Selective multihoming for a specific Docker container
# Docker-host side of the WireGuard tunnel to the VPS (netplan / systemd-networkd).
# Only packets carrying firewall mark 8 (applied by the nftables prerouting-fwd
# chain on this host for the selected container) are looked up in table 45 and
# therefore leave through wg0; everything else keeps using the main table.
# to restart properly:
# ip l d wg0 && systemctl restart systemd-networkd && netplan apply
# debugging wireguard on a kernel with Lockdown enabled (SecureBoot): modprobe -r wireguard && modprobe wireguard dyndbg
network:
  version: 2
  tunnels:
    wg0:
      mode: wireguard
      # PKEY_DOCKER_HOST / PUBKEY_VPS / RANDOM_A are placeholders for the host
      # private key, the VPS public key and the pre-shared key. The real file
      # carries secrets: keep it readable by root only (netplan expects
      # restrictive permissions on files holding keys — confirm for your version).
      key: PKEY_DOCKER_HOST
      # NOTE(review): 192.18.0.0/29 is not a reserved private range (RFC 1918 is
      # 10/8, 172.16/12, 192.168/16; the benchmarking range is 198.18.0.0/15),
      # so .1 (VPS) and .3 (this host) shadow public addresses locally — confirm
      # the prefix is intentional.
      addresses: [192.18.0.3/29]
      peers:
        - endpoint: remote_endpoint:51820
          keys:
            public: PUBKEY_VPS
            shared: RANDOM_A   # must be the same value as `shared` on the VPS side
          # presumably allowed-ips here only governs what wg0 accepts from / emits
          # to this peer; steering traffic into wg0 is done by the mark rule and
          # table 45 below — confirm networkd does not also install a 0.0.0.0/0
          # route in the main table for this peer.
          allowed-ips: [0.0.0.0/0] # ip of wg0 incoming packets, here whole internet
          keepalive: 25   # keeps NAT / stateful-firewall entries alive toward the endpoint
      # fwmark 8 -> lookup table 45 (ip rule); the mark is set by nftables, not here.
      routing-policy: # must be in the first netplan file only
        - mark: 8
          table: 45
      routes: # create the alternative routing table
        # default route inside table 45 points at the VPS end of the tunnel
        - to: 0.0.0.0/0
          via: 192.18.0.1
          table: 45
          on-link: true
        # link route for the tunnel prefix so the `via` above is resolvable within table 45
        - to: 192.18.0.0/29
          table: 45
          scope: link
          on-link: true
#!/usr/sbin/nft -f
# Docker-host firewall. Marks connections that originate from the selected
# container (172.18.253.1) so the netplan policy rule sends them through wg0,
# and drops that container network's traffic if it would leave any other way.
# ensure the rules are reloaded on startup with:
# systemctl enable nftables
# declare-then-flush: the flush cannot fail on first load, and a reload
# replaces the rule set instead of appending duplicate rules.
table inet filter {}
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority -10; policy drop;
        ct state { established, related } counter accept
        ct state invalid counter drop
        iifname lo counter accept
        icmp type echo-request counter accept
        icmpv6 type echo-request counter accept
        tcp dport ssh limit rate 20/second counter accept
        [...]
        # rate-limited log of what is about to hit the drop policy
        pkttype unicast limit rate 20/second log prefix "in: " counter
    }
    chain forward {
        # NOTE(review): unlike input, this chain ends in `policy accept`, so
        # anything not matched above (including the elided rules) is forwarded.
        # Confirm this is intended, in particular if Docker's own rules also
        # act on this hook.
        type filter hook forward priority 10; policy accept
        # left in place but no longer needed: the ct/meta mark rules in
        # prerouting-fwd replaced DSCP-based marking
        oifname enp1s0 ip saddr 172.18.253.1 ip dscp set 8 # obsoleted by ip rule
        ct state { established, related } counter accept
        ct state invalid counter drop
        icmp type echo-request counter accept
        icmpv6 type echo-request counter accept
        # kill switch: traffic from the container network that is not part of an
        # established connection may only leave through wg0.
        # NOTE(review): the compose file defines 172.18.253.0/28 but this rule
        # covers only /29 (.0-.7); containers at .8-.13 would not be caught —
        # confirm whether the narrower prefix is deliberate.
        ip saddr 172.18.253.0/29 oifname != "wg0" counter drop # if wg0 is down
        [...]
        pkttype unicast limit rate 20/second log prefix "fwd: " counter
    }
    chain prerouting-fwd {
        type filter hook prerouting priority mangle; policy accept;
        # only the first packet of a connection sets the conntrack mark ...
        ip saddr 172.18.253.1 ct state new ct mark set 8 counter # add mark on connection
        # ... every packet then inherits it as packet mark, which is what the
        # netplan routing-policy (mark: 8 -> table 45) matches on
        ip saddr 172.18.253.1 meta mark set ct mark # copy mark from connection to packet. ip rule only matches packet mark
    }
}
# VPS side: MSS clamping for tunnel egress, host filtering, and NAT for the
# docker-host traffic that arrives through wg0.
# ensure the rules are loaded at startup with:
# systemctl enable netfilter-persistent.service
# Generated by iptables-save v1.8.7 on Sat Sep 21 17:23:46 2024
*mangle
:PREROUTING ACCEPT [739218:96636892]
:INPUT ACCEPT [278094:40497506]
:FORWARD ACCEPT [458702:54340460]
:OUTPUT ACCEPT [241103:41837548]
:POSTROUTING ACCEPT [535629:79288433]
# clamp MSS on SYNs forwarded into the tunnels so the encapsulation overhead
# does not turn into a path-MTU black hole
-A FORWARD -i ens3 -o gre2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep 21 17:23:46 2024
# Generated by iptables-save v1.8.7 on Sat Sep 21 17:23:46 2024
*filter
# NOTE(review): the INPUT policy is ACCEPT, so the trailing LOG rule only
# records unmatched packets — they are still accepted afterwards. If a
# default-deny like the nft input chain on the docker host is intended,
# this needs `:INPUT DROP [0:0]` (and an explicit accept for lo).
:INPUT ACCEPT [23947:1590420]
:FORWARD DROP [161183:16707147]
:OUTPUT ACCEPT [240819:41810895]
# presumably fail2ban's chain; no rule in this file jumps into it, fail2ban is
# expected to insert that jump at runtime — verify
:f2b-sshd - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
# ssh is accepted without the rate limit the nft counterpart applies
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# WireGuard listener (matches `port: 51820` in the VPS netplan file)
-A INPUT -p udp -m udp --dport 51820 -m comment --comment wg -j ACCEPT
-A INPUT -j LOG --log-prefix "in: "
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
# only the docker host's tunnel address may be forwarded to the internet; the
# FORWARD policy drops everything else.
# NOTE(review): `-m comment` without `--comment "..."` is, as far as I know,
# rejected by iptables-restore (the option is mandatory) — add the text or drop
# the match, and check that this file actually restores cleanly.
-A FORWARD -s 192.18.0.3/32 -i wg0 -o ens3 -m comment -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd: "
COMMIT
# Completed on Sat Sep 21 17:23:46 2024
# Generated by iptables-save v1.8.7 on Sat Sep 21 17:23:46 2024
*nat
:PREROUTING ACCEPT [103860:7417160]
:INPUT ACCEPT [45317:2256148]
:OUTPUT ACCEPT [1969:152842]
:POSTROUTING ACCEPT [12008:798804]
# 192.168.45.60 is presumably the docker host's LAN address, reached through the
# tunnel via the 192.168.45.0/24 route in the VPS netplan file — verify.
# NOTE(review): inline `# ...` comments after a rule are not guaranteed to be
# accepted by iptables-restore; if loading fails, move them onto their own lines.
-A PREROUTING -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.45.60 --random # do you need to open ports?
-A PREROUTING -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.45.60 --random
-A POSTROUTING -s 192.18.0.0/29 -o ens3 -j MASQUERADE # packet from the container will be SNAT here, before going on the internet
COMMIT
# Completed on Sat Sep 21 17:23:46 2024
# VPS side of the WireGuard tunnel: listens on UDP 51820 and accepts from the
# docker-host peer only the container network, the docker host's tunnel address
# and one LAN address.
network:
  version: 2
  tunnels:
    wg0:
      mode: wireguard
      port: 51820   # has to be allowed in the VPS firewall (udp dport 51820)
      key: PKEY_VPS   # placeholder for the VPS private key; keep this file root-only
      addresses:
        - 192.18.0.1/29   # NOTE(review): not an RFC 1918 range — see the docker-host file
      peers:
        # allowed-ips also acts as a source filter: packets arriving through this
        # peer with any other source address are discarded by WireGuard.
        - allowed-ips: [172.18.253.0/28,192.18.0.3/32,192.168.45.60/32] # ip of wg0 incoming packets, here only the selected containers
          keys:
            public: PUBKEY_DOCKER_HOST
            shared: RANDOM_A   # same pre-shared key as on the docker host
      routes:
        # presumably the docker host's LAN, reached through the tunnel
        # (the nat DNAT target 192.168.45.60 lives there) — verify
        - to: 192.168.45.0/24
          metric: 10
        - to: 172.18.253.0/28 # so the response packets are correctly routed
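# Compose service for the container whose traffic is forced through the VPN.
# The docker-host nftables rules mark and kill-switch traffic from 172.18.253.1,
# so that exact address must belong to this container.
services:
  deluge:
    image: linuxserver/image   # placeholder image name
    ports:
      - 6881:6881
      - 6881:6881/udp
      - 8112:8112   # presumably the web UI; published on every host interface unless an address is given
    networks:
      default:
        # pin the address the firewall keys on: without this, Docker hands out
        # the lowest free address, which is .1 only by allocation order.
        ipv4_address: 172.18.253.1
# fix the network so we can distinguish these packets in the fw
networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 172.18.253.0/28
          gateway: 172.18.253.14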