update iptables
This commit is contained in:
parent
ba8a2c6d10
commit
e0be188adf
@ -2,23 +2,24 @@
|
|||||||
# Dockerfile for iptables
|
# Dockerfile for iptables
|
||||||
#
|
#
|
||||||
|
|
||||||
FROM alpine
|
FROM alpine:3
|
||||||
MAINTAINER kev <noreply@easypi.pro>
|
MAINTAINER EasyPi Software Foundation
|
||||||
|
|
||||||
RUN apk add -U iproute2 && ln -s /usr/lib/tc /lib/tc
|
RUN apk add -U iproute2 && ln -s /usr/lib/tc /lib/tc
|
||||||
|
|
||||||
ENV LIMIT_PORT 8388
|
ENV LIMIT_PORT=8388
|
||||||
ENV LIMIT_CONN 5
|
ENV LIMIT_CONN=5
|
||||||
ENV TCP_PORTS 80,443
|
ENV TCP_PORTS=80,443
|
||||||
ENV UDP_PORTS 53
|
ENV UDP_PORTS=53
|
||||||
ENV RATE 1mbit
|
ENV RATE=1mbit
|
||||||
ENV BURST 1kb
|
ENV BURST=1kb
|
||||||
ENV LATENCY 50ms
|
ENV LATENCY=50ms
|
||||||
ENV INTERVAL 60
|
ENV INTERVAL=60
|
||||||
|
ENV DEVICE=eth0
|
||||||
|
|
||||||
CMD iptables -F \
|
CMD iptables -F \
|
||||||
&& iptables -A INPUT -p tcp -m state --state NEW --dport $LIMIT_PORT -m connlimit --connlimit-above $LIMIT_CONN -j DROP \
|
&& iptables -A INPUT -p tcp -m state --state NEW --dport $LIMIT_PORT -m connlimit --connlimit-above $LIMIT_CONN -j DROP \
|
||||||
&& iptables -A OUTPUT -p tcp -m state --state NEW -m multiport ! --dports $TCP_PORTS -j DROP \
|
&& iptables -A OUTPUT -p tcp -m state --state NEW -m multiport ! --dports $TCP_PORTS -j DROP \
|
||||||
&& iptables -A OUTPUT -p udp -m state --state NEW -m multiport ! --dports $UDP_PORTS -j DROP \
|
&& iptables -A OUTPUT -p udp -m state --state NEW -m multiport ! --dports $UDP_PORTS -j DROP \
|
||||||
&& tc qdisc add dev eth0 root tbf rate $RATE burst $BURST latency $LATENCY \
|
&& tc qdisc add dev $DEVICE root tbf rate $RATE burst $BURST latency $LATENCY \
|
||||||
&& watch -n $INTERVAL tc -s qdisc ls dev eth0
|
&& watch -n $INTERVAL tc -s qdisc ls dev $DEVICE
|
||||||
|
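Review bot: `MAINTAINER EasyPi Software Foundation` changes only the value of an instruction that is deprecated (hadolint DL4000); since the line is being touched anyway, replace it with a label, `LABEL org.opencontainers.image.authors="EasyPi Software Foundation"`. The context line `RUN apk add -U iproute2` never names `iptables`, yet `CMD iptables -F …` depends on it, so the binary presumably arrives only as a transitive dependency of iproute2 on the current `alpine:3` tag; listing it explicitly and dropping the cached index, `RUN apk add --no-cache iproute2 iptables && ln -s /usr/lib/tc /lib/tc`, makes the image's contract visible and robust to a future base bump. With `DEVICE` now user-supplied, a wrong interface name makes `tc qdisc add dev $DEVICE` fail and the `&&` chain exit before `watch`, which is the right outcome, but a comment above `ENV DEVICE=eth0` such as `# interface inside this container's network namespace (shared by services using network_mode: container:iptables)` would spare users a debugging round.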
@ -3,48 +3,42 @@ iptables
|
|||||||
|
|
||||||
![](https://badge.imagelayers.io/vimagick/iptables:latest.svg)
|
![](https://badge.imagelayers.io/vimagick/iptables:latest.svg)
|
||||||
|
|
||||||
- _iptables_: filter ports (allow: 53/UDP, 80/TCP, 443/TCP)
|
- iptables: filter ports (allow: 53/UDP, 80/TCP, 443/TCP)
|
||||||
- _tc_: control traffic via [tbf][1]
|
- tc: control traffic via [tbf][1]
|
||||||
|
|
||||||
## docker-compose.yml
|
## Server
|
||||||
|
|
||||||
```
|
```bash
|
||||||
shadowsocks:
|
|
||||||
image: vimagick/shadowsocks-libev
|
|
||||||
environment:
|
|
||||||
- DNS_ADDR=8.8.8.8
|
|
||||||
- METHOD=chacha20
|
|
||||||
- PASSWORD=9MLSpPmNt
|
|
||||||
net: container:iptables
|
|
||||||
restart: always
|
|
||||||
|
|
||||||
iptables:
|
|
||||||
image: vimagick/iptables
|
|
||||||
ports:
|
|
||||||
- "8388:8388"
|
|
||||||
environment:
|
|
||||||
- TCP_PORTS=80,443
|
|
||||||
- UDP_PORTS=53
|
|
||||||
- RATE=4mbit
|
|
||||||
- BURST=4kb
|
|
||||||
cap_add:
|
|
||||||
- NET_ADMIN
|
|
||||||
restart: always
|
|
||||||
```
|
|
||||||
|
|
||||||
## Up and Running
|
|
||||||
|
|
||||||
```
|
|
||||||
$ docker-compose up -d
|
$ docker-compose up -d
|
||||||
Creating shadowsocks_iptables_1...
|
[+] Running 3/3
|
||||||
Creating shadowsocks_shadowsocks_1...
|
⠿ Network iptables_default Created
|
||||||
|
⠿ Container iptables Started
|
||||||
|
⠿ Container shadowsocks Started
|
||||||
|
|
||||||
$ docker-compose logs
|
$ docker-compose logs -f iptables
|
||||||
Every 60s: tc -s qdisc ls dev eth0 2015-09-27 02:27:57
|
Every 60.0s: tc -s qdisc ls dev eth0 2021-12-15 09:55:38
|
||||||
iptables_1 |
|
iptables |
|
||||||
iptables_1 | qdisc tbf 8012: root refcnt 2 rate 4Mbit burst 4Kb lat 50.0ms
|
iptables | qdisc tbf 8004: root refcnt 2 rate 4Mbit burst 4Kb lat 50ms
|
||||||
iptables_1 | Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
|
iptables | Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
|
||||||
iptables_1 | backlog 0b 0p requeues 0
|
iptables | backlog 0b 0p requeues 0
|
||||||
|
```
|
||||||
|
|
||||||
|
## Client
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ ss-local -s x.x.x.x -p 8388 -b 0.0.0.0 -l 1080 -u -m chacha20-ietf-poly1305 -k ieZaid9soh
|
||||||
|
INFO: initializing ciphers...
|
||||||
|
INFO: listening at 0.0.0.0:1080
|
||||||
|
INFO: udprelay enabled
|
||||||
|
|
||||||
|
$ curl -x socks5h://127.0.0.1:1080 http://ifconfig.co
|
||||||
|
x.x.x.x
|
||||||
|
|
||||||
|
$ curl -x socks5h://127.0.0.1:1080 https://ifconfig.co
|
||||||
|
x.x.x.x
|
||||||
|
|
||||||
|
$ curl -x socks5h://127.0.0.1:1080 http://samsung.u-vis.com:8080
|
||||||
|
curl: (52) Empty reply from server
|
||||||
```
|
```
|
||||||
|
|
||||||
[1]: http://linux.die.net/man/8/tc-tbf
|
[1]: http://linux.die.net/man/8/tc-tbf
|
||||||
|
30
iptables/docker-compose.yml
Normal file
30
iptables/docker-compose.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
|
||||||
|
shadowsocks:
|
||||||
|
container_name: shadowsocks
|
||||||
|
image: easypi/shadowsocks-libev
|
||||||
|
environment:
|
||||||
|
- DNS_ADDR=8.8.8.8
|
||||||
|
- METHOD=chacha20-ietf-poly1305
|
||||||
|
- PASSWORD=ieZaid9soh
|
||||||
|
network_mode: container:iptables
|
||||||
|
depends_on:
|
||||||
|
- iptables
|
||||||
|
restart: unless-stopped
|
||||||
|
|
||||||
|
iptables:
|
||||||
|
container_name: iptables
|
||||||
|
image: vimagick/iptables
|
||||||
|
ports:
|
||||||
|
- "8388:8388"
|
||||||
|
environment:
|
||||||
|
- TCP_PORTS=80,443
|
||||||
|
- UDP_PORTS=53
|
||||||
|
- RATE=4mbit
|
||||||
|
- BURST=4kb
|
||||||
|
- DEVICE=eth0
|
||||||
|
cap_add:
|
||||||
|
- NET_ADMIN
|
||||||
|
restart: unless-stopped
|
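Review bot: `- PASSWORD=ieZaid9soh` commits a literal shadowsocks credential into the compose file, and the README's Client section quotes the same value, so anyone who deploys the file unchanged is running with a published password. Prefer compose variable substitution so the secret lives outside the repository, for example `- PASSWORD=${SS_PASSWORD:?set SS_PASSWORD in .env}` (SS_PASSWORD is an illustrative name), or, if it is meant purely as a sample, mark it with a `# sample only - change before use` comment. `- DEVICE=eth0` is passed to the iptables container, whose namespace shadowsocks joins via `network_mode: container:iptables`; a one-line comment noting that DEVICE must name an interface of that shared namespace would help readers. `version: "3.8"` is accepted but ignored by Compose v2, which the README's `[+] Running 3/3` output suggests is in use, so it can be dropped.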
@ -24,6 +24,7 @@ init_rpc() {
|
|||||||
echo "* Starting rpcbind"
|
echo "* Starting rpcbind"
|
||||||
if [ ! -x /run/rpcbind ] ; then
|
if [ ! -x /run/rpcbind ] ; then
|
||||||
install -m755 -g 32 -o 32 -d /run/rpcbind
|
install -m755 -g 32 -o 32 -d /run/rpcbind
|
||||||
|
install -m755 -g 32 -o 32 -d /run/rpc_pipefs/nfs
|
||||||
fi
|
fi
|
||||||
rpcbind || return 0
|
rpcbind || return 0
|
||||||
rpc.statd -L || return 0
|
rpc.statd -L || return 0
|
||||||
|
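Review bot: The added `install -m755 -g 32 -o 32 -d /run/rpc_pipefs/nfs` sits inside `if [ ! -x /run/rpcbind ]`, so it only runs when `/run/rpcbind` is missing; on a container where `/run/rpcbind` already exists (a persisted /run, or a second invocation of init_rpc) the new directory is never created. Because `install -d` is idempotent, create both paths unconditionally, `install -m755 -g 32 -o 32 -d /run/rpcbind /run/rpc_pipefs/nfs`, and drop the surrounding `if`/`fi`, or give the new path its own existence test. init_rpc() begins before the hunk, and neither the code nor the commit message says which daemon requires `/run/rpc_pipefs/nfs`; a short why-comment above the line naming that consumer would keep the next maintainer from removing it.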