Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Piercing IPTables for Akka Cluster on AWS Beanstalk with ebextensions
files:
"/etc/init/eb-docker-iptables.conf":
mode: "000644"
content: |
description "Elastic Beanstalk Default Docker Container Iptables"
author "Matthew Tovbin <mtovbin@salesforce.com>"
start on started docker
stop on stopping docker
respawn
script
# Wait for docker to finish starting up first.
FILE=/var/run/docker.sock
while [ ! -e $FILE ]; do
sleep 2
done
DOCKER_CURRENT_APP=`(cat /etc/elasticbeanstalk/.aws_beanstalk.current-container-id || cat /etc/elasticbeanstalk/.aws_beanstalk.staging-container-id) | cut -c 1-12`
while [ ! docker ps | grep $DOCKER_CURRENT_APP ]; do
sleep 2
done
DOCKER_IP=`docker inspect $DOCKER_CURRENT_APP | jq -r .[0].NetworkSettings.IPAddress`
# DOCKER_PORT_FILE=`/opt/elasticbeanstalk/bin/get-config container -k port_file`
# DOCKER_PORT=`cat $DOCKER_PORT_FILE`
DOCKER_PORT=2551
EXTERNAL_PORT=2551
# remove rules added by us (marked by the "added_by_ebextension" comment), if any
iptables-save | grep -v added_by_ebextension | iptables-restore
# add our rule with the "added_by_ebextension" as a special marker
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${DOCKER_IP}:${DOCKER_PORT} -m comment --comment added_by_ebextension
# following are optional since the FORWARD chain is ACCEPT by default
# iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -d ${DOCKER_IP} -j ACCEPT -m comment --comment added_by_ebextension
# iptables -A FORWARD -p tcp -d ${DOCKER_IP} --dport ${EXTERNAL_PORT} -j ACCEPT -m comment --comment added_by_ebextension
exec docker wait $DOCKER_CURRENT_APP
end script
commands:
00-setup-iptables:
command: "initctl reload-configuration"
container_commands:
01-restart-service:
command: "initctl stop eb-docker-iptables; initctl start eb-docker-iptables"
@tovbinm

This comment has been minimized.

Show comment Hide comment
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment