zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-28 19:11:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6a297a819e2f299796cb1f31697ff36acb1219e6
netmaker/serverctl/iptables.go
0xdcarns 5c2106dd46 re-add server mq port
2022-07-07 14:08:24 -04:00

137 lines
3.7 KiB
Go
Raw Blame History

package serverctl
import (
"errors"
"net"
"os"
"os/exec"
"strings"
"time"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/netclient/ncutils"
"github.com/gravitl/netmaker/servercfg"
)
const netmakerProcessName = "netmaker"
// InitIPTables - intializes the server iptables
func InitIPTables(force bool) error {
_, err := exec.LookPath("iptables")
if err != nil {
return err
}
err = setForwardPolicy()
if err != nil {
logger.Log(0, "error setting iptables forward policy: "+err.Error())
}
err = portForwardServices(force)
if err != nil {
return err
}
if isContainerized() && servercfg.IsHostNetwork() {
err = setHostCoreDNSMapping()
}
return err
}
// set up port forwarding for services listed in config
func portForwardServices(force bool) error {
var err error
services := servercfg.GetPortForwardServiceList()
if len(services) == 0 || services[0] == "" {
return nil
}
for _, service := range services {
switch service {
case "mq":
err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force)
case "dns":
err = iptablesPortForward("coredns", "53", "53", false, force)
case "ssh":
err = iptablesPortForward("netmaker", "22", "22", false, force)
default:
params := strings.Split(service, ":")
if len(params) == 3 {
err = iptablesPortForward(params[0], params[1], params[2], true, force)
}
}
if err != nil {
return err
}
}
return nil
}
// determine if process is running in container
func isContainerized() bool {
fileBytes, err := os.ReadFile("/proc/1/sched")
if err != nil {
logger.Log(1, "error determining containerization: "+err.Error())
return false
}
fileString := string(fileBytes)
return strings.Contains(fileString, netmakerProcessName)
}
// make sure host allows forwarding
func setForwardPolicy() error {
logger.Log(2, "setting iptables forward policy")
_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
return err
}
// port forward from an entry, can contain a dns name for lookup
func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error {
var address string
if !isIP {
out:
for i := 1; i < 4; i++ {
ips, err := net.LookupIP(entry)
if err != nil && i > 2 {
return err
}
for _, ip := range ips {
if ipv4 := ip.To4(); ipv4 != nil {
address = ipv4.String()
}
}
if address != "" {
break out
}
time.Sleep(time.Second)
}
} else {
address = entry
}
if address == "" {
return errors.New("could not locate ip for " + entry)
}
if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force {
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
if err != nil {
return err
}
_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
if err != nil {
return err
}
_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
return err
} else {
logger.Log(3, "mq forwarding is already set... skipping")
}
return nil
}
// if running in host networking mode, run iptables to map to CoreDNS container
func setHostCoreDNSMapping() error {
logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
return err
}
Reference in New Issue View Git Blame Copy Permalink