Docker & OPENVPN iptables rules
#!/bin/bash
#
# Docker and OpenVPN forwarding/NAT rules. Must run as root and REPLACES the
# host's entire current iptables rule set (see the flush below).
#
# Start from a clean slate: flush every rule and delete every user chain in
# each table this script touches. Note this removes everything currently
# loaded, not just rules from a previous run of this script (e.g. rules a
# running daemon may have installed are gone until it re-adds them).
for tbl in filter nat mangle; do
  iptables -t "$tbl" -F
  iptables -t "$tbl" -X
done
# Default policies: the host itself accepts all inbound and outbound traffic;
# routed traffic is denied unless a FORWARD rule added below allows it.
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
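#######################################
# Install forwarding + NAT rules for one private network behind this host.
# Creates a dedicated filter chain and wires it into FORWARD for the three
# flows the policy allows: inside<->inside, inside->outside, and replies
# coming back from outside. MASQUERADE hides the private range behind $oo.
# Expects the chain not to exist yet (the reset at the top of the script
# guarantees that on a fresh run; iptables -N fails otherwise).
# Globals:   none written; calls iptables
# Arguments:
#   $1 - internal interface (e.g. docker0, tun0)
#   $2 - external/uplink interface (e.g. eth0)
#   $3 - private CIDR living on $1 (e.g. 172.17.0.0/16)
#   $4 - name of the user chain to create
# Outputs:   "[IpTables] <chain> [OK]" on stdout
# Returns:   status of the echo (the script does not use set -e, so a failed
#            iptables call is only visible on stderr)
#######################################
create_block() {
  local ii=$1 oo=$2 ipr=$3 cn=$4

  iptables -N "$cn"

  # FORWARD policy is DROP (set at the top of the script), so only these jumps
  # let routed traffic through. -I puts them ahead of whatever is already there.
  # Intra-network: $ii -> $ii with both ends inside $ipr.
  iptables -I FORWARD -i "$ii" -o "$ii" -s "$ipr" -d "$ipr" -j "$cn" -m comment --comment "Accept FORWARD $ii > $ii"
  # Outbound: $ii -> $oo, sourced from $ipr.
  iptables -I FORWARD -i "$ii" -o "$oo" -s "$ipr" -j "$cn" -m comment --comment "Accept FORWARD $ii > $oo"
  # Inbound: $oo -> $ii, restricted to replies to connections opened from the
  # inside. Without the conntrack match, anything on the $oo side that can
  # route to $ipr reaches the private hosts directly — MASQUERADE only rewrites
  # outgoing sources, it does not block inbound routing. If you rely on
  # DNAT/port-publishing from $oo, those arrive as NEW and need their own
  # explicit rule — TODO confirm against your setup.
  iptables -I FORWARD -i "$oo" -o "$ii" -d "$ipr" -m conntrack --ctstate RELATED,ESTABLISHED -j "$cn" -m comment --comment "Accept FORWARD $oo > $ii"

  # Chain body: accept anything addressed to or sourced from the range.
  iptables -A "$cn" -d "$ipr" -j ACCEPT -m comment --comment "IN : ALL $cn"
  iptables -A "$cn" -s "$ipr" -j ACCEPT -m comment --comment "OUT : ALL $cn"
  # NAT: rewrite sources in $ipr leaving via the uplink, except traffic that
  # stays inside the range. -o "$oo" keeps the rewrite off any other interface.
  iptables -t nat -A POSTROUTING -s "$ipr" ! -d "$ipr" -o "$oo" -j MASQUERADE -m comment --comment "POSTROUTING nat $cn"
  # Backstop. Unreachable as written: every jump into $cn above already
  # matches -s or -d $ipr, so one of the two ACCEPTs always fires first. Kept
  # so a future jump that lacks such a match does not fall through as ACCEPT.
  iptables -A "$cn" -j REJECT
  echo "[IpTables] $cn [OK]"
}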
#
# Docker bridge: containers in 172.17.0.0/16 on docker0, NAT'd out of eth0.
# NOTE(review): the Docker daemon itself manages chains named DOCKER in the
# filter and nat tables; reusing that name means the two rule sets may
# overwrite each other when the daemon restarts — confirm on your Docker
# version, or pick a distinct chain name.
#
ii="docker0"; oo="eth0"; ipr="172.17.0.0/16"; cn="DOCKER"
create_block "$ii" "$oo" "$ipr" "$cn"
#
# OpenVPN: clients on tun0, NAT'd out of eth0.
# NOTE(review): 10.0.0.0/8 is far wider than a typical VPN pool — any source
# inside the /8 is accepted from tun0, and because the MASQUERADE rule
# excludes "! -d" the same range, traffic to a 10.x LAN on eth0 is forwarded
# un-NAT'd (LAN hosts then need a return route). Narrow this to the actual
# server subnet.
#
ii="tun0"; oo="eth0"; ipr="10.0.0.0/8"; cn="OPENVPN"
create_block "$ii" "$oo" "$ipr" "$cn"