Old 08-18-2019, 09:51 PM   #1
bluenote73
LQ Newbie
 
Registered: Aug 2019
Posts: 4

Rep: Reputation: Disabled
Use iptables to DSCP tag traffic from a particular docker container


Without docker, this command would allow me to tag traffic from a particular application that I wanted to (via openwrt split tunnel plugin) route out my VPN: sudo iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner vpnuser -j DSCP --set-dscp 0x10

I can test this with something like: sudo -u vpnuser -- curl ipinfo.io

So - I have made my docker container run as the user in question.

But docker creates a big mess in iptables, and I'm afraid I don't know iptables well enough to understand what's going on, so I don't know where to put my tagging. The existing command I use still works for regular applications, but not for the docker container running under the user I specified, because I guess the docker packets are being redirected?

Here is what it looks like:
Quote:
# Generated by xtables-save v1.8.2 on Fri Aug 16 14:42:03 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6789 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 51413 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51413 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Aug 16 14:42:03 2019
# Generated by xtables-save v1.8.2 on Fri Aug 16 14:42:03 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 6789 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 51413 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 51413 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9091 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6789 -j DNAT --to-destination 172.17.0.3:6789
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 172.17.0.4:51413
-A DOCKER ! -i docker0 -p udp -m udp --dport 51413 -j DNAT --to-destination 172.17.0.4:51413
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 172.17.0.4:9091
COMMIT
# Completed on Fri Aug 16 14:42:03 2019
 
Old 08-21-2019, 12:02 AM   #2
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Rep: Reputation: 154
Hmmm.

As far as the kernel is concerned the packets from your docker containers aren't created locally, and there is no socket associated with them and thus no owner information. I think. Docker containers use virtual machine technology and have a virtual ethernet device dedicated to them. As far as the host kernel is concerned, there is no difference between traffic from a docker image and that from another physical machine.

The man page says the owner module can only be used in the OUTPUT and POSTROUTING chains, so you could try:

Code:
$ sudo iptables -t mangle -A POSTROUTING -p tcp -m owner --uid-owner vpnuser -j DSCP --set-dscp 0x10
But, I still think it won't work, because the kernel doesn't know the owner for those packets.

I think the easiest way of tagging your traffic is going to be via the source IP or MAC addresses. And, make sure that your docker container has a fixed one of whichever you choose.

EDIT: Correcting a mistake. Or, at the least, striking something that might cause an off topic discussion.

Last edited by phil.d.g; 08-21-2019 at 01:11 AM.
 
1 members found this post helpful.
Old 08-21-2019, 12:20 PM   #3
bluenote73
LQ Newbie
 
Registered: Aug 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by phil.d.g
Hmmm.

As far as the kernel is concerned the packets from your docker containers aren't created locally, and there is no socket associated with them and thus no owner information. I think. Docker containers use virtual machine technology and have a virtual ethernet device dedicated to them. As far as the host kernel is concerned, there is no difference between traffic from a docker image and that from another physical machine.

The man page says the owner module can only be used in the OUTPUT and POSTROUTING chains, so you could try:

Code:
$ sudo iptables -t mangle -A POSTROUTING -p tcp -m owner --uid-owner vpnuser -j DSCP --set-dscp 0x10
But, I still think it won't work, because the kernel doesn't know the owner for those packets.

I think the easiest way of tagging your traffic is going to be via the source IP or MAC addresses. And, make sure that your docker container has a fixed one of whichever you choose.

EDIT: Correcting a mistake. Or, at the least, striking something that might cause an off topic discussion.
Thank you so much for this, this makes a tonne of sense. I did try the command mentioned and you're right, it didn't work. However, you make a great suggestion. Since docker has a simpler built-in way of identifying the traffic, why not use that. I couldn't see the forest for the trees. I have made my container keep the dynamic MAC it had as static. But I'm still stymied on where to apply my matching rule. It seems like DSCP tagging can only be applied in certain places too.

Thanks for your help!
 
Old 08-21-2019, 12:38 PM   #4
bluenote73
LQ Newbie
 
Registered: Aug 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
A little more meditation and trial and error and this worked for me, please comment if you think there's a problem here:

Quote:
sudo iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j DSCP --set-dscp 0x10
Thank you for your help!

Last edited by bluenote73; 08-21-2019 at 02:15 PM.
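Putting phil.d.g's reasoning from post #2 (forwarded container packets have no local socket, so -m owner cannot see a UID, but their layer-2 source is intact) together with the rule bluenote73 settled on in post #4 into one small script. This is an added example, not code from the thread: it reads the container's MAC from Docker, builds the mangle PREROUTING rule, installs it only if it is not already present, and computes the TOS byte the tag should produce on the wire. It assumes the Docker CLI and its .NetworkSettings.MacAddress inspect field (populated for a container on the default docker0 bridge), legacy iptables/xtables as in the dump above, and uses a constructed sample MAC (02:42:ac:11:00:04) in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread. Tags traffic from one Docker container
# with a DSCP value by matching its source MAC in mangle PREROUTING: container
# packets reach the host through veth/docker0, so -m owner has no local socket to
# inspect, but the source MAC is still there when the packet enters the host.
# Assumptions: Docker CLI present, container on the default docker0 bridge
# (so .NetworkSettings.MacAddress is populated), legacy iptables/xtables.
set -eu

# DSCP is the upper 6 bits of the IPv4 TOS byte, so a DSCP value appears in
# "tcpdump -v" as tos 0x(dscp<<2): 0x10 -> 0x40. Pure arithmetic, no root needed.
dscp_to_tos() {
    printf '0x%02x\n' $(( $1 << 2 ))
}

# Accept only a well-formed colon-separated MAC before splicing it into a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Rule body (everything after -A/-I/-C/-D), so the identical text is used to
# check, insert and delete. "-i docker0" limits it to the bridge the container
# actually sits on instead of every interface PREROUTING sees.
# Constructed sample: tag_rule 02:42:ac:11:00:04 0x10
tag_rule() {
    printf 'PREROUTING -i docker0 -m mac --mac-source %s -j DSCP --set-dscp %s\n' "$1" "$2"
}

# MAC Docker assigned, or the static one given with --mac-address at run time.
container_mac() {
    docker inspect -f '{{.NetworkSettings.MacAddress}}' "$1"
}

# Install the rule only when no identical rule exists (iptables -C returns
# non-zero otherwise), so re-running this at boot does not stack duplicates.
ensure_rule() {
    rule=$(tag_rule "$1" "$2")
    # shellcheck disable=SC2086
    if ! sudo iptables -t mangle -C $rule 2>/dev/null; then
        # shellcheck disable=SC2086
        sudo iptables -t mangle -I $rule
    fi
}

# Packet counters on the rule: the quickest check that traffic is being matched.
show_counters() {
    sudo iptables -t mangle -L PREROUTING -v -n --line-numbers
}

# Usage: sh tag-container.sh apply <container-name> [dscp]   (default DSCP 0x10)
case "${1:-}" in
    apply)
        name=${2:?container name required}
        dscp=${3:-0x10}
        mac=$(container_mac "$name")
        valid_mac "$mac" || { echo "no usable MAC for $name (is it on docker0?)" >&2; exit 1; }
        ensure_rule "$mac" "$dscp"
        echo "tagging $name ($mac) with DSCP $dscp; expect tos $(dscp_to_tos "$dscp") in:"
        echo "  sudo tcpdump -ni docker0 -v ether src $mac"
        show_counters
        ;;
esac
```

Two points worth keeping in mind when using a rule like this. The source MAC identifies the container for routing convenience only; it is set by the container's own network stack, so the rule is not an authorization boundary and should not be used to gate anything security-sensitive. And because Docker assigns MACs dynamically by default, recreating the container can silently make the rule stale; starting it with --mac-address (or the static MAC the OP pinned) and re-running the idempotent ensure_rule at boot keeps the tag attached to the right container.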
 
Old 08-21-2019, 05:53 PM   #5
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Rep: Reputation: 154
Quote:
Originally Posted by bluenote73
It seems like DSCP tagging can only be applied in certain places too.
Sorry, I should've double checked that too.

In terms of what you've ended up with: it looks fine to me.
 
Old 08-21-2019, 06:43 PM   #6
bluenote73
LQ Newbie
 
Registered: Aug 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by phil.d.g
Sorry, I should've double checked that too.

In terms of what you've ended up with: it looks fine to me.
Thank you so much, this seems to work and I have it persistent now.
 