swipely / iam-docker

Use different IAM roles for each Docker container on an EC2 instance
MIT License
211 stars, 22 forks

Favor REDIRECT over DNAT #11

Closed willglynn closed 8 years ago

willglynn commented 8 years ago

The README currently suggests intercepting traffic using -j DNAT --to-destination $IP:$PORT, but there's an alternative:

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

This commit changes the README to suggest -j REDIRECT --to-ports $PORT instead. This saves the step of needing to find the interface IP (eliminating the ip|grep|awk|cut|head chain) which makes configuration simpler. Additionally, REDIRECT is guaranteed to always send matching traffic to the local machine, even if the interface configuration changes.
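
The two rule forms the PR contrasts, side by side, as an added example that is not code from the iam-docker project or from this PR; it assumes container traffic arrives on a docker0 bridge, that the intercepted destination is the EC2 metadata address 169.254.169.254:80, and that the proxy port is passed on the command line.

```shell
#!/usr/bin/env bash
# Added example (not from the iam-docker repo): the two rule forms the PR
# contrasts, plus an idempotent apply helper. Assumptions not stated on the
# page: container traffic arrives on the docker0 bridge, the intercepted
# traffic is the EC2 metadata endpoint 169.254.169.254:80, and the
# credential proxy listens on the port passed in.
set -eu

METADATA_IP="169.254.169.254"   # well-known EC2 instance metadata address

# The interface-address lookup the DNAT form needs; REDIRECT removes this step.
iface_ipv4() {                  # $1 = interface name, e.g. docker0
  ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# DNAT form: needs an explicit destination, so the bridge IP must be known
# up front, and the rule goes stale if that address ever changes.
dnat_rule() {                   # $1 = iface, $2 = iface IP, $3 = proxy port
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 80 -j DNAT --to-destination %s:%s' \
    "$1" "$METADATA_IP" "$2" "$3"
}

# REDIRECT form: rewrites the destination to the primary address of the
# incoming interface, so no IP lookup is needed and it always lands locally.
redirect_rule() {               # $1 = iface, $2 = proxy port
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 80 -j REDIRECT --to-ports %s' \
    "$1" "$METADATA_IP" "$2"
}

# Apply a rule only if it is not already present (-C checks, -A appends), so
# re-running the script never stacks duplicate rules. DRY_RUN=1 just echoes.
apply_rule() {                  # $1 = full iptables command string
  check=$(printf '%s' "$1" | sed 's/ -A / -C /')
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  $check 2>/dev/null || $1
}

# Example usage: DRY_RUN=1 ./redirect.sh 8080
if [ "$#" -ge 1 ]; then
  apply_rule "$(redirect_rule docker0 "$1")"
fi
```

With REDIRECT the rewritten destination is the bridge's primary address, so the proxy must listen on that address (or on all addresses), not only on 127.0.0.1. After applying, confirm the rule with `iptables -t nat -S PREROUTING`.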

nahiluhmot commented 8 years ago

@willglynn Interesting. I must admit that I'm at best a journeyman with iptables. Going to test this out to make sure it works, then merge it.

nahiluhmot commented 8 years ago

@willglynn Looks like you'll have to rebase onto master.

willglynn commented 8 years ago

Rebased.

nahiluhmot commented 8 years ago

This looks good, merging.