Attempt $currentAttempt of $totalAttempts..."
	
	result=$(iptables-save)

	if [[ $result =~ "DOCKER-USER" ]]; then
		echo "Docker rules found! Modifying..."
		
		iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
                #iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER  # seems unnecessary
                iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
		
		echo "Done!"
		
		break
	fi
	
	echo "Docker rules not found! Sleeping for $delay seconds..."
	
	sleep $delay
done

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment