Created
April 8, 2016 10:36
-
-
Save amon-ra/51f811d659e1924f41da9f1cad450f72 to your computer and use it in GitHub Desktop.
Script to insert custom rules before docker processing.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Usage: | |
| # timeout 10 docker_iptables.sh | |
| # | |
| # Use the builtin shell timeout utility to prevent infinite loop (see below) | |
| IPTABLES_FILE="rules" | |
| if [ ! -x /usr/bin/docker ]; then | |
| exit | |
| fi | |
| # Check if the PRE_DOCKER chain exists, if it does there's an existing reference to it. | |
| iptables -C FORWARD -j PRE_DOCKER | |
| if [ $? -eq 0 ]; then | |
| # Remove reference (will be re-added again later in this script) | |
| iptables -D FORWARD -j PRE_DOCKER | |
| # Flush all existing rules | |
| iptables -F PRE_DOCKER | |
| else | |
| # Create the PRE_DOCKER chain | |
| iptables -N PRE_DOCKER | |
| fi | |
| # Default action | |
| iptables -I PRE_DOCKER -j RETURN | |
| # Double check, wait for docker socket (upstart docker.conf already does this) | |
| while [ ! -e "/var/run/docker.sock" ]; do echo "Waiting for /var/run/docker.sock..."; sleep 1; done | |
| declare -A network | |
| declare -A container | |
| eval "network=( $(docker network ls |sed '1d' | tr -s ' ' | awk '{printf ("[%s]=br-%s ",$2,$1)}') )" | |
| for i in $(docker inspect -f '{{ $name := .Name }}{{range $key,$val := .NetworkSettings.Networks}}container["{{$name}}",{{ $key }}]={{ $val.IPAddress }} {{end}}' $(docker ps -aq)) | |
| do | |
| eval $i | |
| done | |
| while IFS='' read -r line || [[ -n "$line" ]]; do | |
| [[ "$line" =~ ^#.*$ ]] && continue | |
| [ -z "$(echo $line | tr -s '')" ] && continue | |
| eval "iptables -I PRE_DOCKER $line" | |
| #echo "iptables -I PRE_DOCKER $line" | |
| done < $IPTABLES_FILE | |
| #contention tracking | |
| iptables -I PRE_DOCKER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # Finally insert the PRE_DOCKER table before the DOCKER table in the FORWARD chain. | |
| iptables -I FORWARD -j PRE_DOCKER | |
| alpine:~# cat docker-iptables.sh | |
| #!/usr/bin/env bash | |
| # Usage: | |
| # timeout 10 docker_iptables.sh | |
| # | |
| # Use the builtin shell timeout utility to prevent infinite loop (see below) | |
| IPTABLES_FILE="rules" | |
| if [ ! -x /usr/bin/docker ]; then | |
| exit | |
| fi | |
| # Check if the PRE_DOCKER chain exists, if it does there's an existing reference to it. | |
| iptables -C FORWARD -j PRE_DOCKER | |
| if [ $? -eq 0 ]; then | |
| # Remove reference (will be re-added again later in this script) | |
| iptables -D FORWARD -j PRE_DOCKER | |
| # Flush all existing rules | |
| iptables -F PRE_DOCKER | |
| else | |
| # Create the PRE_DOCKER chain | |
| iptables -N PRE_DOCKER | |
| fi | |
| # Default action | |
| iptables -I PRE_DOCKER -j RETURN | |
| # Double check, wait for docker socket (upstart docker.conf already does this) | |
| while [ ! -e "/var/run/docker.sock" ]; do echo "Waiting for /var/run/docker.sock..."; sleep 1; done | |
| declare -A network | |
| declare -A container | |
| eval "network=( $(docker network ls |sed '1d' | tr -s ' ' | awk '{printf ("[%s]=br-%s ",$2,$1)}') )" | |
| for i in $(docker inspect -f '{{ $name := .Name }}{{range $key,$val := .NetworkSettings.Networks}}container["{{$name}}",{{ $key }}]={{ $val.IPAddress }} {{end}}' $(docker ps -aq)) | |
| do | |
| eval $i | |
| done | |
| #echo ${network[www]} | |
| #exit | |
| while IFS='' read -r line || [[ -n "$line" ]]; do | |
| [[ "$line" =~ ^#.*$ ]] && continue | |
| [ -z "$(echo $line | tr -s '')" ] && continue | |
| eval "iptables -I PRE_DOCKER $line" | |
| #echo "iptables -I PRE_DOCKER $line" | |
| done < $IPTABLES_FILE | |
| #contention tracking | |
| iptables -I PRE_DOCKER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # Finally insert the PRE_DOCKER table before the DOCKER table in the FORWARD chain. | |
| iptables -I FORWARD -j PRE_DOCKER |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment