Q:
In the Linux firewall I'd like to mark Docker traffic to send it over a given interface. I know I should use tc to mark that traffic and send it over a specific routing table. Can you explain it to me?
A:
To route Docker traffic through a specific interface using `tc` and policy routing in Linux, you'll need to perform the following steps:
1. **Identify Docker Traffic**: Determine how to identify Docker traffic. This can be done by marking packets originating from Docker containers.
2. **Mark Docker Traffic with iptables**: Use `iptables` to mark Docker packets with a specific mark value.
3. **Configure Routing Table**: Create a new routing table for the marked packets.
4. **Set up Policy Routing**: Use `ip rule` to route marked packets through the specific routing table.
Here's a step-by-step guide to achieve this:
### Step 1: Identify Docker Traffic
Assuming Docker containers are using the default Docker bridge network (`docker0`), you can identify traffic based on the source IP address range (typically `172.17.0.0/16`).
### Step 2: Mark Docker Traffic with iptables
Use `iptables` to mark packets originating from the Docker network:
```sh
# Mark packets from Docker containers with a mark value (e.g., 0x1)
sudo iptables -t mangle -A PREROUTING -i docker0 -j MARK --set-mark 1
```
### Step 3: Configure a Routing Table
1. **Add a new routing table**: Edit `/etc/iproute2/rt_tables` to add a new table.
```sh
# Add a new routing table (e.g., table 100)
echo "100 docker" | sudo tee -a /etc/iproute2/rt_tables
```
2. **Add routes to the new routing table**: Add routes to the new table to specify which interface should be used.
```sh
# Add a route to the new table for the specific interface (e.g., eth1)
sudo ip route add default via <gateway_ip> dev eth1 table docker
```
### Step 4: Set Up Policy Routing
Use `ip rule` to route marked packets through the specific routing table:
```sh
# Add a rule to use the new routing table for marked packets
sudo ip rule add fwmark 1 table docker
```
### Example
Let's assume:
- Docker containers use the network `172.17.0.0/16`.
- The specific interface you want to use for Docker traffic is `eth1`.
- The gateway IP for `eth1` is `192.168.1.1`.
Here are the complete commands:
```sh
# Mark Docker traffic with iptables
sudo iptables -t mangle -A PREROUTING -i docker0 -j MARK --set-mark 1
# Add a new routing table named 'docker'
echo "100 docker" | sudo tee -a /etc/iproute2/rt_tables
# Add a default route for the new table 'docker'
sudo ip route add default via 192.168.1.1 dev eth1 table docker
# Add a rule to route marked packets through the 'docker' table
sudo ip rule add fwmark 1 table docker
```
### Verification
To verify the setup, you can use the following commands:
- Check iptables rules:
```sh
sudo iptables -t mangle -L -v -n
```
- Check routing rules:
```sh
ip rule show
```
- Check the new routing table:
```sh
ip route show table docker
```
This setup ensures that Docker traffic marked by `iptables` is routed through the specific interface `eth1` using policy routing.
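The four steps above, as an added example that is not part of the original paste or the answer: an idempotent script that can be re-run without appending a second `100 docker` line to `rt_tables` or stacking duplicate `iptables`/`ip rule` entries, plus a kernel-side check using `ip route get` that does not need any container traffic to flow. The interface names, gateway, mark and table id default to the answer's example values and are placeholders to override for your host; `PROBE_SRC` and `PROBE_DST` are constructed addresses used only for the route lookup.

```sh
#!/bin/sh
# Added example (not the original answer's code): idempotent version of the
# docker0 -> eth1 policy-routing setup, with a dry-run mode.
# Defaults are the answer's example values, assumed placeholders for your host.
DOCKER_IF="${DOCKER_IF:-docker0}"
EGRESS_IF="${EGRESS_IF:-eth1}"
GATEWAY="${GATEWAY:-192.168.1.1}"
MARK="${MARK:-1}"
TABLE_ID="${TABLE_ID:-100}"
TABLE_NAME="${TABLE_NAME:-docker}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
# Constructed addresses for the `ip route get` probe only: one container
# address inside 172.17.0.0/16 and a TEST-NET-1 destination.
PROBE_SRC="${PROBE_SRC:-172.17.0.2}"
PROBE_DST="${PROBE_DST:-192.0.2.1}"
DRY_RUN="${DRY_RUN:-}"   # non-empty: print privileged commands instead of running them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append "<id> <name>" to an rt_tables file exactly once. Returns 0 if the
# entry is present afterwards, 1 if the id or the name already belongs to a
# different entry (appending anyway would leave two conflicting definitions).
ensure_rt_table() {
    id="$1"; name="$2"; file="$3"
    if grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}([[:space:]]|$)" "$file" 2>/dev/null; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*(${id}[[:space:]]|[0-9]+[[:space:]]+${name}([[:space:]]|$))" "$file" 2>/dev/null; then
        echo "rt_tables: id $id or name $name is already used by another entry" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        printf 'append "%s %s" to %s\n' "$id" "$name" "$file"
    else
        printf '%s %s\n' "$id" "$name" >> "$file"
    fi
}

# Step 2: mark packets entering the host from the Docker bridge.
# `iptables -C` checks for an identical rule, so re-running adds nothing.
mark_docker_traffic() {
    if [ -z "$DRY_RUN" ] && iptables -t mangle -C PREROUTING -i "$DOCKER_IF" -j MARK --set-mark "$MARK" 2>/dev/null; then
        return 0
    fi
    run iptables -t mangle -A PREROUTING -i "$DOCKER_IF" -j MARK --set-mark "$MARK"
}

# Step 3: table name plus its default route. `ip route replace` is idempotent,
# unlike `ip route add`, which fails when the route already exists.
add_egress_route() {
    ensure_rt_table "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES" || return 1
    run ip route replace default via "$GATEWAY" dev "$EGRESS_IF" table "$TABLE_NAME"
}

# Step 4: policy rule. `ip rule add` accepts duplicates, so look first;
# iproute2 prints the mark in hex ("fwmark 0x1 lookup docker").
add_policy_rule() {
    if [ -z "$DRY_RUN" ] && ip rule show 2>/dev/null | grep -q "fwmark $(printf '0x%x' "$MARK") lookup $TABLE_NAME"; then
        return 0
    fi
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
}

configure_docker_egress() {
    mark_docker_traffic && add_egress_route && add_policy_rule
}

# Ask the kernel which route a marked packet from the bridge would take;
# succeeds only if the chosen route leaves via EGRESS_IF.
verify_steering() {
    ip route get "$PROBE_DST" from "$PROBE_SRC" iif "$DOCKER_IF" mark "$MARK" 2>/dev/null \
        | grep -q "dev $EGRESS_IF"
}

case "${1:-}" in
    apply) configure_docker_egress && verify_steering && echo "marked traffic leaves via $EGRESS_IF" ;;
    check) verify_steering && echo "marked traffic leaves via $EGRESS_IF" ;;
esac
```

Run `DRY_RUN=1 sh docker_egress.sh apply` first to see the commands, then `sh docker_egress.sh apply` as root; `sh docker_egress.sh check` repeats only the route lookup. Two points the answer leaves out: Docker's own MASQUERADE rule in the nat POSTROUTING chain matches any outgoing interface other than `docker0`, so container sources are still translated to the `eth1` address; and if `net.ipv4.conf.eth1.rp_filter` is 1 (strict), replies arriving on `eth1` can be dropped, because an unmarked reply is reverse-path checked against the main table, whose default route points elsewhere. Loose mode (2) on that interface, or restoring the mark from conntrack with CONNMARK in the mangle PREROUTING chain, avoids that.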
Comments
not working -rep I think he also stole my bitcoin
:(

You should store your bitcoins in a cold wallet. Don't trust those shady sites.