
Docker overwrites the iptables configuration when it starts, which makes iptables rules a bit of a pain with Docker. So if you want to add rules to the FORWARD chain, add them to the DOCKER-USER chain instead so that they are not overwritten. These rules usually live in /etc/iptables/rules.v4. The last line is needed so that existing connections are accepted. Traffic to and from the local network is also allowed. Running curl -4 inside the container should now show the IP you have when tunneling your traffic through the VPN. If the OpenVPN process is stopped, the curl should time out.



```bash
#!/bin/bash
# $local_net, $docker_net and $local_network are set earlier in the script;
# that part is not shown on the page.

# Checks to see if there is an IP routing table named 'vpn', create if missing
# (the condition is missing on the page; a lookup of the table name is assumed,
# and the entry is appended so the existing tables in rt_tables are kept)
if ! grep -q '[[:space:]]vpn$' /etc/iproute2/rt_tables; then
    echo "100 vpn" >> /etc/iproute2/rt_tables
fi

# Remove any previous routes in the 'vpn' routing table
# (the sed expression on the page is garbled; this one extracts the
# "from <prefix>" part of every rule that looks up the vpn table)
/bin/ip rule | /bin/sed -n 's/.*\(from [^ ]*\).*lookup vpn/\1/p' | while read -r RULE
do
    /bin/ip rule del $RULE table vpn
done

# ... (lines 15-29 of the script are not present on the page)

# Local traffic should go through eth0
/bin/ip route add $local_net dev eth0 table vpn

# Traffic to docker network should go to docker vpn network
/bin/ip route add $docker_net dev vpn table vpn
```

```bash
# DOCKER-USER rules. Each -I inserts at the top of the chain, so every later
# line ends up above the REJECT; the conntrack rule is evaluated first.
iptables -I DOCKER-USER -i vpn ! -o tun0 -j REJECT --reject-with icmp-port-unreachable
iptables -I DOCKER-USER -i vpn -o vpn -j ACCEPT
iptables -I DOCKER-USER -i vpn -d $local_network -j ACCEPT
iptables -I DOCKER-USER -s $local_network -o vpn -j ACCEPT
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Basically what this script says is that if traffic is coming from the vpn bridge and is not going out through tun0, then reject it.
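One thing a practitioner wants after setting this up is a way to confirm the chain really enforces the kill switch, since Docker can silently rewrite rules. The script below is an added example, not code from the original post: it audits a dump of the DOCKER-USER chain (the text printed by `iptables -S DOCKER-USER`) for the property described above, and wraps the `curl -4` check from the post. The interface names `vpn` and `tun0` come from the post; the three chain dumps are constructed for the example, the 192.168.1.0/24 local network is assumed, and the IP-echo URL is an assumption.

```shell
#!/bin/sh
# Added example (not the post's code): audit a DOCKER-USER chain dump for the
# kill switch "traffic entering from the vpn bridge may only leave via tun0".

# check_docker_user_chain: reads `iptables -S DOCKER-USER` output on stdin.
# Returns 0 when the kill switch is enforced, 1 (with a reason) when it is not.
check_docker_user_chain() {
    awk '
        BEGIN { n = 0; reject_at = 0; estab_at = 0; leak_at = 0 }
        /^-A DOCKER-USER / {
            n++
            # the REJECT that drops vpn-bridge traffic not leaving through tun0
            if (!reject_at && $0 ~ /-i vpn ! -o tun0 -j REJECT/) reject_at = n
            # the conntrack rule that lets replies of existing flows through
            if (!estab_at && $0 ~ /--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT/) estab_at = n
            # a blanket ACCEPT for -i vpn placed above the REJECT bypasses it
            if (!reject_at && !leak_at && $0 ~ /-i vpn -j ACCEPT/) leak_at = n
        }
        END {
            if (!reject_at) { print "FAIL: no REJECT rule for -i vpn ! -o tun0 (kill switch missing)"; exit 1 }
            if (!estab_at || estab_at > reject_at) { print "FAIL: conntrack ESTABLISHED,RELATED ACCEPT must come before the REJECT"; exit 1 }
            if (leak_at) { print "FAIL: rule " leak_at " accepts all -i vpn traffic ahead of the REJECT"; exit 1 }
            print "OK: kill switch enforced, REJECT is rule " reject_at " of " n
        }'
}

# Constructed dump: the post's five -I inserts as iptables -S shows them (each
# insert landed above the earlier ones, so the REJECT ends up last).
good_chain() {
    cat <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -s 192.168.1.0/24 -o vpn -j ACCEPT
-A DOCKER-USER -i vpn -d 192.168.1.0/24 -j ACCEPT
-A DOCKER-USER -i vpn -o vpn -j ACCEPT
-A DOCKER-USER -i vpn ! -o tun0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
EOF
}

# Constructed dump: what remains when the rules were put in FORWARD instead and
# Docker rewrote the tables on restart; DOCKER-USER only has its default RETURN.
wiped_chain() {
    cat <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -j RETURN
EOF
}

# Constructed dump: a debugging ACCEPT inserted later with -I sits above the
# REJECT, so vpn-bridge traffic can leave through eth0 while tun0 is down.
leaky_chain() {
    cat <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -i vpn -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i vpn ! -o tun0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
EOF
}

# Audit the live chain (needs root and iptables); not called in this file.
audit_live_chain() {
    iptables -S DOCKER-USER | check_docker_user_chain
}

# The runtime check from the post: curl -4 inside a container on the vpn
# network should print the VPN exit address, and should time out (printing
# TIMEOUT here) rather than fall back to the host address while OpenVPN is
# stopped. $1 is the container name; the echo URL is an assumption.
# Needs docker and a running container; not called in this file.
container_egress_ip() {
    docker exec "$1" curl -4 -s --max-time 10 "${IP_ECHO_URL:-https://ifconfig.io}" \
        || echo "TIMEOUT (curl failed or timed out)"
}
```

Run `audit_live_chain` after every Docker restart (or from a cron job) and treat any FAIL line as the VPN container being able to reach the internet directly; the constructed dumps show the two common ways that happens: the rules were added to FORWARD and got wiped, or a later `-I` landed above the REJECT.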
