Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func CheckIPTables
func CheckIPTables() error
CheckIPTables ensures that `iptables --list` runs without error.
func ConfigureRedirect
func ConfigureRedirect(sourcePort, mappedPort int, ipAddress string, targetPort int) (func() error, error)
ConfigureRedirect forwards ports from sourcePort to ipAddress:targetPort using iptables. It returns a function which undoes the change to the firewall, and an error.
Beware, there are multiple pieces involved.
Parameters:
- There is the port listened to inside the container (ipAddress:targetPort)
- There is the port listened to on the host, which docker chooses (mappedPort)
- There is the source port, which clients connect to in order to reach our service (sourcePort)
Unfortunately, we cannot easily redirect localhost traffic to ipAddress:targetPort. This is not supported without changing scary kernel and docker options that I don't want to touch.
Instead we rely on docker's userland proxy, which accepts the connection on localhost and makes an outbound connection to the target.
So we simply add an OUTPUT rule which jumps to REDIRECT for local connections. This redirects localhost->localhost, which is fine, and the traffic then goes via the userland proxy.
For non-local connections in particular we want the receiver to see the correct origin IP address. To achieve this we do a traditional PREROUTING DNAT port forward from :sourcePort -> ipAddress:targetPort. We also rely on docker's existing MASQUERADE rule, which means that packets leaving our machine back towards the remote machine are stamped with the correct return address (that of the host, not the container).
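As an added example, not the package's own code, the following program shows how the two-rule scheme described above can be built on top of an injectable iptables runner, including the undo function that ConfigureRedirect is documented to return and the `iptables --list` precondition CheckIPTables checks. The names (Runner, dryRun, redirectRules, applyRedirect, checkIPTables), the exact match conditions (-o lo for locally generated traffic, tcp only) and the ports and container address used in main are this example's assumptions, not values taken from the project. The dry-run runner records the iptables invocations instead of executing them, so the program runs without root.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Runner executes one iptables invocation. Injecting it keeps the rule logic
// testable without root or a live netfilter; ExecRunner is the real one.
type Runner func(args ...string) error

// ExecRunner shells out to the iptables binary and surfaces its output on failure.
func ExecRunner(args ...string) error {
	out, err := exec.Command("iptables", args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("iptables %s: %w: %s", strings.Join(args, " "), err, out)
	}
	return nil
}

// dryRun returns a Runner that records each invocation instead of executing it.
// failAt (0-based, -1 to disable) makes that call fail, to exercise rollback.
func dryRun(log *[]string, failAt int) Runner {
	return func(args ...string) error {
		n := len(*log)
		*log = append(*log, "iptables "+strings.Join(args, " "))
		if n == failAt {
			return errors.New("simulated iptables failure")
		}
		return nil
	}
}

// rule is one nat-table rule: the chain it lives in and its match/target spec.
type rule struct {
	chain string
	spec  []string
}

// args builds the full argument list for action ("-A" to append, "-D" to delete).
func (r rule) args(action string) []string {
	return append([]string{"-t", "nat", action, r.chain}, r.spec...)
}

// redirectRules returns the two rules the package documentation describes.
// The match conditions (-o lo, tcp only) are this example's assumptions.
func redirectRules(sourcePort, mappedPort int, ipAddress string, targetPort int) []rule {
	src := strconv.Itoa(sourcePort)
	return []rule{
		// Local clients: localhost:sourcePort -> localhost:mappedPort, where
		// docker's userland proxy accepts and forwards to the container.
		{chain: "OUTPUT", spec: []string{"-o", "lo", "-p", "tcp", "--dport", src,
			"-j", "REDIRECT", "--to-ports", strconv.Itoa(mappedPort)}},
		// Remote clients: DNAT straight to the container so it sees the real
		// source address; docker's MASQUERADE rule fixes the return path.
		{chain: "PREROUTING", spec: []string{"-p", "tcp", "--dport", src,
			"-j", "DNAT", "--to-destination", fmt.Sprintf("%s:%d", ipAddress, targetPort)}},
	}
}

// applyRedirect installs the rules in order. If an append fails, the rules
// already installed are deleted again before the error is returned, so the
// firewall is never left half-configured. The returned undo function removes
// the rules in reverse order and is safe to call more than once.
func applyRedirect(run Runner, sourcePort, mappedPort int, ipAddress string, targetPort int) (func() error, error) {
	var applied []rule
	remove := func() error {
		var errs []error
		for i := len(applied) - 1; i >= 0; i-- {
			if err := run(applied[i].args("-D")...); err != nil {
				errs = append(errs, err)
			}
		}
		applied = nil // a second call is a no-op
		return errors.Join(errs...)
	}
	for _, r := range redirectRules(sourcePort, mappedPort, ipAddress, targetPort) {
		if err := run(r.args("-A")...); err != nil {
			_ = remove() // best-effort rollback; the original error is what matters
			return nil, fmt.Errorf("installing %s rule: %w", r.chain, err)
		}
		applied = append(applied, r)
	}
	return remove, nil
}

// checkIPTables mirrors the documented precondition: `iptables --list` must succeed.
func checkIPTables(run Runner) error {
	return run("--list")
}

func main() {
	var log []string
	run := dryRun(&log, -1) // constructed ports and container address below
	undo, err := applyRedirect(run, 8080, 32768, "172.17.0.2", 80)
	if err != nil {
		panic(err)
	}
	_ = undo()
	for _, l := range log {
		fmt.Println(l)
	}
}
```

Swapping dryRun for ExecRunner gives the real behaviour; the rollback on partial failure matters because an OUTPUT rule left behind without its PREROUTING partner silently changes where local traffic goes while remote traffic is unaffected.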
Types
This section is empty.