Problem importing iptables rules
Hi,
I'm trying to add this config into the Dockerfile:
# Generated by iptables-save v1.4.21 on Wed Jan 24 08:50:53 2018
*nat
:PREROUTING ACCEPT [5928521:551144986]
:INPUT ACCEPT [1968289:69058020]
:OUTPUT ACCEPT [62201:4717222]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o ppp+ -j MASQUERADE
COMMIT
# Completed on Wed Jan 24 08:50:53 2018
# Generated by iptables-save v1.4.21 on Wed Jan 24 08:50:53 2018
*filter
:INPUT DROP [1892:227059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13433:714109]
:fail2ban-ssh - [0:0]
:localservices - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j localservices
-A FORWARD -i ppp+ -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.68.0/24 -i ppp+ -o ppp+ -m state --state NEW -j ACCEPT
-A FORWARD -i ppp+ -o ppp+ -j REJECT --reject-with icmp-admin-prohibited
-A fail2ban-ssh -j RETURN
-A localservices -i lo -j ACCEPT
-A localservices -p tcp -m tcp --dport 22 -j ACCEPT
-A localservices -p tcp -m tcp --dport 3306 -j ACCEPT
-A localservices -p tcp -m tcp --dport 80 -j ACCEPT
-A localservices -p tcp -m tcp --dport 443 -j ACCEPT
-A localservices -p tcp -m multiport --dports 20,21 -j ACCEPT
-A localservices -p tcp -m tcp --dport 1723 -j ACCEPT
-A localservices -p icmp -j ACCEPT
COMMIT
# Completed on Wed Jan 24 08:50:53 2018
I saw that I need to add this on the host machine:
modprobe nf_conntrack_pptp nf_nat_pptp
This is the Dockerfile:
FROM debian:jessie
MAINTAINER kev<[email protected]>
RUN apt-get update \
&& apt-get install -y iptables pptpd git \
&& rm -rf /var/lib/apt/lists/*
# PPTPD Server config
COPY pptpd.conf /etc/
COPY chap-secrets /etc/ppp/
COPY pptpd-options /etc/ppp/
EXPOSE 1723
# Iptables config
COPY iptables /tmp/
RUN iptables-restore < /tmp/iptables
CMD pptpd --fg
And the error:
---> Running in 23c0c08a2eca
Removing intermediate container 23c0c08a2eca
---> 5f9cd9fd1cef
Step 8/10 : COPY iptables /tmp/
---> bb67b84ba366
Step 9/10 : RUN iptables-restore < /tmp/iptables
---> Running in 497fdd387b0b
iptables-restore v1.4.21: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: Service 'pptpd' failed to build: The command '/bin/sh -c iptables-restore < /tmp/iptables' returned a non-zero code: 2
➜ bee-docker (master) ✗ modprobe nf_conntrack_pptp nf_nat_pptp
zsh: command not found: modprobe
I'm on OS X and this command doesn't work. How can I solve that?
Thanks
You need to run iptables right before pptpd (in CMD).
RUN iptables-restore < /tmp/iptables does not work.
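The following entrypoint script is an added example, not code from the thread or from the dockerfiles project, of doing what the answer describes: restoring the rules at container start, right before pptpd, instead of in a RUN step (iptables rules are kernel state, so they never end up in an image layer, and the build container has no CAP_NET_ADMIN anyway). It assumes the rules file from the question is copied to /etc/iptables.rules, that the script is installed as /usr/local/bin/entrypoint.sh and used as the image's CMD, and that the container is started with --cap-add=NET_ADMIN. It also checks, warn-only, whether nf_conntrack_pptp and nf_nat_pptp are loaded, because containers share the host kernel: the modprobe line from the question has to run on the Linux machine (or VM) that hosts the Docker daemon, which is why it cannot run in a macOS shell.

```shell
#!/bin/sh
# entrypoint.sh: restore iptables rules at container start, then hand over to pptpd.
# Added example (not from the original thread). Assumes the iptables-save dump lives
# at /etc/iptables.rules and the container runs with --cap-add=NET_ADMIN.
set -eu

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# cap_in_mask BIT HEXMASK: true if capability BIT is set in a CapEff-style hex mask
# (the 16-hex-digit value shown in /proc/<pid>/status).
cap_in_mask() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# has_cap BIT: true if this process has capability BIT in its effective set.
has_cap() {
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    cap_in_mask "$1" "$mask"
}

# rules_tables FILE: print the tables (*nat, *filter, ...) an iptables-save dump declares.
rules_tables() {
    sed -n 's/^\*\([a-z]*\)$/\1/p' "$1"
}

# module_loaded NAME [MODULES_FILE]: true if the kernel module is loaded.
# Containers share the host kernel, so /proc/modules reflects what was modprobed on the host.
module_loaded() {
    f="${2:-/proc/modules}"
    [ -r "$f" ] && grep -q "^$1 " "$f"
}

main() {
    [ -r "$RULES_FILE" ] || { echo "rules file $RULES_FILE missing" >&2; exit 1; }

    # Without CAP_NET_ADMIN iptables-restore cannot initialize any table; fail early and loudly.
    if ! has_cap "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN missing: start the container with --cap-add=NET_ADMIN" >&2
        exit 1
    fi

    # The PPTP conntrack/NAT helpers must be loaded on the host
    # (modprobe nf_conntrack_pptp nf_nat_pptp); a container cannot load them itself.
    for m in nf_conntrack_pptp nf_nat_pptp; do
        module_loaded "$m" || echo "warning: kernel module $m is not loaded on the host" >&2
    done

    echo "restoring tables: $(rules_tables "$RULES_FILE" | tr '\n' ' ')"
    iptables-restore < "$RULES_FILE"

    # exec so pptpd becomes PID 1 and receives the container's signals directly.
    exec pptpd --fg
}

# Run main only when invoked as the container entrypoint (file named entrypoint.sh),
# so the helper functions can also be sourced and tested on their own.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

In the Dockerfile this replaces the RUN iptables-restore step with COPY iptables /etc/iptables.rules, COPY entrypoint.sh /usr/local/bin/ and CMD ["/usr/local/bin/entrypoint.sh"]; the capability check relies on the fact that Docker's default capability set includes NET_RAW but not NET_ADMIN, so a forgotten --cap-add shows up as a clear message instead of the "unable to initialize table" error from the question.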