Let me say up front that this is my first time configuring iptables, so I may be missing something. Anyway, I have a VPS on which Docker runs 2 containers, PPTP and Tor. For anyone interested, they are started as follows:
version: '3'
services:
  pptpd:
    image: vimagick/pptpd
    container_name: pptpd
    volumes:
      - /opt/docker/conf/pptp/pptpd.conf:/etc/pptpd.conf
      - /opt/docker/conf/pptp/pptpd-options:/etc/ppp/pptpd-options
      - /opt/docker/conf/pptp/chap-secrets:/etc/ppp/chap-secrets
    privileged: true
    restart: always
    network_mode: "host"
  tor:
    image: tor:latest
    container_name: tor
    volumes:
      - /opt/docker/conf/torrc:/etc/tor/torrc
    user: tor
    command: tor -f /etc/tor/torrc
    ports:
      - "9050:9050"
      - "9051:9051"
    restart: always
It has the following network interfaces, where eth0 is the external interface, i.e. it faces the Internet with a static address:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:c9:00:a6:55:35 brd ff:ff:ff:ff:ff:ff
inet 187.95.138.15/24 brd 185.92.149.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::50c9:ff:fea6:5535/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:b6:7a:77:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-c81f9eb68579: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:a0:f8:c3:15 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c81f9eb68579
valid_lft forever preferred_lft forever
inet6 fe80::42:a0ff:fef8:c315/64 scope link
valid_lft forever preferred_lft forever
6: vethe15a135@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c81f9eb68579 state UP group default
link/ether 16:0e:ba:ae:b6:5b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::140e:baff:feae:b65b/64 scope link
valid_lft forever preferred_lft forever
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN group default qlen 3
link/ppp
inet 192.168.127.1 peer 192.168.127.11/32 scope global ppp0
valid_lft forever preferred_lft forever
The /root directory contains a file with iptables rules (iptables-rules) with the following content:
# Generated by xtables-save v1.8.2 on Tue Dec 15 10:50:38 2020
*filter
:INPUT ACCEPT [595:42697]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [584:27085]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
# Completed on Tue Dec 15 10:50:38 2020
# Generated by xtables-save v1.8.2 on Tue Dec 15 10:50:38 2020
*nat
:PREROUTING ACCEPT [762:51489]
:INPUT ACCEPT [295:16648]
:POSTROUTING ACCEPT [12:858]
:OUTPUT ACCEPT [11:798]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
which is loaded from /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 187.95.138.15/24
    gateway 187.95.138.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 8.8.8.8 8.8.4.4
    dns-search 2ssd.had.wf
    post-up iptables-restore < /root/iptables-rules
The idea is that only 2 ports should be exposed to the outside: 5001 for SSH and 1723 for PPTP. The Tor ports (9050, 9051) must not face the outside; only clients connected over PPTP should see them (192.168.127.1:9050). For reference, users connected over PPTP get IPs from 192.168.127.0/24, and the server has IP 192.168.127.1. If I apply the rules manually (iptables-restore < /root/iptables-rules), everything works as it should, and iptables -L -v then looks like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 576 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:50001
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:1723
0 0 ACCEPT gre -- any any anywhere anywhere
1 40 DROP all -- eth0 any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
After the server reboots, clients connected over PPTP can no longer connect to Tor, and iptables -L -v looks like this:
pkts bytes target prot opt in out source destination
205 19039 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:50001
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:1723
0 0 ACCEPT gre -- any any anywhere anywhere
32 1412 DROP all -- eth0 any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
160 116K DOCKER-USER all -- any any anywhere anywhere
160 116K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
85 91963 ACCEPT all -- any br-c81f9eb68579 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-c81f9eb68579 anywhere anywhere
75 23820 ACCEPT all -- br-c81f9eb68579 !br-c81f9eb68579 anywhere anywhere
0 0 ACCEPT all -- br-c81f9eb68579 br-c81f9eb68579 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 184 packets, 19430 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-c81f9eb68579 br-c81f9eb68579 anywhere 172.18.0.2 tcp dpt:9051
0 0 ACCEPT tcp -- !br-c81f9eb68579 br-c81f9eb68579 anywhere 172.18.0.2 tcp dpt:9050
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
75 23820 DOCKER-ISOLATION-STAGE-2 all -- br-c81f9eb68579 !br-c81f9eb68579 anywhere anywhere
160 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
160 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-c81f9eb68579 anywhere anywhere
75 23820 RETURN all -- any any anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
I have to log in and apply the rules manually. What am I doing wrong?
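An added audit example, not from the post or its author: Docker-published ports are DNATed in nat/PREROUTING and then traverse FORWARD, so an "-A INPUT -i eth0 -j DROP" rule never sees them, and the FORWARD chain above ends in "-j ACCEPT". The script below parses an iptables-save dump and reports which published ports a new connection arriving on the external interface can reach, and checks the two usual remedies: a drop in DOCKER-USER (the chain Docker documents for user rules and leaves alone when it rewrites its own) and binding the published port to the VPN address ("192.168.127.1:9050:9050"). The bridge name and container address are taken from the listings above; the dump itself is constructed, and the function names and the eth0 default are this example's assumptions.

```python
import shlex

def parse_rules(dump):
    """iptables-save text -> {table: {chain: [rule token lists]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)
            table.setdefault(toks[1], []).append(toks[2:])
    return tables

def opt(toks, flag):
    """Value following `flag` in a rule, or None when the flag is absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None

def exposed_ports(dump, ext_if="eth0"):
    """Docker-published ports that a NEW connection arriving on ext_if reaches.
    Published ports are DNATed in nat/PREROUTING and then take FORWARD, so an
    INPUT drop on ext_if never sees them; only a DOCKER-USER drop or a DNAT
    rule bound to a specific local address (-d) keeps them off ext_if."""
    t = parse_rules(dump)
    drops = set()  # ports DOCKER-USER drops for ext_if (None = all); '!' rules are not counted
    for r in t.get("filter", {}).get("DOCKER-USER", []):
        if opt(r, "-i") == ext_if and "!" not in r and opt(r, "-j") in ("DROP", "REJECT"):
            port = opt(r, "--dport")
            drops.add(int(port) if port else None)
    exposed = set()
    for r in t.get("nat", {}).get("DOCKER", []):
        bind, port = opt(r, "-d"), opt(r, "--dport")
        if opt(r, "-j") == "DNAT" and port and bind in (None, "0.0.0.0/0") \
                and not drops & {None, int(port)}:
            exposed.add(int(port))
    return exposed

# Constructed iptables-save extract mirroring the post's after-reboot state:
# the DNAT rules Docker adds for "9050:9050"/"9051:9051", the post's INPUT drop
# and Docker's stock DOCKER-USER chain.
AFTER_REBOOT = """\
*nat
-A DOCKER ! -i br-c81f9eb68579 -p tcp -m tcp --dport 9050 -j DNAT --to-destination 172.18.0.2:9050
-A DOCKER ! -i br-c81f9eb68579 -p tcp -m tcp --dport 9051 -j DNAT --to-destination 172.18.0.2:9051
COMMIT
*filter
-A INPUT -i eth0 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""
# Fix 1: drop new connections from eth0 in DOCKER-USER, a chain Docker preserves.
HARDENED = AFTER_REBOOT.replace("-A DOCKER-USER -j RETURN",
    "-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP\n-A DOCKER-USER -j RETURN")
# Fix 2: publish as "192.168.127.1:9050:9050" so the DNAT rule carries -d.
BOUND = AFTER_REBOOT.replace("! -i br-", "-d 192.168.127.1/32 ! -i br-")
```

Feeding the real output of iptables-save on the VPS to exposed_ports() gives the same verdict for the live ruleset.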