From cc8037c921823f562a4078d0a7bf303f117e145f Mon Sep 17 00:00:00 2001
From: afeiszli
Date: Tue, 25 Jan 2022 11:58:51 -0500
Subject: [PATCH] initial commit of iptables functionality
---
 Dockerfile-builder | 9 +++++++
 config/config.go | 2 ++
 main.go | 7 +++++
 servercfg/serverconf.go | 26 ++++++++++++++++++
 serverctl/iptables.go | 60 +++++++++++++++++++++++++++++++++++++++++
 serverctl/serverctl.go | 2 ++
 6 files changed, 106 insertions(+)
 create mode 100644 Dockerfile-builder
 create mode 100644 serverctl/iptables.go
diff --git a/Dockerfile-builder b/Dockerfile-builder
new file mode 100644
index 00000000..6abc06f3
--- /dev/null
+++ b/Dockerfile-builder
@@ -0,0 +1,9 @@
+#first stage - builder
+FROM golang:1.17
+ARG version
+WORKDIR /app
+COPY . .
+ENV GO111MODULE=auto
+
+# RUN GOOS=linux CGO_ENABLED=1 go build -tags debug -ldflags="-s -X 'main.version=$version'" -o netmaker main.go
+RUN GOOS=linux CGO_ENABLED=1 go build -ldflags="-s -X 'main.version=$version'" -o netmaker main.go
\ No newline at end of file
diff --git a/config/config.go b/config/config.go
index 9160cc9f..803843af 100644
--- a/config/config.go
+++ b/config/config.go
@@ -71,6 +71,8 @@ type ServerConfig struct {
 AzureTenant string `yaml:"azuretenant"`
 RCE string `yaml:"rce"`
 Telemetry string `yaml:"telemetry"`
+ ManageIPTables string `yaml:"manageiptables"`
+ PortForwardServices string `yaml:"portforwardservices"`
 }
 
 // SQLConfig - Generic SQL Config
diff --git a/main.go b/main.go
index eba2c60f..0739a2d4 100644
--- a/main.go
+++ b/main.go
@@ -68,6 +68,13 @@ func initialize() { // Client Mode Prereq Check
 logger.FatalLog("Did not find netclient to use CLIENT_MODE")
 }
 }
+ // initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
+ if servercfg.ManageIPTables() != "off" {
+ if err = serverctl.InitIPTables(); err != nil {
+ logger.FatalLog("Unable to initialize iptables on host:", err.Error())
+
+ }
+ }
 
 if servercfg.IsDNSMode() {
 err := functions.SetDNSDir()
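Review bot: Because ManageIPTables() defaults to "on" and InitIPTables returns the exec.LookPath error, the added `if` block in initialize() now aborts startup on any host whose PATH lacks an iptables binary unless MANAGE_IPTABLES=off is set, which changes behaviour for existing non-gateway deployments; consider logging and continuing when the binary is merely absent, and reserving FatalLog for a rule that actually failed to apply. `err = serverctl.InitIPTables()` assigns to an `err` declared above the hunk (presumably a `var err error` at the top of initialize(), not visible here), whereas the neighbouring `err := functions.SetDNSDir()` shadows it; `if err := serverctl.InitIPTables(); err != nil {` keeps the error scoped to this block. The blank line between the FatalLog call and its closing brace should go. initialize() starts and ends outside this hunk.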
diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go
index 08c90a1c..ce18d334 100644
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -86,6 +86,7 @@ func GetServerConfig() config.ServerConfig {
 cfg.RCE = "off"
 }
 cfg.Telemetry = Telemetry()
+ cfg.ManageIPTables = ManageIPTables()
 return cfg
 }
 
@@ -332,6 +333,18 @@ func Telemetry() string {
 return telemetry
 }
 
+// ManageIPTables - checks if iptables should be manipulated on host
+func ManageIPTables() string {
+ manage := "on"
+ if os.Getenv("MANAGE_IPTABLES") == "off" {
+ manage = "off"
+ }
+ if config.Config.Server.ManageIPTables == "off" {
+ manage = "off"
+ }
+ return manage
+}
+
 // IsDNSMode - should it run with DNS
 func IsDNSMode() bool {
 isdns := true
@@ -446,6 +459,19 @@ func GetPlatform() string {
 return platform
 }
 
+// GetIPForwardServiceList - get the list of services that the server should be forwarding
+func GetPortForwardServiceList() []string {
+ //services := "mq,dns,ssh"
+ services := ""
+ if os.Getenv("PORT_FORWARD_SERVICES") != "" {
+ services = os.Getenv("PORT_FORWARD_SERVICES")
+ } else if config.Config.Server.PortForwardServices != "" {
+ services = config.Config.Server.PortForwardServices
+ }
+ serviceSlice := strings.Split(services, ",")
+ return serviceSlice
+}
+
 // GetSQLConn - get the sql connection string
 func GetSQLConn() string {
 sqlconn := "http://"
diff --git a/serverctl/iptables.go b/serverctl/iptables.go
new file mode 100644
index 00000000..0e5d15f1
--- /dev/null
+++ b/serverctl/iptables.go
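Review bot: GetServerConfig copies ManageIPTables into cfg but not PortForwardServices, even though this commit adds both fields to config.ServerConfig, so the new forwarding setting is missing from whatever consumes the assembled config (the admin config endpoint, if that is what GetServerConfig feeds — not visible here). Consider `cfg.PortForwardServices = strings.Join(GetPortForwardServiceList(), ",")` next to the added line so the two settings are reported the same way. GetServerConfig starts and ends outside this hunk.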
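Review bot: When neither PORT_FORWARD_SERVICES nor the config value is set, `strings.Split("", ",")` returns `[""]`, so GetPortForwardServiceList reports one empty service rather than none, and serverctl.portForwardServices in this commit then indexes params[1] on that empty string. Return early before the split, `if services == "" { return nil }` (a nil slice ranges as empty), and consider trimming spaces and dropping blank entries so `"mq, dns"` does not yield an unrecognised `" dns"`. The doc comment names the function GetIPForwardServiceList; it should read `// GetPortForwardServiceList - get the list of services that the server should be forwarding`.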
@@ -0,0 +1,60 @@
+package serverctl
+
+import (
+ "net"
+ "os/exec"
+ "strings"
+
+ "github.com/gravitl/netmaker/netclient/ncutils"
+ "github.com/gravitl/netmaker/servercfg"
+)
+
+// InitServerNetclient - intializes the server netclient
+func InitIPTables() error {
+ _, err := exec.LookPath("iptables")
+ if err != nil {
+ return err
+ }
+ setForwardPolicy()
+ portForwardServices()
+ return nil
+}
+
+func portForwardServices() {
+ services := servercfg.GetPortForwardServiceList()
+
+ for _, service := range services {
+ switch service {
+ case "mq":
+ iptablesPortForward("mq", "1883", false)
+ case "dns":
+ iptablesPortForward("mq", "1883", false)
+ case "ssh":
+ iptablesPortForward("127.0.0.1", "22", true)
+ default:
+ params := strings.Split(service, ":")
+ iptablesPortForward(params[0], params[1], true)
+ }
+ }
+}
+
+func setForwardPolicy() {
+ ncutils.RunCmd("iptables --policy FORWARD ACCEPT", true)
+}
+
+func iptablesPortForward(entry string, port string, isIP bool) {
+ var address string
+ if !isIP {
+ ips, _ := net.LookupIP(entry)
+ for _, ip := range ips {
+ if ipv4 := ip.To4(); ipv4 != nil {
+ address = ip.String()
+ break
+ }
+ }
+ } else {
+ address = entry
+ }
+ ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+port+" -j DNAT --to-destination "+address+":"+port, true)
+ ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", true)
+}
diff --git a/serverctl/serverctl.go b/serverctl/serverctl.go
index a78c96f3..5c3c8480 100644
--- a/serverctl/serverctl.go
+++ b/serverctl/serverctl.go
@@ -12,6 +12,8 @@ import (
 "github.com/gravitl/netmaker/netclient/ncutils"
 )
 
+const NETMAKER_BINARY_NAME = "netmaker"
+
 // InitServerNetclient - intializes the server netclient
 func InitServerNetclient() error {
 netclientDir := ncutils.GetNetclientPath()
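Review bot: The default case in portForwardServices indexes `params[1]` without checking that the split produced two parts, and since GetPortForwardServiceList returns `[""]` when nothing is configured, a server started with the default MANAGE_IPTABLES=on and no services panics here with an index out of range; the `case "dns"` branch also forwards "mq"/1883 exactly like the mq case, which looks like a copy-paste slip. In iptablesPortForward the net.LookupIP error is discarded and a failed or IPv6-only lookup leaves address empty, producing `--to-destination :1883`, while host and port are spliced unvalidated into a shell command string handed to RunCmd, whose own result is ignored. The rules are also not idempotent: each service appends its own `POSTROUTING -j MASQUERADE` and every restart appends again, so an `iptables -C` probe before each `-A` is worth adding, and `iptables --policy FORWARD ACCEPT` opens forwarding host-wide rather than for the netmaker interfaces only. The doc comment on InitIPTables still says InitServerNetclient. The sketch below validates inputs and propagates errors (it needs `fmt` and `strconv` added to the import block, and InitIPTables would return portForwardServices()'s error).

```go
// … unchanged: package, imports, InitIPTables (now `return portForwardServices()`), setForwardPolicy …

func portForwardServices() error {
	for _, service := range servercfg.GetPortForwardServiceList() {
		switch service {
		case "":
			continue // an empty PORT_FORWARD_SERVICES splits to [""]
		case "mq":
			if err := iptablesPortForward("mq", "1883", false); err != nil {
				return err
			}
		// … unchanged: "dns" (should name the dns host/port, not mq's) and "ssh" cases, with the same error check …
		default:
			params := strings.Split(service, ":")
			if len(params) != 2 {
				return fmt.Errorf("invalid port forward entry %q", service)
			}
			if err := iptablesPortForward(params[0], params[1], true); err != nil {
				return err
			}
		}
	}
	return nil
}

func iptablesPortForward(entry string, port string, isIP bool) error {
	if _, err := strconv.Atoi(port); err != nil {
		return fmt.Errorf("invalid port %q: %w", port, err)
	}
	address := entry
	if !isIP {
		ips, err := net.LookupIP(entry)
		if err != nil {
			return fmt.Errorf("resolving %q: %w", entry, err)
		}
		address = ""
		for _, ip := range ips {
			if ip.To4() != nil {
				address = ip.String()
				break
			}
		}
	}
	// reject anything that is not a literal IP before it is interpolated into the command line
	if net.ParseIP(address) == nil {
		return fmt.Errorf("no IPv4 address for %q", entry)
	}
	// … unchanged: the two ncutils.RunCmd calls (probe with `-C` before `-A` so restarts do not stack duplicates) …
	return nil
}
```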
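Review bot: `NETMAKER_BINARY_NAME` is ALL_CAPS with underscores, whereas Go constants use MixedCaps like every other identifier; as an exported name it also needs a doc comment starting with the name, e.g. `// NetmakerBinaryName - name of the server binary` above `const NetmakerBinaryName = "netmaker"`. Nothing in this commit references the constant, so it may be cleaner to introduce it together with its first use.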