Dolapevich

Untitled

May 26th, 2024
Q:
In the Linux firewall I'd like to mark Docker traffic to send it over a given interface. I know I should use tc to mark that traffic and send it over a specific routing table. Can you explain it to me?

A:
To route Docker traffic through a specific interface using `tc` and policy routing in Linux, you'll need to perform the following steps:

1. **Identify Docker Traffic**: Determine how to identify Docker traffic. This can be done by marking packets originating from Docker containers.

2. **Mark Docker Traffic with iptables**: Use `iptables` to mark Docker packets with a specific mark value.

3. **Configure Routing Table**: Create a new routing table for the marked packets.

4. **Set up Policy Routing**: Use `ip rule` to route marked packets through the specific routing table.

Here's a step-by-step guide to achieve this:

### Step 1: Identify Docker Traffic

Assuming Docker containers are using the default Docker bridge network (`docker0`), you can identify traffic based on the source IP address range (typically `172.17.0.0/16`).

### Step 2: Mark Docker Traffic with iptables

Use `iptables` to mark packets originating from the Docker network:

```sh
# Mark packets from Docker containers with a mark value (e.g., 0x1)
sudo iptables -t mangle -A PREROUTING -i docker0 -j MARK --set-mark 1
```

### Step 3: Configure a Routing Table

1. **Add a new routing table**: Edit `/etc/iproute2/rt_tables` to add a new table.

```sh
# Add a new routing table (e.g., table 100)
echo "100 docker" | sudo tee -a /etc/iproute2/rt_tables
```

2. **Add routes to the new routing table**: Add routes to the new table to specify which interface should be used.

```sh
# Add a route to the new table for the specific interface (e.g., eth1)
sudo ip route add default via <gateway_ip> dev eth1 table docker
```

### Step 4: Set Up Policy Routing

Use `ip rule` to route marked packets through the specific routing table:

```sh
# Add a rule to use the new routing table for marked packets
sudo ip rule add fwmark 1 table docker
```

### Example

Let's assume:
- Docker containers use the network `172.17.0.0/16`.
- The specific interface you want to use for Docker traffic is `eth1`.
- The gateway IP for `eth1` is `192.168.1.1`.

Here are the complete commands:

```sh
# Mark Docker traffic with iptables
sudo iptables -t mangle -A PREROUTING -i docker0 -j MARK --set-mark 1

# Add a new routing table named 'docker'
echo "100 docker" | sudo tee -a /etc/iproute2/rt_tables

# Add a default route for the new table 'docker'
sudo ip route add default via 192.168.1.1 dev eth1 table docker

# Add a rule to route marked packets through the 'docker' table
sudo ip rule add fwmark 1 table docker
```

### Verification

To verify the setup, you can use the following commands:

- Check iptables rules:
  ```sh
  sudo iptables -t mangle -L -v -n
  ```

- Check routing rules:
  ```sh
  ip rule show
  ```

- Check the new routing table:
  ```sh
  ip route show table docker
  ```

This setup ensures that Docker traffic marked by `iptables` is routed through the specific interface `eth1` using policy routing.
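The verification commands above only show each layer in isolation; the script below (added here, not part of the paste) ties them together and checks that the mark set by `iptables` is the one an `ip rule` matches and that the selected table really exits via the intended interface. The three sample outputs are constructed to mirror a host configured as in the answer (note that `iptables -S` prints the mark as `0x1/0xffffffff` while the answer sets it as decimal `1`, so marks are normalised before comparing); `check_policy_routing` and its helpers are hypothetical names.

```shell
#!/bin/sh
# Constructed sample outputs of the three verification commands; in live use, pass the
# real output of "iptables -t mangle -S PREROUTING", "ip rule show" and
# "ip route show table docker" instead (see the call at the bottom).
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -i docker0 -j MARK --set-xmark 0x1/0xffffffff'
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup docker
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE='default via 192.168.1.1 dev eth1'

# to_dec MARK: normalise "1", "0x1" or "0x1/0xffffffff" to a decimal integer so that
# iptables (hex/mask) and ip rule (hex) output can be compared with the value set.
to_dec() { v=${1%%/*}; echo $(( $v )); }

# mark_from_mangle IN_IF MANGLE_DUMP: mark value set on packets entering via IN_IF
mark_from_mangle() {
  printf '%s\n' "$2" | awk -v ifc="$1" 'index($0, "-i " ifc " ") && /-j MARK/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^--set-x?mark$/) print $(i + 1) }'
}

# table_for_mark DEC_MARK RULE_DUMP: table selected by the ip rule matching that fwmark
table_for_mark() {
  pairs=$(printf '%s\n' "$2" | awk '{ m = ""; t = ""
    for (i = 1; i <= NF; i++) { if ($i == "fwmark") m = $(i + 1); if ($i == "lookup") t = $(i + 1) }
    if (m != "") print m ":" t }')
  for p in $pairs; do
    [ "$(to_dec "${p%%:*}")" -eq "$1" ] && { echo "${p#*:}"; return 0; }
  done
  return 1
}

# default_dev ROUTE_DUMP: outgoing interface of the table's default route
default_dev() {
  printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_policy_routing IN_IF WANT_IF MANGLE_DUMP RULE_DUMP ROUTE_DUMP
# Succeeds only if mark -> rule -> table -> WANT_IF is a complete chain; otherwise
# prints which link is missing and returns 1.
check_policy_routing() {
  mark=$(mark_from_mangle "$1" "$3") && [ -n "$mark" ] || { echo "no MARK rule for -i $1"; return 1; }
  tbl=$(table_for_mark "$(to_dec "$mark")" "$4") || { echo "no ip rule for fwmark $mark"; return 1; }
  dev=$(default_dev "$5")
  [ "$dev" = "$2" ] || { echo "table $tbl exits via ${dev:-no default route}, expected $2"; return 1; }
  echo "ok: -i $1 -> mark $mark -> table $tbl -> dev $2"
}

# Live use: check_policy_routing docker0 eth1 "$(iptables -t mangle -S PREROUTING)" \
#           "$(ip rule show)" "$(ip route show table docker)"
check_policy_routing docker0 eth1 "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_TABLE"
```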