
Cannot setup iptables #823

Open
amanzone opened this issue Oct 13, 2024 · 2 comments
amanzone commented Oct 13, 2024

I start the gateway with docker compose:

  gateway: 
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest} 
    command: ["-i", "wg1"]
    restart: unless-stopped
    network_mode: "host"
#    user: 1001:1001
    environment: 
      DEFGUARD_GRPC_URL: https://defguard.home.com:50055
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem 
      DEFGUARD_STATS_PERIOD: 30 
      DEFGUARD_TOKEN: ${DEFGUARD_TOKEN} 
      POST_UP: iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o enp0s3 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -A FORWARD -o wg1 -j ACCEPT;
      POST_DOWN: iptables -t nat -D POSTROUTING -s 10.11.0.0/24 -o enp0s3 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -D FORWARD -i wg1 -j ACCEPT; iptables -D FORWARD -o wg1 -j ACCEPT;
    ports:
      # wireguard port
      - "33003:33003"    
    volumes: 
  # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl 
    cap_add:
      - NET_ADMIN

This generates an error in the gateway log due to the fact that iptables is not installed in the container.
Of course I can remove the POST_UP environment variable, so the container starts fine, but I do not have rules set...

@amanzone amanzone added the bug Something isn't working label Oct 13, 2024

teon commented Oct 13, 2024

@t-aleksander we need to add iptables and ebtables in the Dockerfile.


amanzone commented Oct 14, 2024

Unfortunately I don't think it's just an issue of missing the iptables package.

I have changed my docker compose as follows:

  gateway: 
    #image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    build:
      dockerfile: ../../dockerfile/defguard/Dockerfile
    command: ["-i", "wg1"]
    restart: unless-stopped
    network_mode: "host"
#    user: 1001:1001
    environment: 
      DEFGUARD_GRPC_URL: https://defguard.home.com:50055
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem 
      DEFGUARD_STATS_PERIOD: 30 
      #DEFGUARD_TOKEN: ${DEFGUARD_TOKEN} 
      DEFGUARD_TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJEZWZHdWFyZCIsInN1YiI6IkRFRkdVQVJELU5FVFdPUkstMSIsImNsaWVudF9pZCI6IjEiLCJleHAiOjYwMjM4NTg2NjYsIm5iZiI6MTcyODg5MTM3MX0.GG11-s7MgIJ1hVk7jATFCyjaYUGF_s3Wpa9j9s2E-m0
      #PRE_UP: sudo /usr/bin/apt-get update; sudo /usr/bin/apt-get install -y iptables;
      POST_UP: iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -A FORWARD -o wg1 -j ACCEPT;
      POST_DOWN: iptables -t nat -D POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -D FORWARD -i wg1 -j ACCEPT; iptables -D FORWARD -o wg1 -j ACCEPT;
    ports:
      # wireguard port
      - "33003:33003"    
    volumes: 
  # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl 
    cap_add:
      - NET_ADMIN

And a Dockerfile to install the iptables package:

FROM ghcr.io/defguard/gateway:latest
RUN apt-get update && apt-get install -y iptables

That works: the container now has the package installed, but it still errors out at startup trying to run the POST_UP commands.

Here is the logfile:

[2024-10-14T17:11:16Z INFO  defguard_gateway::gateway] Reconfigured WireGuard interface Manz-Casa (address: 10.11.0.1/24)
[2024-10-14T17:11:16Z INFO  defguard_gateway::gateway] Stats thread spawned.
[2024-10-14T17:11:16Z INFO  defguard_gateway::gateway] Connected to defguard gRPC endpoint: https://defguard.home.com:50055
[2024-10-14T17:11:16Z ERROR defguard_gateway] Error executing command. Stderr:
    Bad argument `iptables'
    Try `iptables -h' or 'iptables --help' for more information.

The command it tries to run would be:
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -A FORWARD -o wg1 -j ACCEPT;

which of course runs without issues if I run it from the container shell...
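The stderr in the log ("Bad argument `iptables'") is what iptables prints when a second program name arrives as one of its own arguments, which is what happens when a ';'-chained string is handed to a single exec without a shell rather than to `sh -c`. The script below is an added illustration, not code from the issue or from the defguard gateway (whose exact splitting is not shown here); it tokenises the POST_UP value from the comment above the way a shell-less exec would, reports the tokens only a shell would understand, and shows the two workarounds a practitioner would choose between: splitting the chain into separate commands, or wrapping the whole string in `sh -c`. The `runner` argument is an injectable stand-in for `subprocess.run` so the logic can be exercised without root or iptables.

```python
"""Show why a ';'-chained POST_UP fails when exec'd without a shell."""
import shlex
import subprocess

# Constructed sample: the POST_UP value quoted in the issue above.
POST_UP = (
    "iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o ens3 -j MASQUERADE; "
    "iptables -A INPUT -p udp -m udp --dport 33003 -j ACCEPT; "
    "iptables -A FORWARD -i wg1 -j ACCEPT; "
    "iptables -A FORWARD -o wg1 -j ACCEPT;"
)


def argv_without_shell(cmdline):
    """One argv for the whole string, as a direct exec (no shell) would build it.
    shlex does not treat ';' as a separator, so every later command becomes
    arguments of the first iptables call."""
    return shlex.split(cmdline)


def leaked_tokens(argv):
    """Tokens that only a shell would interpret: words ending in ';' and the
    program name repeated after position 0 (the token iptables rejects)."""
    prog = argv[0]
    return [t for t in argv[1:] if t.endswith(";") or t == prog]


def split_commands(cmdline):
    """Workaround 1: split the ';'-chain into separate argv lists, each of
    which can be exec'd without a shell."""
    return [shlex.split(part) for part in cmdline.split(";") if part.strip()]


def as_shell_command(cmdline):
    """Workaround 2: hand the untouched string to a shell so ';' is honoured."""
    return ["sh", "-c", cmdline]


def run_each(cmdline, runner=None):
    """Run the chain one command at a time, stopping at the first failure.
    `runner(argv)` must return an exit code; default is subprocess.run."""
    if runner is None:
        runner = lambda argv: subprocess.run(argv).returncode
    for argv in split_commands(cmdline):
        if runner(argv) != 0:
            return False, argv
    return True, None
```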
