Script to fix Docker iptables on Synology NAS
#!/bin/bash
# Wait for Docker to finish creating its iptables chains after boot, then add
# the nat PREROUTING rules that send locally-destined traffic through the
# DOCKER chain, so containers see the real client IP instead of the bridge IP.
currentAttempt=0
totalAttempts=10
delay=15

while [ "$currentAttempt" -lt "$totalAttempts" ]
do
	currentAttempt=$(( currentAttempt + 1 ))
	echo "Attempt $currentAttempt of $totalAttempts..."

	# A quoted right-hand side makes =~ a plain substring match, not a regex.
	result=$(iptables-save)
	if [[ $result =~ "-A DOCKER -i docker0 -j RETURN" ]]; then
		echo "Docker rules found! Modifying..."
		iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
		echo "Done!"
		break
	fi

	echo "Docker rules not found! Sleeping for $delay seconds..."
	sleep "$delay"
done
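As an added example (not the gist's own script), the helpers below read an iptables-save dump and report which of the two NAT rules are still missing, so a boot-time retry loop adds only what is absent instead of stacking duplicate PREROUTING rules on every run. It assumes iptables-save prints the negated destination as `! -d 127.0.0.0/8` before the addrtype match, and the sample dump is constructed, not captured from a NAS.

```shell
#!/bin/sh
# Added example, not the gist's own script: decide from an iptables-save dump
# which Docker NAT rules are already present, so a retry loop (or a second
# boot-time run) adds only the missing ones instead of stacking duplicates.

# Lines that show Docker has finished building its chains. The first is what
# the gist waits for, the second is what @flo-mic's variant waits for.
DOCKER_MARKERS='-A DOCKER -i docker0 -j RETURN
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT'

# The two nat PREROUTING rules, written the way iptables-save prints them
# (assumed spelling: the negated destination comes before the addrtype match).
NAT_RULES='-A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER'

# has_line DUMP LINE: succeeds if LINE occurs as a whole line of DUMP.
has_line() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# docker_ready DUMP: succeeds if any marker line is present in DUMP.
docker_ready() {
  printf '%s\n' "$DOCKER_MARKERS" | while IFS= read -r m; do
    has_line "$1" "$m" && printf 'ready\n'
  done | grep -q ready
}

# missing_nat_rules DUMP: prints each NAT rule not already in DUMP, one per line.
missing_nat_rules() {
  printf '%s\n' "$NAT_RULES" | while IFS= read -r r; do
    has_line "$1" "$r" || printf '%s\n' "$r"
  done
}

# apply_missing_rules DUMP: adds only the missing rules (needs root on the NAS).
apply_missing_rules() {
  missing_nat_rules "$1" | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # the rule is split into iptables arguments on purpose
    iptables -t nat $rule
  done
}

# Constructed sample dump: Docker is ready, only the second NAT rule is installed.
SAMPLE_DUMP='*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
-A DOCKER -i docker0 -j RETURN
COMMIT'
```

On the NAS the loop body becomes `dump=$(iptables-save); docker_ready "$dump" && apply_missing_rules "$dump"`, which is safe to run again on the next boot.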
@pedrolamas pedrolamas commented Aug 18, 2020

Instructions

  • Open DSM on your Synology NAS
  • Open Control Panel and click on Task Scheduler
  • Click Create button, Triggered Task, User defined script
  • Give it a name, select "root" for User and "Boot-up" for Event, tick Enabled
  • Click Task Settings, paste the above script into the User-defined script box
  • Click OK button and you're done!

The script will run after every reboot and should survive any updates of DSM!

More info

Please check the following post:

https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/

@soflane soflane commented Nov 4, 2020

I don't know you but I already love you!
Thanks for the fix, you saved my night!

@TimmermanTim TimmermanTim commented Feb 17, 2021

Thanks a lot! This fixed my issue with Authelia and Traefik not seeing the real originating IP!

@hanjuq hanjuq commented Mar 11, 2021

I transferred my perfectly working linuxserver/swag container (I love it!) from Debian to Synology NAS and ran into the same issue.

Pedrolamas' solution solved my first fail2ban problem with 172.17.0.1 host in nginx access.log.
Thanks a lot for this!!!

Now fail2ban tries to ban the correct external IP. The word "tries" points to the next problem. But that's stuff for next weekend.

@lilws lilws commented Apr 9, 2021

This is awesome, I was trying to figure out why my torrent can't catch peers for download, and figured out that NAT is the main problem in Docker.

Thanks a lot!

@flo-mic flo-mic commented Apr 11, 2021

@pedrolamas many thanks for the script. It helped me a lot. I had to make some adaptations to it as some default iptables rules seem to be missing on my system (I use the default config, nothing special here, quite strange...). So if someone else has problems with the script please try the following one. It is nearly the same but just waits for another iptables rule.

This one was tested under Synology DSM 6.2.4-2556 on a 916+

#!/bin/bash
currentAttempt=0
totalAttempts=10
delay=15

while [ $currentAttempt -lt $totalAttempts ]
do
	currentAttempt=$(( $currentAttempt + 1 ))
	
	echo "Attempt $currentAttempt of $totalAttempts..."
	
	result=$(iptables-save)

	if [[ $result =~ "-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT" ]]; then
		echo "Docker rules found! Modifying..."
		
		iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
		iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		
		echo "Done!"
		
		break
	fi
	
	echo "Docker rules not found! Sleeping for $delay seconds..."
	
	sleep $delay
done
@pedrolamas pedrolamas commented Apr 12, 2021

Thank you for sharing that @flo-mic! Guess I need to revisit this and try to find a better rule that would cover more cases! 🙂

@techhitnz techhitnz commented Apr 28, 2021

Thank you so much for this.

@cavery-git cavery-git commented May 6, 2021

This fixed my issue. I can now see the client IP addresses in pi-hole running in Docker on my Synology NAS. Thank you!

@WellWells WellWells commented Jun 30, 2021

This really does fix the client resolve problem for ADH in Docker.
Really thank you. 😄

@ben-ba ben-ba commented Aug 28, 2021

Was the fix here also, but 3 things:

  1. The second rule never matches, so it is useless
  2. The filter table is also blank at the FORWARD chain compared to another, non-Synology Docker installation.
  3. Why do all packets get masqueraded without these rules?