juli3nk / csf-post-docker

CSF with support for Docker
56 stars 34 forks

Multiple Bridge Networks: iptables v1.8.4 (legacy): invalid port/service `-j' specified #21

Open ggriffinorg opened 3 years ago

ggriffinorg commented 3 years ago

Hi,

I first wish to thank you for the scripts.

I use them on a Ubuntu Server (20.04 LTS) with CSF 14.10.

IPv4 address for br-08c9e09e9ba7: 172.18.0.1
IPv4 address for br-f0315ad481c0: 172.19.0.1
IPv4 address for docker0: 172.17.0.1

I noticed that as soon as you have multiple bridge networks such as those listed above, the following errors appear when `csf -r` is executed:

Running /usr/local/csf/bin/csfpost.sh
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

Now I managed to fix one error in line 106 by just adding "" around ${src_ip}, as you see below:

if [ "${src_ip}" != "0.0.0.0" ]; then

But then I still get the error:

iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

What is odd is that everything works and masquerade mode is active, and this only happens when multiple bridge networks are active. There are no errors when only the default Docker Bridge Network is active.

Any chance you can check the matter out?

TY In advance for your help.

Should you need testing or logs please let me know.

BR g ;)

panomitrius commented 3 years ago

Get the same error.

Chrisiesmit93 commented 2 years ago

@juli3nk do you maybe know a solution for the following message?

iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

maxinjohn commented 2 years ago

Add the following condition for the iptables rule at line 110; it will be OK after that.

# The empty-string test only works when ${src_ip} is quoted; an unquoted empty
# value makes [ see no operand at all.
if [ ! -z "${src_ip}" ]; then
    iptables -t nat -A DOCKER ${iptables_opt_src}! -i ${DOCKER_NET_INT} -p ${dst_proto} -m ${dst_proto} --dport ${src_port} -j DNAT --to-destination ${ipaddr}:${dst_port}
fi

mhellmeier commented 1 year ago

To solve the following part:

Running /usr/local/csf/bin/csfpost.sh
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected

Just replace the single [ and ] in line 106 with double [[ and ]].

@maxinjohn: Perhaps you can re-check your answer? I think it isn't well formatted.

yavuzaydin commented 1 year ago

This issue comes from IPv6 / IPv4.

For my use case I discard the IPv6 part and this error is gone then.

Find line 95:

src_ip=`echo ${src} | awk -F':' '{ print $1 }'`

Change to:

src_ip=`echo ${src} | sed 's|^\(.*\):.*$|\1|'`

Find line 96:

src_port=`echo ${src} | awk -F':' '{ print $2 }'`

Change to:

src_port=`echo ${src} | sed 's|^.*:\(.*\)$|\1|'`

Find line 109:

iptables -t nat -A DOCKER ${iptables_opt_src}! -i ${DOCKER_NET_INT} -p ${dst_proto} -m ${dst_proto} --dport ${src_port} -j DNAT --to-destination ${ipaddr}:${dst_port}

Change to:

# If this is an IPv4 address
if [[ ${src_ip} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    iptables -t nat -A DOCKER ${iptables_opt_src}! -i ${DOCKER_NET_INT} -p ${dst_proto} -m ${dst_proto} --dport ${src_port} -j DNAT --to-destination ${ipaddr}:${dst_port}
fi

Disclaimer: This should most probably be updated to handle IPv6 also.
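The two fixes proposed in this thread (quoting `${src_ip}` so the test at line 106 never sees an empty operand, and only emitting the DNAT rule once the source has parsed to a usable IPv4 address and port) can be checked outside the script. The following is an added example and not code from csf-post-docker: it reuses the variable names quoted above (`src`, `src_ip`, `src_port`, `dst_proto`, `dst_port`, `ipaddr`, `DOCKER_NET_INT`), assumes that `iptables_opt_src` expands to `-d <address> ` for a bound address and to nothing for `0.0.0.0`, and prints the rule instead of running iptables so it runs offline.

```shell
#!/bin/sh
# Added example, not the csf-post-docker script: parse a docker "src" value
# such as "0.0.0.0:8080", "127.0.0.1:5432", "[::]:8080" or ":::8080" and only
# build the DNAT rule when the source is an IPv4 address with a port.
# Variable names follow the thread; the iptables_opt_src form is assumed.

# split_src "host:port": sets src_ip and src_port. The port is the text after
# the LAST colon, so an IPv6 source keeps its whole address in src_ip instead
# of leaving src_port empty (which is what awk -F':' did for "[::]:8080").
split_src() {
    src="$1"
    case "$src" in
        *:*)
            src_port="${src##*:}"   # after the last ':'
            src_ip="${src%:*}"      # before the last ':'
            ;;
        *)
            src_ip=""
            src_port="$src"         # no colon at all: port only, no address
            ;;
    esac
}

# is_ipv4 "host": returns 0 for a dotted quad of digits, 1 otherwise.
# (Octet range is not checked; the point is to reject IPv6 and empty values.)
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, non-digit/dot, bad dots
        *.*.*.*.*) return 1 ;;                # more than three dots
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# dnat_rule "src" "proto" "container_ip" "container_port": prints the iptables
# command the post.d/docker.sh line corresponds to, or returns 1 with no output
# when the source is not a usable IPv4 address and port. An empty src_port is
# what produced "invalid port/service `-j' specified": with "--dport  -j DNAT"
# iptables read -j as the port argument.
dnat_rule() {
    src="$1"; dst_proto="$2"; ipaddr="$3"; dst_port="$4"
    DOCKER_NET_INT="${DOCKER_NET_INT:-docker0}"   # assumed default interface
    split_src "$src"
    # Every expansion is quoted: an unquoted empty ${src_ip} is what turned
    # "[ ${src_ip} != 0.0.0.0 ]" into "[: !=: unary operator expected".
    [ -n "$src_ip" ] && [ -n "$src_port" ] || return 1
    is_ipv4 "$src_ip" || return 1
    iptables_opt_src=""
    if [ "$src_ip" != "0.0.0.0" ]; then
        iptables_opt_src="-d $src_ip "   # assumed form of the script's option
    fi
    printf 'iptables -t nat -A DOCKER %s! -i %s -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iptables_opt_src" "$DOCKER_NET_INT" "$dst_proto" "$dst_proto" \
        "$src_port" "$ipaddr" "$dst_port"
}

# Demo run over constructed mappings: IPv4 sources yield a rule, IPv6 ones are
# skipped instead of producing a broken iptables invocation.
for mapping in "0.0.0.0:8080" "127.0.0.1:5432" "[::]:8080" ":::8080"; do
    dnat_rule "$mapping" tcp 172.17.0.2 80 || echo "skipped $mapping: not an IPv4 source"
done
```

Running it prints a rule for the two IPv4 mappings and a skip line for each IPv6 mapping; a complete fix would emit an `ip6tables` rule for the IPv6 sources instead of skipping them, which is the gap the disclaimer above leaves open.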

klodoma commented 1 year ago

This seems to work. Thanks!