Closed amanzone closed 1 month ago
@t-aleksander we need to add iptables and ebtables in the docker file.
Unfortunately I don't think it's just an issue of missing the iptables package.
I have changed my docker compose as follows:

```yaml
gateway:
  #image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
  build:
    dockerfile: ../../dockerfile/defguard/Dockerfile
  command: ["-i", "wg1"]
  restart: unless-stopped
  network_mode: "host"
  # user: 1001:1001
  environment:
    DEFGUARD_GRPC_URL: https://defguard.home.com:50055
    DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem
    DEFGUARD_STATS_PERIOD: 30
    #DEFGUARD_TOKEN: ${DEFGUARD_TOKEN}
    DEFGUARD_TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJEZWZHdWFyZCIsInN1YiI6IkRFRkdVQVJELU5FVFdPUkstMSIsImNsaWVudF9pZCI6IjEiLCJleHAiOjYwMjM4NTg2NjYsIm5iZiI6MTcyODg5MTM3MX0.GG11-s7MgIJ1hVk7jATFCyjaYUGF_s3Wpa9j9s2E-m0
    #PRE_UP: sudo /usr/bin/apt-get update; sudo /usr/bin/apt-get install -y iptables;
    POST_UP: iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -A FORWARD -o wg1 -j ACCEPT;
    POST_DOWN: iptables -t nat -D POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -D FORWARD -i wg1 -j ACCEPT; iptables -D FORWARD -o wg1 -j ACCEPT;
  ports:
    # wireguard port
    - "33003:33003"
  volumes:
    # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
    - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
  cap_add:
    - NET_ADMIN
```
And a Dockerfile to install the iptables package:

```dockerfile
FROM ghcr.io/defguard/gateway:latest
RUN apt-get update && apt-get install -y iptables
```

That works well; the container now has the package installed, but it still errors out at startup trying to run the post_up commands.
Here is the logfile:
```text
[2024-10-14T17:11:16Z INFO defguard_gateway::gateway] Reconfigured WireGuard interface Manz-Casa (address: 10.11.0.1/24)
[2024-10-14T17:11:16Z INFO defguard_gateway::gateway] Stats thread spawned.
[2024-10-14T17:11:16Z INFO defguard_gateway::gateway] Connected to defguard gRPC endpoint: https://defguard.home.com:50055
[2024-10-14T17:11:16Z ERROR defguard_gateway] Error executing command. Stderr:
Bad argument `iptables'
Try `iptables -h' or 'iptables --help' for more information.
```

The command it tries to run would be:

```text
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -A FORWARD -o wg1 -j ACCEPT;
```

which of course runs without issues if I run it from the container shell...
@amanzone we've added iptables to the docker image; it will be available in the next pre-release (and dev builds, but those may be more unstable) of the gateway. As for your post_up/post_down commands, put them in a shell script and execute it that way.
I'm closing this for now, but feel free to reopen if something else comes up.
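The "Bad argument `iptables'" error in the log above is consistent with the gateway splitting the POST_UP string on whitespace and executing `iptables` directly with the remaining words as its arguments: nothing interprets the `;`, so the literal `;` and the second `iptables` arrive as arguments to the first call. That is why the same line works from the container shell (where `;` is a command separator) but not from POST_UP, and it is why the maintainer suggests a script. The script below is an added example, not code from the defguard project or from either commenter: it wraps the four rules from the issue's POST_UP/POST_DOWN in a POSIX `sh` script that takes `up` or `down` as its single argument. It goes one step beyond the original rules by checking with `iptables -C` before appending, so a repeated `up` (for example after a gateway restart or reconfigure) does not stack duplicate rules. The interface, subnet, port and outbound interface names are taken from the issue; the script path `/scripts/wg1-fw.sh` and the `IPTABLES` override (useful for a dry run) are assumptions of this example.

```shell
#!/bin/sh
# wg1-fw.sh (example; path /scripts/wg1-fw.sh is an assumption) -- apply or
# remove the issue's iptables rules. Intended to be referenced from the
# gateway's POST_UP / POST_DOWN as "/scripts/wg1-fw.sh up" and ".../wg1-fw.sh down",
# which the gateway can exec as a single argv list.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run the commands
WG_IF="${WG_IF:-wg1}"              # values below are the ones from the issue
WG_NET="${WG_NET:-10.11.0.0/24}"
WG_PORT="${WG_PORT:-33003}"
OUT_IF="${OUT_IF:-ens3}"

# fw_rules: print one rule per line as "<table> <chain> <match and target>".
fw_rules() {
    cat <<EOF
nat POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE
filter INPUT -p udp -m udp --dport $WG_PORT -j ACCEPT
filter FORWARD -i $WG_IF -j ACCEPT
filter FORWARD -o $WG_IF -j ACCEPT
EOF
}

# fw_apply up|down: -A each rule on "up" (skipping rules already present, so
# running "up" twice is harmless), -D each rule on "down".
fw_apply() {
    case "${1:-}" in
        up)   op=-A ;;
        down) op=-D ;;
        *)    echo "usage: $0 up|down" >&2; return 2 ;;
    esac
    fw_rules | while read -r table chain spec; do
        # $spec is intentionally unquoted: it must be word-split into arguments.
        if [ "$op" = -A ] && "$IPTABLES" -t "$table" -C "$chain" $spec 2>/dev/null; then
            continue   # rule already present, do not append a duplicate
        fi
        "$IPTABLES" -t "$table" "$op" "$chain" $spec
    done
}

# Only act when invoked with an argument; sourcing the file defines the functions.
case "${1:-}" in
    up|down) fw_apply "$1" ;;
esac
```

Mount the script into the container (any bind-mounted volume works, the existing `/ssl` volume in the compose file is one option) and keep `cap_add: NET_ADMIN`, which the script still needs in order to change netfilter rules. A dry run with `IPTABLES=echo ./wg1-fw.sh up` prints the exact iptables invocations without touching the host.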
I start the gateway with docker compose:
This generates an error in the gateway log due to the fact that iptables is not installed in the container. Of course I can remove the POST_UP environment variable, so the container starts fine, but I do not have rules set...