@imerr
Last active August 21, 2023 23:22
cursed ipv6 snat
# this assumes a fresh Debian VM; on an existing system you may want to adjust/skip things
# get the system up to date and install Docker (in the future you may want Docker's apt repo)
apt update && apt upgrade -y && apt install docker.io apparmor -y
# docker config: on the docker.io build Debian ships, "ip6tables" only takes effect together with
# "experimental". the log settings aren't needed for this but should be configured anyway
# (unbounded json-file logs eventually fill the disk).
# NOTE: this overwrites any existing /etc/docker/daemon.json
echo '{
  "experimental": true,
  "ip6tables": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "10"
  }
}' > /etc/docker/daemon.json
systemctl restart docker # or reboot if there were kernel updates anyway..
# assuming this is a /64 that is routed to this host; replace with your own prefix.
# if the /64 is on-link at the upstream router instead, the host also has to answer neighbour
# discovery for the SNAT addresses (proxy NDP), otherwise return traffic never arrives.
IPBLOCK="1234:dead:beef:4321"
# add a v6 docker network. masquerade is disabled so Docker doesn't install its own MASQUERADE
# rule, which would match before the SNAT rule below. the bridge gets a fixed name so the
# rules below can match on it instead of on a generated br-<id>.
docker network create --ipv6 \
  -o "com.docker.network.bridge.enable_ip_masquerade=false" \
  -o "com.docker.network.bridge.name=br-ip6net" \
  --subnet "$IPBLOCK:1::/80" ip6net
# WARNING: the iptables rules below don't persist, so they need to be run on every boot
# (iptables-save/ip6tables-save to the rescue!). -A appends, so running them twice adds duplicates.
# JANK: make IPv4 NAT work again, since enable_ip_masquerade=false also turns off Docker's IPv4
# masquerade for this network. 172.16.0.0/12 covers Docker's default address pool (docker0 is
# 172.17.0.0/16, user-defined networks get 172.18.0.0/16 and up), so this can interact with other
# docker networks. "! -o br-ip6net" keeps container-to-container traffic on the bridge un-NATed.
iptables -t nat -A POSTROUTING -s 172.16.0.0/12 ! -o br-ip6net -j MASQUERADE
# IPv6 SNAT so egress uses an address from the rest of the /64 (everything above the
# $IPBLOCK:1::/80 container subnet) :)
# NOTE: the kernel picks the address from the range by hashing source and destination, so one
# container talking to one destination address keeps the same mapped address, while different
# containers and different destinations get different ones. add --persistent to map per source only.
ip6tables -t nat -A POSTROUTING -s "$IPBLOCK:1::/80" ! -o br-ip6net -j SNAT --to-source "$IPBLOCK:2::0-$IPBLOCK:ffff:ffff:ffff:ffff"
# TEST if stuff works
docker run -it --rm --network ip6net debian:stable bash
# in the container:
apt update
apt install -y curl
# this should show an address from the /64 that isn't the container's own; different containers
# should show different addresses (the same container hitting the same destination address keeps
# its mapping, see the note above)
curl -6 https://ipv6.icanhazip.com
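The rules above have to be re-applied on every boot and plain -A appends a duplicate on every run. The following script is an added example, not part of the gist: it validates the /64 prefix, derives the SNAT range from it, and installs or removes the two POSTROUTING rules idempotently (check with -C, append only when absent), so it can run from a boot-time unit without piling up rules. It assumes the network was created with the bridge named br-ip6net (an assumption, matching the network create above) and that iptables/ip6tables are on PATH; the IPT4/IPT6 variables exist only so the logic can be dry-run against fake binaries.

```shell
#!/bin/sh
# ip6snat.sh - idempotent installer for the IPv4 MASQUERADE and IPv6 SNAT rules.
# Added example, not the gist's own code. Assumes the bridge is named br-ip6net
# (assumption) and that the /64 is routed to this host. Safe to re-run.
set -e

# Rule binaries, overridable so the logic can be dry-run or tested without
# touching the host's netfilter tables.
IPT4=${IPT4:-iptables}
IPT6=${IPT6:-ip6tables}

# Validate that PREFIX is the first four hextets of a /64 (hex only, no '::',
# no leading/trailing colon) and print the SNAT source range: everything from
# PREFIX:2::0 to the end of the /64, leaving PREFIX:1::/80 to the containers.
snat_range() {
    prefix=$1
    case "$prefix" in
        *::*)            echo "prefix must not contain '::'" >&2; return 1 ;;
        :*|*:)           echo "prefix must not start or end with ':'" >&2; return 1 ;;
        *[!0-9a-fA-F:]*) echo "prefix has non-hex characters" >&2; return 1 ;;
        *:*:*:*:*)       echo "prefix has more than four hextets" >&2; return 1 ;;
        *:*:*:*)         ;;
        *)               echo "prefix must have four hextets (a /64)" >&2; return 1 ;;
    esac
    echo "$prefix:2::0-$prefix:ffff:ffff:ffff:ffff"
}

# Append a POSTROUTING nat rule only if an identical one is not already present.
# -C exits non-zero when the rule is absent, which is exactly when we -A it.
ensure_rule() {
    cmd=$1; shift
    "$cmd" -t nat -C POSTROUTING "$@" 2>/dev/null \
        || "$cmd" -t nat -A POSTROUTING "$@"
}

# Install both rules for PREFIX on bridge BRIDGE (default br-ip6net, assumption).
install_rules() {
    prefix=$1
    bridge=${2:-br-ip6net}
    range=$(snat_range "$prefix") || return 1
    # IPv4: 172.16.0.0/12 covers Docker's default address pool (docker0 is 172.17.0.0/16).
    ensure_rule "$IPT4" -s 172.16.0.0/12 ! -o "$bridge" -j MASQUERADE
    # IPv6: SNAT the container /80 to the rest of the /64, never for traffic that
    # stays on the bridge. Add --persistent here if a container must always appear
    # from one address regardless of destination.
    ensure_rule "$IPT6" -s "$prefix:1::/80" ! -o "$bridge" -j SNAT --to-source "$range"
}

# Remove the rules again (e.g. before tearing the network down). Missing rules are not an error.
remove_rules() {
    prefix=$1
    bridge=${2:-br-ip6net}
    range=$(snat_range "$prefix") || return 1
    "$IPT4" -t nat -D POSTROUTING -s 172.16.0.0/12 ! -o "$bridge" -j MASQUERADE 2>/dev/null || true
    "$IPT6" -t nat -D POSTROUTING -s "$prefix:1::/80" ! -o "$bridge" -j SNAT --to-source "$range" 2>/dev/null || true
}

# Usage: ip6snat.sh install|remove PREFIX [BRIDGE]
# With no arguments nothing runs, so the file can also be sourced for its functions.
if [ $# -ge 2 ]; then
    case "$1" in
        install) install_rules "$2" "${3:-br-ip6net}" ;;
        remove)  remove_rules "$2" "${3:-br-ip6net}" ;;
        *)       echo "usage: $0 install|remove PREFIX [BRIDGE]" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh ip6snat.sh install 1234:dead:beef:4321` from a systemd unit ordered after docker.service; because the -C check is done against the live table, running it again is a no-op rather than a second copy of each rule. The validation matters because a prefix containing `::` would produce an invalid `::...::` range that ip6tables rejects at boot, silently leaving the containers without working egress.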