oakestra / oakestra-net

Networking component of Oakestra
Apache License 2.0

OUTPUT firewall rule not set #116

Closed giobart closed 1 year ago

giobart commented 1 year ago

Short

The OUTPUT chain in iptables does not jump to the OAKESTRA DNAT rules. This means that when we expose ports the service is not reachable internally on the same node but only outside

Proposal

Adding a jump to the Oakestra chain in the OUTPUT chain enables the DNAT rules for local calls as well. E.g., if right now I deploy a service that uses port tcp 80, the port tcp 80 is exposed externally towards other nodes, but it's not reachable internally using curl :80.

Solution

Can be easily fixed by adding the following code here

    err = iptable.AppendUnique("nat", "OUTPUT", "-j", chain)
    if err != nil {
        log.Fatal(err.Error())
    }

Status

testing

Checklist
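As an added check (not code from the oakestra-net repository), the following Go snippet parses `iptables -t nat -S` style output and reports which of the PREROUTING and OUTPUT chains still lack a jump to the Oakestra DNAT chain; the chain name `OAKESTRA` and the sample ruleset are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `iptables -t nat -S` output reproducing the bug:
// PREROUTING jumps to the Oakestra chain, OUTPUT does not.
const sampleNatRules = `-P PREROUTING ACCEPT
-N OAKESTRA
-A PREROUTING -j OAKESTRA
-A OAKESTRA -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.30.0.5:80
`

// jumpsTo reports whether builtin has an "-A builtin ... -j target" rule,
// matching whole argument tokens rather than substrings.
func jumpsTo(rules, builtin, target string) bool {
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "-A" || f[1] != builtin {
			continue
		}
		for i := 2; i+1 < len(f); i++ {
			if f[i] == "-j" && f[i+1] == target {
				return true
			}
		}
	}
	return false
}

// MissingJumps lists the nat chains that still lack a jump to target.
// Traffic from other nodes is DNATed in PREROUTING; traffic generated on
// the node itself (curl :80 locally) only traverses OUTPUT, so both need it.
func MissingJumps(rules, target string) []string {
	var missing []string
	for _, c := range []string{"PREROUTING", "OUTPUT"} {
		if !jumpsTo(rules, c, target) {
			missing = append(missing, c)
		}
	}
	return missing
}

func main() {
	// Print the missing jumps as iptables commands (AppendUnique is the idempotent form).
	for _, c := range MissingJumps(sampleNatRules, "OAKESTRA") {
		fmt.Printf("iptables -t nat -A %s -j OAKESTRA\n", c)
	}
}
```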

giobart commented 1 year ago

What would be the solution for the IPv6 table? @smnzlnsk

smnzlnsk commented 1 year ago

I currently have a second iptable ip6table, which does exactly the same as the "ip4table", but for IPv6 firewall rules. My addition for IPv6 would be:

    err = ip6table.AppendUnique("nat", "OUTPUT", "-j", chain)
    if err != nil {
        log.Fatal(err.Error())
    }