qpwo/compose.yaml

## compose.yaml
# Do `docker compose up`, then on host run:
# iptables -I DOCKER-USER -s 10.0.1.0/24 -o br-$INTERNAL_NETWORK_ID -j LOG_ACCEPT
# iptables -I DOCKER-USER -d 10.0.1.0/24 -i br-$INTERNAL_NETWORK_ID -j LOG_ACCEPT
# You will see the pings succeeding.

version: "3"

services:
  proxy_cntnr:
    container_name: proxy_cntnr
    hostname: proxy_cntnr

    image: mybase

    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv4.tcp_timestamps=0

    networks:
      open_net:
        ipv4_address: 10.0.0.2
        priority: 10 # eth0
      internal_net:
        ipv4_address: 10.0.1.2
        priority: 1 # eth1

    cap_add:
      - NET_ADMIN

    # https://serverfault.com/questions/431593/iptables-forwarding-between-two-interface
    command: >
      bash -cxe "
        iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
        iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED  -j ACCEPT
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        sleep infinity
        "

  client_cntnr:
    container_name: client_cntnr
    hostname: client_cntnr

    image: mybase

    depends_on:
      - proxy_cntnr

    cap_add:
      - NET_ADMIN

    networks:
      internal_net:
        ipv4_address: 10.0.1.3

    command: >
      bash -cxe "
        # ping -c1 example.com || true
        ip route del default
        ip route add default via 10.0.1.2
        sleep 1
        ping example.com || true
        sleep infinity"

networks:
  open_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/24

  internal_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.1.0/24
    internal: true
	# Do `docker compose up`, then on host run:
	# iptables -I DOCKER-USER -s 10.0.1.0/24 -o br-$INTERNAL_NETWORK_ID -j LOG_ACCEPT
	# iptables -I DOCKER-USER -d 10.0.1.0/24 -i br-$INTERNAL_NETWORK_ID -j LOG_ACCEPT
	# You will see the pings succeeding.

	version: "3"

	services:
	proxy_cntnr:
	container_name: proxy_cntnr
	hostname: proxy_cntnr

	image: mybase

	sysctls:
	- net.ipv4.ip_forward=1
	- net.ipv6.conf.all.forwarding=1
	- net.ipv4.tcp_timestamps=0

	networks:
	open_net:
	ipv4_address: 10.0.0.2
	priority: 10 # eth0
	internal_net:
	ipv4_address: 10.0.1.2
	priority: 1 # eth1

	cap_add:
	- NET_ADMIN

	# https://serverfault.com/questions/431593/iptables-forwarding-between-two-interface
	command: >
	bash -cxe "
	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	sleep infinity
	"

	client_cntnr:
	container_name: client_cntnr
	hostname: client_cntnr

	image: mybase

	depends_on:
	- proxy_cntnr

	cap_add:
	- NET_ADMIN

	networks:
	internal_net:
	ipv4_address: 10.0.1.3

	command: >
	bash -cxe "
	# ping -c1 example.com \|\| true
	ip route del default
	ip route add default via 10.0.1.2
	sleep 1
	ping example.com \|\| true
	sleep infinity"

	networks:
	open_net:
	driver: bridge
	ipam:
	config:
	- subnet: 10.0.0.0/24

	internal_net:
	driver: bridge
	ipam:
	config:
	- subnet: 10.0.1.0/24
	internal: true