tovbinm/01-iptables.config

## 01-iptables.config
files:
  "/etc/init/eb-docker-iptables.conf":
    mode: "000644"
    content: |
      description "Elastic Beanstalk Default Docker Container Iptables"
      author "Matthew Tovbin <mtovbin@salesforce.com>"

      start on started docker
      stop on stopping docker

      respawn

      script
              # Wait for docker to finish starting up first.
              FILE=/var/run/docker.sock
              while [ ! -e $FILE ]; do
                      sleep 2
              done

              DOCKER_CURRENT_APP=`(cat /etc/elasticbeanstalk/.aws_beanstalk.current-container-id || cat /etc/elasticbeanstalk/.aws_beanstalk.staging-container-id) | cut -c 1-12`

              while [ ! docker ps | grep $DOCKER_CURRENT_APP ]; do
                      sleep 2
              done

              DOCKER_IP=`docker inspect $DOCKER_CURRENT_APP | jq -r .[0].NetworkSettings.IPAddress`
              # DOCKER_PORT_FILE=`/opt/elasticbeanstalk/bin/get-config container -k port_file`
              # DOCKER_PORT=`cat $DOCKER_PORT_FILE`
              DOCKER_PORT=2551
              EXTERNAL_PORT=2551

              # remove rules added by us (marked by the "added_by_ebextension" comment), if any
              iptables-save | grep -v added_by_ebextension | iptables-restore

              # add our rule with the "added_by_ebextension" as a special marker
              iptables -A PREROUTING -t nat -i eth0 -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${DOCKER_IP}:${DOCKER_PORT} -m comment --comment added_by_ebextension

              # following are optional since the FORWARD chain is ACCEPT by default
              # iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -d ${DOCKER_IP} -j ACCEPT -m comment --comment added_by_ebextension
              # iptables -A FORWARD -p tcp -d ${DOCKER_IP} --dport ${EXTERNAL_PORT} -j ACCEPT -m comment --comment added_by_ebextension

              exec docker wait $DOCKER_CURRENT_APP
      end script

commands:
  00-setup-iptables:
    command: "initctl reload-configuration"

container_commands:
  01-restart-service:
    command: "initctl stop eb-docker-iptables; initctl start eb-docker-iptables"
	files:
	"/etc/init/eb-docker-iptables.conf":
	mode: "000644"
	content: \|
	description "Elastic Beanstalk Default Docker Container Iptables"
	author "Matthew Tovbin <mtovbin@salesforce.com>"

	start on started docker
	stop on stopping docker

	respawn

	script
	# Wait for docker to finish starting up first.
	FILE=/var/run/docker.sock
	while [ ! -e $FILE ]; do
	sleep 2
	done

	DOCKER_CURRENT_APP=`(cat /etc/elasticbeanstalk/.aws_beanstalk.current-container-id \|\| cat /etc/elasticbeanstalk/.aws_beanstalk.staging-container-id) \| cut -c 1-12`

	while [ ! docker ps \| grep $DOCKER_CURRENT_APP ]; do
	sleep 2
	done

	DOCKER_IP=`docker inspect $DOCKER_CURRENT_APP \| jq -r .[0].NetworkSettings.IPAddress`
	# DOCKER_PORT_FILE=`/opt/elasticbeanstalk/bin/get-config container -k port_file`
	# DOCKER_PORT=`cat $DOCKER_PORT_FILE`
	DOCKER_PORT=2551
	EXTERNAL_PORT=2551

	# remove rules added by us (marked by the "added_by_ebextension" comment), if any
	iptables-save \| grep -v added_by_ebextension \| iptables-restore

	# add our rule with the "added_by_ebextension" as a special marker
	iptables -A PREROUTING -t nat -i eth0 -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${DOCKER_IP}:${DOCKER_PORT} -m comment --comment added_by_ebextension

	# following are optional since the FORWARD chain is ACCEPT by default
	# iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -d ${DOCKER_IP} -j ACCEPT -m comment --comment added_by_ebextension
	# iptables -A FORWARD -p tcp -d ${DOCKER_IP} --dport ${EXTERNAL_PORT} -j ACCEPT -m comment --comment added_by_ebextension

	exec docker wait $DOCKER_CURRENT_APP
	end script

	commands:
	00-setup-iptables:
	command: "initctl reload-configuration"

	container_commands:
	01-restart-service:
	command: "initctl stop eb-docker-iptables; initctl start eb-docker-iptables"