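#!/bin/sh
# Programs the netfilter and policy-routing rules that handle traffic
# arriving from the VPN peers: peer -> pod traffic is masqueraded, peer ->
# service traffic is handed to a transparent proxy (TPROXY).
#
# Required environment variables:
#   VPN_PEER_CIDRS   - space-separated list of peer source CIDRs
#   VPN_POD_CIDR     - CIDR of the pod IPs (MASQUERADE target range)
#   VPN_SERVICE_CIDR - CIDR of the service IPs (TPROXY target range)
#
# Every step is written to be re-runnable: chains are created or flushed,
# jump rules are appended only when absent, and the policy-routing rule is
# removed before it is re-added instead of being duplicated.
set -eu
# ${VPN_PEER_CIDRS} is deliberately expanded unquoted below so that it is
# word-split into individual CIDRs; disable pathname expansion so a stray
# '*' or '?' in the value can never be turned into file names.
set -f

# Fail early with a clear message instead of programming half of the rule
# set: 'set -u' alone only catches *unset* values, and only at first use.
: "${VPN_PEER_CIDRS:?VPN_PEER_CIDRS must be set}"
: "${VPN_POD_CIDR:?VPN_POD_CIDR must be set}"
: "${VPN_SERVICE_CIDR:?VPN_SERVICE_CIDR must be set}"

### Pod IPs ###

# Pod IPs are just NATed.

# Create the chain, or flush it if it is left over from a previous run.
iptables -t nat -N VPN_POST || iptables -t nat -F VPN_POST

for cidr in ${VPN_PEER_CIDRS}; do
  iptables -t nat -A VPN_POST -s "${cidr}" -d "${VPN_POD_CIDR}" -j MASQUERADE
done

# '-C' checks whether the jump already exists; append it only if it does not.
iptables -t nat -C POSTROUTING -j VPN_POST || iptables -t nat -A POSTROUTING -j VPN_POST

### Service IPs ###

# Service IPs need to be connected to locally to trigger the cgroup connect hook, thus we send them to the transparent proxy.

# Packets with mark 1 are for tproxy and need to be delivered locally.
# For more information see: https://www.kernel.org/doc/Documentation/networking/tproxy.txt
pref=42
table=42
mark=0x1/0x1

# 'ip rule add' is not idempotent: on a second run it either fails with
# EEXIST (which would abort the script under 'set -e') or, on older kernels,
# silently installs a duplicate rule. Remove any rule with exactly these
# selectors first. stderr is discarded on purpose: "no such rule" is the
# expected outcome on the first run, and the loop ends on the first failure.
while ip rule del pref "${pref}" fwmark "${mark}" lookup "${table}" 2>/dev/null; do :; done
ip rule add pref "${pref}" fwmark "${mark}" lookup "${table}"
# 'replace' (rather than 'add') keeps this step idempotent.
ip route replace local 0.0.0.0/0 dev lo table "${table}"

# Create the chain, or flush it if it is left over from a previous run.
iptables -t mangle -N VPN_PRE || iptables -t mangle -F VPN_PRE

for cidr in ${VPN_PEER_CIDRS}; do
  for proto in tcp udp; do
    iptables -t mangle -A VPN_PRE -p "${proto}" -s "${cidr}" -d "${VPN_SERVICE_CIDR}" \
      -j TPROXY --tproxy-mark "${mark}" --on-port 61001
  done
done

# '-C' checks whether the jump already exists; append it only if it does not.
iptables -t mangle -C PREROUTING -j VPN_PRE || iptables -t mangle -A PREROUTING -j VPN_PRE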