I've been stuck on this problem all day and am keeping my fingers crossed some iptables expert reads this and can help me please.

I would like to force all my docker containers' outbound traffic to go through a socks5 proxy.

This is the closest I've come:

# Chain that decides which container traffic is handed to redsocks
iptables -t nat -N REDSOCKS
# Leave local, private, link-local, multicast and reserved destinations alone
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 240.0.0.0/4 -j RETURN

# Everything else from the container subnet is sent to the redsocks listener on the host
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -p tcp -j DNAT --to-destination 172.17.0.1:12345
# OUTPUT sees locally generated packets, PREROUTING sees packets arriving from the containers
iptables -t nat -A OUTPUT -s 172.20.0.0/16 -j REDSOCKS
iptables -t nat -A PREROUTING -s 172.20.0.0/16 -j REDSOCKS

It works almost perfectly, but the socks5 proxy is unable to tell the originating IP address.

The remote address is always '127.0.0.1'

Is there any way I can keep the originating IP address?

Example Scenario

  1. I have applied the iptables rules above to my docker host
  2. I have a docker container with the address 172.20.0.2
  3. Inside that container, I do a curl to example.com
  4. The traffic is forwarded to 172.17.0.1:12345 (the docker host machine)
  5. The server running on 12345 shows the remote IP address as being '127.0.0.1'
  6. I would like the remote IP address to show as 172.20.0.2

Thanks to anyone who can try and help me with this.

Mark

2 Answers


From a network perspective, if the source IP is equal to the destination IP, it results in a security issue known as a LAND attack.

Bruce Malaudzi

I have applied the iptables rules above to my docker host

On the host, -t nat -A OUTPUT redirects your host's own outbound traffic. You don't need that if you just want to redirect the containers' traffic. Using -t nat -I PREROUTING is enough to redirect the containers' traffic.

And these are some tips you could try; I'm not sure about them, but I hope they help:

  • Since that's the host's iptables, try modifying -j DNAT --to-destination 172.17.0.1:12345 to -j DNAT --to-destination 127.0.0.1:12345

  • iptables -I INPUT -j ACCEPT to allow input traffic from the containers. I guess your host didn't allow it, so the originating IP was always (and could only be) 127.0.0.1

  • socks5 proxy? You need a proxy protocol bridge to use socks5 with iptables.

    container -> host -> redsocks to socks5 bridge -> socks5
    
  • Lastly, if it still doesn't work, it could be a Linux NAT bug, like the one I encountered here. That issue was solved after I upgraded Linux. I don't know, just a guess

garywill
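Added example (not code from the question, either answer, or redsocks itself): a minimal transparent TCP listener standing where the DNAT target in the question's rule set points (172.17.0.1:12345, taken from the question; the bind address and port are parameters). It shows the two things a redsocks-style "socks5 bridge" from the second answer can actually observe for a redirected connection: the peer address returned by accept(), which DNAT leaves untouched and is therefore the container's own address, and the pre-NAT destination recovered with getsockopt(SOL_IP, SO_ORIGINAL_DST). It also mirrors the chain's RETURN exceptions so the bridge can flag a destination that should never have reached it. All addresses in the test input (203.0.113.10, 198.51.100.7) are constructed documentation-range values.

```python
"""Redsocks-style transparent listener: what it can see behind the DNAT rule.
Added illustration, not part of the original question or answers."""
import ipaddress
import socket
import struct

# getsockopt level and option returning the pre-NAT destination of an accepted
# TCP connection. The socket module does not export SO_ORIGINAL_DST; the value
# is the one defined in <linux/netfilter_ipv4.h>.
SOL_IP = 0
SO_ORIGINAL_DST = 80

# Destinations the REDSOCKS chain in the question RETURNs before its DNAT rule.
BYPASS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def should_bypass(ip):
    """True if the iptables chain would RETURN (not DNAT) traffic to this IPv4 address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BYPASS_NETS)


def build_sockaddr_in(ip, port):
    """Encode a struct sockaddr_in as the kernel returns it. Used here only to build
    constructed test input; a live listener gets these 16 bytes from getsockopt."""
    return (struct.pack("=H", socket.AF_INET)   # sin_family, host byte order
            + struct.pack("!H", port)           # sin_port, network byte order
            + socket.inet_aton(ip)              # sin_addr, network byte order
            + b"\x00" * 8)                      # sin_zero padding


def parse_sockaddr_in(raw):
    """Decode struct sockaddr_in into (dotted_ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not AF_INET: family=%d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn):
    """Pre-DNAT destination of an accepted connection, or None when conntrack has
    no NAT entry for it (e.g. a client that connected to port 12345 directly)."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def classify_connection(orig):
    """'direct' if not redirected, 'unexpected' if the RETURN rules should have kept
    this destination off the proxy, otherwise 'proxy'."""
    if orig is None:
        return "direct"
    if should_bypass(orig[0]):
        return "unexpected"
    return "proxy"


def serve(bind_addr="172.17.0.1", port=12345):
    """Accept redirected connections and report what the listener can see."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                # DNAT rewrites only the destination, so peer[0] is still the
                # container's address (172.20.0.2 in the question's scenario).
                orig = original_dst(conn)
                dst = "%s:%d" % orig if orig else "?"
                print("%s:%d -> %s [%s]" % (peer[0], peer[1], dst,
                                            classify_connection(orig)))
                # A real bridge would now open its own SOCKS5 connection upstream;
                # that upstream sees this host as the client, never peer[0].


if __name__ == "__main__":
    serve()
```

Run it as root on the docker host in place of redsocks and make a request from a container: the logged source is the container address, because the nat DNAT rule does not touch the source. Anything the upstream SOCKS5 server logs is a separate TCP connection opened by the bridge process, so it records the bridge's address; forwarding the container address to the upstream would have to happen inside the SOCKS5 protocol or out of band.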