I have a container which has an incoming VPN. A connection into that container will be assigned the 192.168.10.10 IP. The virtual NIC of the container has an IP of 10.10.10.1 and a gateway (on the host bridge) of 10.10.10.254.

When directly logged into the container, a packet will leave with 10.10.10.1 as the source and will know how to come back (via the bridge).

When VPNed in, the packet leaves with 192.168.10.10 as the source and would not come back, as 192.168.10.x is not advertised on the network (there is no route to that network).

There are two solutions to this:

  • either masquerade in the container so that the packet leaves with 10.10.10.1
  • or advertise the 192.168.10.x route on the network

I would like (for various reasons) to avoid going for either of these solutions and was wondering if it is possible to do the masquerading in the bridge itself, on the host side.
In other words, a packet would be leaving the container with a source of 192.168.10.10, which would then be rewritten "by the bridge" to a known 10.10.10.1 IP (and then rewritten again when the reply comes back to the container).

Note: how to do it in shorewall would be awesome but any information will be great.

WoJ

2 Answers

For shorewall, you can edit /etc/shorewall/masq, to look something like:

br0 192.168.10.1/24 - tcp 22,80,443

You will also need to create an entry in /etc/shorewall/hosts and /etc/shorewall/zones for the VPN range, and of course add any necessary rules to /etc/shorewall/rules.

However, I think you might have a case of the XY problem.

If I understand your setup correctly, only your container knows about the 192.168.10/24 range.

Meaning the issue wouldn't actually be solved (only) by using masquerading.

The problem is that the host on which the container is running also does not have a route for 192.168.10/24, because that route only exists within the container's routing table.

So, at minimum, you would need:

  • a route on your container host pointing towards your container (e.g. ip route add 192.168.10.0/24 via 10.10.10.1)
  • then add the masq rule in shorewall.

Otherwise, your container host sees what amounts to martians coming from your VPN container.

iwaseatenbyagrue
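The two steps above (route first, then NAT) are easy to get in the wrong order or to apply to a range written with a host bit set. The script below is an added example, not code from the thread or from shorewall; it builds the host-side command list from the addresses in the question and the matching shorewall file entries. The interface names (br0 as the bridge, eth0 as the uplink) and the zone name "vpn" are assumptions; the ipaddress module canonicalises 192.168.10.1/24 to 192.168.10.0/24, which is what both ip route and the shorewall masq file expect.

```python
#!/usr/bin/env python3
"""Host-side plan for NATing a VPN range that lives inside a container.

Added example (not from the original thread). The bridge/uplink names
are assumptions; the addresses are the ones from the question.
"""
import ipaddress


def host_nat_plan(vpn_range, container_ip, bridge_net, bridge_if, uplink_if,
                  snat_to=None):
    """Return the ordered list of commands the container host needs.

    vpn_range:    range the VPN hands out inside the container. It may be
                  written with a host bit set (192.168.10.1/24); it is
                  canonicalised to the network address (192.168.10.0/24).
    container_ip: the container's address on the host bridge, i.e. the
                  next hop for vpn_range.
    bridge_net:   the bridge subnet, used to sanity-check the next hop.
    snat_to:      address to rewrite the source to. None means MASQUERADE
                  (rewrite to the uplink interface's own address);
                  an address gives SNAT --to-source, e.g. 10.10.10.1 as
                  the question asks for.
    """
    vpn = ipaddress.ip_network(vpn_range, strict=False)
    nexthop = ipaddress.ip_address(container_ip)
    bridge = ipaddress.ip_network(bridge_net, strict=False)

    if nexthop not in bridge:
        raise ValueError(f"next hop {nexthop} is not on bridge network {bridge}")
    if vpn.overlaps(bridge):
        # The route for the VPN range would shadow (part of) the bridge
        # subnet and break reachability of the container itself.
        raise ValueError(f"VPN range {vpn} overlaps bridge network {bridge}")

    cmds = [
        # The host forwards between the bridge and the uplink.
        "sysctl -w net.ipv4.ip_forward=1",
        # 1. Route for the VPN range pointing at the container. Without
        #    it the host has no path back and, with strict rp_filter,
        #    drops the 192.168.10.x sources on br0 as martians.
        f"ip route add {vpn} via {nexthop} dev {bridge_if}",
    ]
    # 2. NAT in the nat table's POSTROUTING chain, matched on the
    #    *outgoing* interface; it only sees packets the host has routed.
    if snat_to is None:
        cmds.append(f"iptables -t nat -A POSTROUTING -s {vpn} -o {uplink_if} "
                    "-j MASQUERADE")
    else:
        snat = ipaddress.ip_address(snat_to)
        cmds.append(f"iptables -t nat -A POSTROUTING -s {vpn} -o {uplink_if} "
                    f"-j SNAT --to-source {snat}")
    return cmds


def shorewall_lines(vpn_range, bridge_if, uplink_if, zone="vpn",
                    ports="22,80,443"):
    """Equivalent entries for /etc/shorewall/{zones,hosts,masq}.

    Column layout: zones = ZONE TYPE; hosts = ZONE HOST(S);
    masq = INTERFACE SOURCE ADDRESS PROTO PORT(S). '-' in ADDRESS means
    masquerade to the interface's own address. Zone name is an assumption.
    """
    vpn = ipaddress.ip_network(vpn_range, strict=False)
    return {
        "zones": f"{zone} ipv4",
        "hosts": f"{zone} {bridge_if}:{vpn}",
        "masq": f"{uplink_if} {vpn} - tcp {ports}",
    }


if __name__ == "__main__":
    for line in host_nat_plan("192.168.10.1/24", "10.10.10.1", "10.10.10.0/24",
                              "br0", "eth0", snat_to="10.10.10.1"):
        print(line)
    for name, line in shorewall_lines("192.168.10.1/24", "br0", "eth0").items():
        print(f"/etc/shorewall/{name}: {line}")
```

Run it and paste the printed ip/iptables lines on the host, or copy the shorewall lines into the three files and run shorewall check before shorewall restart. If the bridge includes the physical NIC, pass the bridge name as the uplink too, which reproduces the br0 line given in the answer.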
The MASQUERADE iptables target operates in the POSTROUTING table, which is only used for packets routed from one interface to another. The bridged packets are probably not accessed at IP level at any time, so you won't be able to masquerade them.

allo