initial commit of iptables functionality

2025-09-08 14:15:25 +08:00 · 2022-01-25 11:58:51 -05:00 · 2022-01-25 11:58:51 -05:00 · cc8037c921
commit cc8037c921
parent b0db450a79
6 changed files with 106 additions and 0 deletions
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+#first stage - builder
+FROM golang:1.17
+ARG version
+WORKDIR /app
+COPY . .
+ENV GO111MODULE=auto
+
+# RUN GOOS=linux CGO_ENABLED=1 go build -tags debug -ldflags="-s -X 'main.version=$version'" -o netmaker main.go
+RUN GOOS=linux CGO_ENABLED=1 go build -ldflags="-s -X 'main.version=$version'" -o netmaker main.go
--- a/config/config.go
+++ b/config/config.go
@ -71,6 +71,8 @@ type ServerConfig struct {
 	AzureTenant           string `yaml:"azuretenant"`
 	RCE                   string `yaml:"rce"`
 	Telemetry             string `yaml:"telemetry"`
+	ManageIPTables        string `yaml:"manageiptables"`
+	PortForwardServices   string `yaml:"portforwardservices"`
 }

 // SQLConfig - Generic SQL Config
--- a/main.go
+++ b/main.go
@ -68,6 +68,13 @@ func initialize() { // Client Mode Prereq Check
 			logger.FatalLog("Did not find netclient to use CLIENT_MODE")
 		}
 	}
+	// initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
+	if servercfg.ManageIPTables() != "off" {
+		if err = serverctl.InitIPTables(); err != nil {
+			logger.FatalLog("Unable to initialize iptables on host:", err.Error())
+
+		}
+	}

 	if servercfg.IsDNSMode() {
 		err := functions.SetDNSDir()
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@ -86,6 +86,7 @@ func GetServerConfig() config.ServerConfig {
 		cfg.RCE = "off"
 	}
 	cfg.Telemetry = Telemetry()
+	cfg.ManageIPTables = ManageIPTables()

 	return cfg
 }
@ -332,6 +333,18 @@ func Telemetry() string {
 	return telemetry
 }

+// ManageIPTables - checks if iptables should be manipulated on host
+func ManageIPTables() string {
+	manage := "on"
+	if os.Getenv("MANAGE_IPTABLES") == "off" {
+		manage = "off"
+	}
+	if config.Config.Server.ManageIPTables == "off" {
+		manage = "off"
+	}
+	return manage
+}
+
 // IsDNSMode - should it run with DNS
 func IsDNSMode() bool {
 	isdns := true
@ -446,6 +459,19 @@ func GetPlatform() string {
 	return platform
 }

+// GetIPForwardServiceList - get the list of services that the server should be forwarding
+func GetPortForwardServiceList() []string {
+	//services := "mq,dns,ssh"
+	services := ""
+	if os.Getenv("PORT_FORWARD_SERVICES") != "" {
+		services = os.Getenv("PORT_FORWARD_SERVICES")
+	} else if config.Config.Server.PortForwardServices != "" {
+		services = config.Config.Server.PortForwardServices
+	}
+	serviceSlice := strings.Split(services, ",")
+	return serviceSlice
+}
+
 // GetSQLConn - get the sql connection string
 func GetSQLConn() string {
 	sqlconn := "http://"
--- a/serverctl/iptables.go
+++ b/serverctl/iptables.go
@ -0,0 +1,60 @@
+package serverctl
+
+import (
+	"net"
+	"os/exec"
+	"strings"
+
+	"github.com/gravitl/netmaker/netclient/ncutils"
+	"github.com/gravitl/netmaker/servercfg"
+)
+
+// InitServerNetclient - intializes the server netclient
+func InitIPTables() error {
+	_, err := exec.LookPath("iptables")
+	if err != nil {
+		return err
+	}
+	setForwardPolicy()
+	portForwardServices()
+	return nil
+}
+
+func portForwardServices() {
+	services := servercfg.GetPortForwardServiceList()
+
+	for _, service := range services {
+		switch service {
+		case "mq":
+			iptablesPortForward("mq", "1883", false)
+		case "dns":
+			iptablesPortForward("mq", "1883", false)
+		case "ssh":
+			iptablesPortForward("127.0.0.1", "22", true)
+		default:
+			params := strings.Split(service, ":")
+			iptablesPortForward(params[0], params[1], true)
+		}
+	}
+}
+
+func setForwardPolicy() {
+	ncutils.RunCmd("iptables --policy FORWARD ACCEPT", true)
+}
+
+func iptablesPortForward(entry string, port string, isIP bool) {
+	var address string
+	if !isIP {
+		ips, _ := net.LookupIP(entry)
+		for _, ip := range ips {
+			if ipv4 := ip.To4(); ipv4 != nil {
+				address = ip.String()
+				break
+			}
+		}
+	} else {
+		address = entry
+	}
+	ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+port+" -j DNAT --to-destination "+address+":"+port, true)
+	ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", true)
+}
--- a/serverctl/serverctl.go
+++ b/serverctl/serverctl.go
@ -12,6 +12,8 @@ import (
 	"github.com/gravitl/netmaker/netclient/ncutils"
 )

+const NETMAKER_BINARY_NAME = "netmaker"
+
 // InitServerNetclient - intializes the server netclient
 func InitServerNetclient() error {
 	netclientDir := ncutils.GetNetclientPath()