@mbartsch
Last active December 30, 2021 20:41
Docker + IPv6 + ip6tables + dhcpcd

This is how I manage Docker with IPv6 and DHCPv6-PD on Arch Linux.

/etc/dhcpcd.conf

  duid
  persistent
  option rapid_commit
  option classless_static_routes
  option ntp_servers
  option interface_mtu
  require dhcp_server_identifier
  slaac private
  # IPv6 only, and no router solicitations on any interface except the uplink below
  ipv6only
  noipv6rs
  interface INTERNETIF
    ipv6rs
    iaid 1
    # Request one delegated prefix (IA_PD 1) and carve it up: a /64 with subnet id 0
    # for LANIF and a /64 with subnet id 2 for the docker1 bridge
    ia_pd 1 LANIF/0/64 docker1/2/64

/etc/iptables/ip6tables.rules

# Generated by ip6tables-save v1.6.1 on Mon Apr 10 23:59:06 2017
*nat
:PREROUTING ACCEPT [16256:2921441]
:INPUT ACCEPT [21:1749]
:OUTPUT ACCEPT [1579:129828]
:POSTROUTING ACCEPT [17166:2996983]
:DOCKERNATPOST - [0:0]
:DOCKERNATPRE - [0:0]
# DOCKERNATPRE/DOCKERNATPOST start empty; the dhcpcd hook fills them with the NETMAP rules
-A POSTROUTING -j DOCKERNATPOST
-A PREROUTING -j DOCKERNATPRE
# OUTPUT also jumps to DOCKERNATPRE so locally generated traffic to the public prefix is mapped too
-A OUTPUT -j DOCKERNATPRE
COMMIT
*filter
:INPUT ACCEPT [8:1558]
:FORWARD ACCEPT [602:50934]
:OUTPUT ACCEPT [2115:172583]
:INTERNET - [0:0]
# UDP 546 is the DHCPv6 client port dhcpcd listens on; 547 only matters if a DHCPv6
# server runs on this host. These must come before the INTERNET chain, or the
# delegation replies from the ISP are dropped.
-A INPUT -m udp -p udp --dport 546 -j ACCEPT
-A INPUT -m udp -p udp --dport 547 -j ACCEPT
# Host-bound and forwarded traffic from the uplink both go through INTERNET, so the
# ports opened below are reachable on the host and on every container address
# that NETMAP exposes
-A INPUT -i INTERNETIF -j INTERNET
-A FORWARD -i INTERNETIF -j INTERNET
-A INTERNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INTERNET -p tcp -m tcp --dport 443 -j ACCEPT
-A INTERNET -p tcp -m tcp --dport 80 -j ACCEPT
-A INTERNET -p tcp -m tcp --dport 22 -j ACCEPT
# ICMPv6 has to pass for neighbour discovery and path MTU discovery
# (icmpv6 is an alias of ipv6-icmp, so one rule covers both spellings)
-A INTERNET -p ipv6-icmp -j ACCEPT
-A INTERNET -j DROP
COMMIT
# Completed on Mon Apr 10 23:14:13 2017

/usr/lib/dhcpcd/dhcpcd-hooks/99-setipv6dockernat

#!/bin/bash -x
# dhcpcd sources this file from dhcpcd-run-hooks, so the shebang is inert and
# the hook runs inside that shell: keep it POSIX-ish and do not call exit here,
# or the hooks that follow this one are skipped.
# Get your IPv6 private (ULA) prefix from
# http://simpledns.com/private-ipv6.aspx
IPV6PRIVATEPREFIX="PrivatePrefix/64"
DOCKERIF="docker1"

flush_docker_nat() {
  # The chains live in the nat table (see ip6tables.rules), so -t nat is required;
  # -F empties them, whereas -D with no rule spec fails.
  ip6tables -t nat -F DOCKERNATPRE
  ip6tables -t nat -F DOCKERNATPOST
}

case "$reason" in
CARRIER)
  # Bridge came up: clear any NETMAP rules left over from the previous prefix
  if [ "$interface" = "$DOCKERIF" ]; then
    flush_docker_nat
  fi
  ;;
REBIND6)
  if [ "$interface" = "$DOCKERIF" ] && [ -n "$new_delegated_dhcp6_prefix" ]; then
    # Flush first so a changed delegation does not leave a stale second mapping
    flush_docker_nat
    # Inbound: public (delegated) prefix -> the ULA the containers really use
    ip6tables -t nat -A DOCKERNATPRE -d "$new_delegated_dhcp6_prefix" -j NETMAP --to "$IPV6PRIVATEPREFIX"
    # Outbound: ULA -> public prefix
    ip6tables -t nat -A DOCKERNATPOST -s "$IPV6PRIVATEPREFIX" -j NETMAP --to "$new_delegated_dhcp6_prefix"
  fi
  # Debug output: dump the hook environment so the variable names can be checked
  echo "SAMPLE::::"
  export
  echo "Parameters $*"
  ;;
esac
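The two pieces above that are easy to get wrong are the ia_pd line in dhcpcd.conf (which /64 does docker1 actually receive?) and the NETMAP pair in the hook (which public address does a container end up with?). The following Python model is an added example, not part of the gist: it computes the subnet that `ia_pd 1 docker1/2/64` carves out of a delegation, applies the same host-bits-preserving translation NETMAP does, runs the sanity checks worth doing before installing the rules, and renders the two ip6tables commands the hook would run. The prefixes are constructed sample values (a documentation-range /56 standing in for the ISP delegation, an RFC 4193 ULA standing in for PrivatePrefix/64); nothing is executed against the kernel.

```python
import ipaddress

# Constructed sample values, not taken from the gist: a documentation-range prefix
# stands in for the ISP's delegation on INTERNETIF, and an RFC 4193 ULA stands in
# for the gist's "PrivatePrefix/64".
SAMPLE_PD = "2001:db8:1234::/56"
SAMPLE_ULA = "fd7a:115c:a1e0:1::/64"
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")


def delegated_subnet(pd_prefix, sla_id, prefix_len):
    """Subnet that dhcpcd's 'ia_pd 1 <iface>/<sla_id>/<prefix_len>' hands to <iface>.

    The subnet id lands in the bits between the delegated prefix length and
    prefix_len, so docker1/2/64 under a /56 delegation becomes <pd>:2::/64.
    """
    pd = ipaddress.IPv6Network(pd_prefix, strict=False)
    if not pd.prefixlen <= prefix_len <= 128:
        raise ValueError("requested prefix length is outside the delegation")
    if sla_id >= 1 << (prefix_len - pd.prefixlen):
        raise ValueError("sla_id does not fit in the delegated prefix")
    base = int(pd.network_address) | (sla_id << (128 - prefix_len))
    return str(ipaddress.IPv6Network((base, prefix_len)))


def netmap(address, from_prefix, to_prefix):
    """What 'ip6tables ... -j NETMAP --to <to_prefix>' does to one address:
    keep the host bits, replace the network bits."""
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    addr = ipaddress.IPv6Address(address)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths for a 1:1 mapping")
    if addr not in src:
        raise ValueError("%s is outside %s, the rule would not match it" % (address, src))
    host_bits = int(addr) & int(src.hostmask)
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))


def check_prefixes(delegated_prefix, private_prefix):
    """Sanity checks worth running before the hook installs the rules."""
    dele = ipaddress.IPv6Network(delegated_prefix, strict=False)
    priv = ipaddress.IPv6Network(private_prefix, strict=False)
    problems = []
    if dele.prefixlen != priv.prefixlen:
        problems.append("prefix lengths differ (%d vs %d); NETMAP would not be 1:1"
                        % (dele.prefixlen, priv.prefixlen))
    if not priv.subnet_of(ULA_SPACE):
        problems.append("%s is not a ULA inside fc00::/7" % priv)
    if dele.subnet_of(ULA_SPACE) or dele.is_link_local:
        problems.append("%s is not a routable delegated prefix" % dele)
    return problems


def nat_rules(delegated_prefix, private_prefix):
    """The two commands the hook runs on REBIND6, rendered as strings only."""
    dele = ipaddress.IPv6Network(delegated_prefix, strict=False)
    priv = ipaddress.IPv6Network(private_prefix, strict=False)
    return [
        "ip6tables -t nat -A DOCKERNATPRE -d %s -j NETMAP --to %s" % (dele, priv),
        "ip6tables -t nat -A DOCKERNATPOST -s %s -j NETMAP --to %s" % (priv, dele),
    ]


if __name__ == "__main__":
    docker_prefix = delegated_subnet(SAMPLE_PD, 2, 64)   # docker1/2/64 from dhcpcd.conf
    print("docker1 gets", docker_prefix)
    for problem in check_prefixes(docker_prefix, SAMPLE_ULA):
        print("WARNING:", problem)
    for rule in nat_rules(docker_prefix, SAMPLE_ULA):
        print(rule)
    container = "fd7a:115c:a1e0:1::10"                   # a container's address on the bridge
    public = netmap(container, SAMPLE_ULA, docker_prefix)
    print(container, "is reachable from the Internet as", public)
    print(public, "maps back to", netmap(public, docker_prefix, SAMPLE_ULA))
```

The equal-prefix-length check is the one that bites in practice: NETMAP only rewrites the bits covered by the `--to` prefix, so a /64 ULA paired with anything other than a /64 delegation does not give the 1:1 mapping the hook assumes.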

As I use docker-compose to start my bridge, I have this in my config file:

version: '2.1'   # enable_ipv6 needs at least the 2.1 file format

networks:

  default:
    driver: bridge
    enable_ipv6: true
    driver_opts:
      # Must match DOCKERIF in the hook and the docker1 entry in ia_pd
      com.docker.network.bridge.name: "docker1"
    ipam:
      driver: default
      config:
        - subnet: 172.33.0.0/24
          gateway: 172.33.0.1
          ip_range: 172.33.0.192/26
        # Containers get addresses from the ULA; NETMAP exposes them under the delegated prefix
        - subnet: PrivatePrefix/64
          gateway: PrivatePrefix::1