zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-25 18:00:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

adding iptables functionality

Browse Source
This commit is contained in:
afeiszli
2022-01-26 00:46:12 -05:00
parent cc8037c921
commit 3b84aceec9
5 changed files with 125 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
compose/docker-compose.contained.yml
View File

@@ -3,15 +3,19 @@ version: "3.4"
services: services:
netmaker: netmaker:
container_name: netmaker container_name: netmaker
image: gravitl/netmaker:v0.9.4 image: gravitl/netmaker:v0.10.0.12
volumes: volumes:
- dnsconfig:/root/config/dnsconfig - dnsconfig:/root/config/dnsconfig
- /usr/bin/wg:/usr/bin/wg - /usr/bin/wg:/usr/bin/wg
- sqldata:/root/data - sqldata:/root/data
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
- NET_RAW
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
restart: always restart: always
privileged: true
environment: environment:
SERVER_HOST: "SERVER_PUBLIC_IP" SERVER_HOST: "SERVER_PUBLIC_IP"
SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443" SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443"
@@ -25,11 +29,14 @@ services:
GRPC_PORT: "50051" GRPC_PORT: "50051"
CLIENT_MODE: "on" CLIENT_MODE: "on"
MASTER_KEY: "REPLACE_MASTER_KEY" MASTER_KEY: "REPLACE_MASTER_KEY"
SERVER_GRPC_WIREGUARD: "off"
CORS_ALLOWED_ORIGIN: "*" CORS_ALLOWED_ORIGIN: "*"
DISPLAY_KEYS: "on" DISPLAY_KEYS: "on"
DATABASE: "sqlite" DATABASE: "sqlite"
NODE_ID: "netmaker-server-1" NODE_ID: "netmaker-server-1"
HOST_NETWORK: "off"
MANAGE_IPTABLES: "on"
PORT_FORWARD_SERVICES: "dns"
VERBOSITY: "1"
ports: ports:
- "51821-51830:51821-51830/udp" - "51821-51830:51821-51830/udp"
- "8081:8081" - "8081:8081"
@@ -53,9 +60,6 @@ services:
command: -conf /root/dnsconfig/Corefile command: -conf /root/dnsconfig/Corefile
container_name: coredns container_name: coredns
restart: always restart: always
ports:
- "COREDNS_IP:53:53/udp"
- "COREDNS_IP:53:53/tcp"
volumes: volumes:
- dnsconfig:/root/dnsconfig - dnsconfig:/root/dnsconfig
caddy: caddy:

21
compose/docker-compose.hostnetwork.yml
View File

@@ -5,19 +5,16 @@ services:
container_name: netmaker container_name: netmaker
image: gravitl/netmaker:v0.9.4 image: gravitl/netmaker:v0.9.4
volumes: volumes:
- /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
- /run/systemd/system:/run/systemd/system
- /etc/systemd/system:/etc/systemd/system
- /sys/fs/cgroup:/sys/fs/cgroup
- /usr/bin/wg:/usr/bin/wg
- dnsconfig:/root/config/dnsconfig - dnsconfig:/root/config/dnsconfig
- /usr/bin/wg:/usr/bin/wg
- sqldata:/root/data - sqldata:/root/data
- /run/xtables.lock:/run/xtables.lock
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
- SYS_ADMIN - NET_RAW
restart: always - SYS_MODULE
network_mode: host network_mode: host
privileged: true restart: always
environment: environment:
SERVER_HOST: "SERVER_PUBLIC_IP" SERVER_HOST: "SERVER_PUBLIC_IP"
SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443" SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443"
@@ -35,7 +32,11 @@ services:
CORS_ALLOWED_ORIGIN: "*" CORS_ALLOWED_ORIGIN: "*"
DISPLAY_KEYS: "on" DISPLAY_KEYS: "on"
DATABASE: "sqlite" DATABASE: "sqlite"
HOST_NETWORK: "on"
NODE_ID: "netmaker-server-1" NODE_ID: "netmaker-server-1"
MANAGE_IPTABLES: "on"
PORT_FORWARD_SERVICES: ""
VERBOSITY: "1"
netmaker-ui: netmaker-ui:
container_name: netmaker-ui container_name: netmaker-ui
depends_on: depends_on:
@@ -56,8 +57,8 @@ services:
container_name: coredns container_name: coredns
restart: always restart: always
ports: ports:
- "COREDNS_IP:53:53/udp" - "53053:53/udp"
- "COREDNS_IP:53:53/tcp" - "53053:53/tcp"
volumes: volumes:
- dnsconfig:/root/dnsconfig - dnsconfig:/root/dnsconfig
caddy: caddy:

1
config/config.go
View File

@@ -73,6 +73,7 @@ type ServerConfig struct {
Telemetry string `yaml:"telemetry"` Telemetry string `yaml:"telemetry"`
ManageIPTables string `yaml:"manageiptables"` ManageIPTables string `yaml:"manageiptables"`
PortForwardServices string `yaml:"portforwardservices"` PortForwardServices string `yaml:"portforwardservices"`
HostNetwork string `yaml:"hostnetwork"`
} }
// SQLConfig - Generic SQL Config // SQLConfig - Generic SQL Config

13
servercfg/serverconf.go
View File

@@ -87,6 +87,8 @@ func GetServerConfig() config.ServerConfig {
} }
cfg.Telemetry = Telemetry() cfg.Telemetry = Telemetry()
cfg.ManageIPTables = ManageIPTables() cfg.ManageIPTables = ManageIPTables()
services := strings.Join(GetPortForwardServiceList(), ",")
cfg.PortForwardServices = services
return cfg return cfg
} }
@@ -494,6 +496,17 @@ func IsSplitDNS() bool {
return issplit return issplit
} }
// IsSplitDNS - checks if split dns is on
func IsHostNetwork() bool {
ishost := false
if os.Getenv("HOST_NETWORK") == "on" {
ishost = true
} else if config.Config.Server.HostNetwork == "on" {
ishost = true
}
return ishost
}
// GetNodeID - gets the node id // GetNodeID - gets the node id
func GetNodeID() string { func GetNodeID() string {
var id string var id string

108
serverctl/iptables.go
View File

@@ -1,60 +1,130 @@
package serverctl package serverctl
import ( import (
"errors"
"net" "net"
"os"
"os/exec" "os/exec"
"strings" "strings"
"time"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/netclient/ncutils" "github.com/gravitl/netmaker/netclient/ncutils"
"github.com/gravitl/netmaker/servercfg" "github.com/gravitl/netmaker/servercfg"
) )
const NETMAKER_PROCESS_NAME = "netmaker"
// InitServerNetclient - intializes the server netclient // InitServerNetclient - intializes the server netclient
func InitIPTables() error { func InitIPTables() error {
_, err := exec.LookPath("iptables") _, err := exec.LookPath("iptables")
if err != nil { if err != nil {
return err return err
} }
setForwardPolicy() err = setForwardPolicy()
portForwardServices() if err != nil {
return nil logger.Log(0, "error setting iptables forward policy: "+err.Error())
}
err = portForwardServices()
if err != nil {
return err
}
if isContainerized() && servercfg.IsHostNetwork() {
err = setHostCoreDNSMapping()
}
return err
} }
func portForwardServices() { // set up port forwarding for services listed in config
func portForwardServices() error {
var err error
services := servercfg.GetPortForwardServiceList() services := servercfg.GetPortForwardServiceList()
if len(services) == 0 || services[0] == "" {
return nil
}
for _, service := range services { for _, service := range services {
switch service { switch service {
case "mq": case "mq":
iptablesPortForward("mq", "1883", false) err = iptablesPortForward("mq", "1883", "1883", false)
case "dns": case "dns":
iptablesPortForward("mq", "1883", false) err = iptablesPortForward("coredns", "53", "53", false)
case "ssh": case "ssh":
iptablesPortForward("127.0.0.1", "22", true) err = iptablesPortForward("127.0.0.1", "22", "22", true)
default: default:
params := strings.Split(service, ":") params := strings.Split(service, ":")
iptablesPortForward(params[0], params[1], true) err = iptablesPortForward(params[0], params[1], params[2], true)
}
if err != nil {
return err
} }
} }
return nil
} }
func setForwardPolicy() { // determine if process is running in container
ncutils.RunCmd("iptables --policy FORWARD ACCEPT", true) func isContainerized() bool {
fileBytes, err := os.ReadFile("/proc/1/sched")
if err != nil {
logger.Log(1, "error determining containerization: "+err.Error())
return false
}
fileString := string(fileBytes)
return strings.Contains(fileString, NETMAKER_PROCESS_NAME)
} }
func iptablesPortForward(entry string, port string, isIP bool) { // make sure host allows forwarding
func setForwardPolicy() error {
logger.Log(1, "setting iptables forward policy")
_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
return err
}
// port forward from an entry, can contain a dns name for lookup
func iptablesPortForward(entry string, inport string, outport string, isIP bool) error {
logger.Log(1, "forwarding "+entry+" traffic from host port "+inport+" to container port "+outport)
var address string var address string
if !isIP { if !isIP {
ips, _ := net.LookupIP(entry) out:
for _, ip := range ips { for i := 1; i < 4; i++ {
if ipv4 := ip.To4(); ipv4 != nil { ips, err := net.LookupIP(entry)
address = ip.String() if err != nil && i > 2 {
break return err
} }
for _, ip := range ips {
if ipv4 := ip.To4(); ipv4 != nil {
address = ipv4.String()
}
}
if address != "" {
break out
}
time.Sleep(time.Second)
} }
} else { } else {
address = entry address = entry
} }
ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+port+" -j DNAT --to-destination "+address+":"+port, true) if address == "" {
ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", true) return errors.New("could not locate ip for " + entry)
}
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
if err != nil {
return err
}
_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
if err != nil {
return err
}
_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
return err
}
// if running in host networking mode, run iptables to map to CoreDNS container
func setHostCoreDNSMapping() error {
logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
return err
} }