From e0cf29047aafdc047801136bc58932432f368a74 Mon Sep 17 00:00:00 2001
From: Antoine Aflalo
Date: Fri, 16 Aug 2019 12:17:34 -0400
Subject: [PATCH 1/4] Add Firewall rule to accept traffic from the netns

---
 services/netns-nat@.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/netns-nat@.service b/services/netns-nat@.service
index a3ffff3..f0a257b 100644
--- a/services/netns-nat@.service
+++ b/services/netns-nat@.service
@@ -22,9 +22,11 @@ EnvironmentFile=-/etc/default/netns-%I
 ExecStart=/usr/bin/env iptables -t nat -A POSTROUTING -s ${IPADDR_OUTSIDE} -j MASQUERADE
 ExecStart=/usr/bin/env iptables -A FORWARD -i ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStart=/usr/bin/env iptables -A FORWARD -o ${DEVNAME_OUTSIDE} -j ACCEPT
+ExecStart=/usr/bin/env iptables -I INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStart=/usr/bin/env ip netns exec %I /usr/bin/env netnsinit nat %I
 ExecStop=/usr/bin/env iptables -D FORWARD -o ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -D FORWARD -i ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s ${IPADDR_OUTSIDE} -j MASQUERADE
+ExecStart=/usr/bin/env iptables -D INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT

From 5db0eea7ce331d7a54dcacb10ae2622620cc10b6 Mon Sep 17 00:00:00 2001
From: Antoine Aflalo
Date: Fri, 16 Aug 2019 15:38:56 -0400
Subject: [PATCH 2/4] No need to use exec for IP command

---
 services/netns-tunnel@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/netns-tunnel@.service b/services/netns-tunnel@.service
index df22360..a51d0b9 100644
--- a/services/netns-tunnel@.service
+++ b/services/netns-tunnel@.service
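Review bot: The added INPUT rule passes the interface as `-I ${DEVNAME_OUTSIDE}`, but `-I` is the insert command already used for `INPUT` and the interface match is lowercase `-i`; iptables does not accept `-I` twice, so this ExecStart fails and the unit never starts, and the same `-I` survives the ExecStart/ExecStop fix in patch 3/4. The cleanup line is also keyed `ExecStart=` rather than `ExecStop=`, so the `-D` would run during start instead of at stop. Even with the spelling fixed, `-i <dev> -j ACCEPT` with no other match exposes every listening service in the root namespace to the netns, while the stated goal of letting replies back in only needs `-m conntrack --ctstate ESTABLISHED,RELATED` before `-j ACCEPT`, which is what patch 4/4 ends up doing. The two lines would then read `ExecStart=/usr/bin/env iptables -I INPUT -i ${DEVNAME_OUTSIDE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` and `ExecStop=/usr/bin/env iptables -D INPUT -i ${DEVNAME_OUTSIDE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`.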
@@ -27,7 +27,7 @@ ExecStart=/usr/bin/env ip link set ${DEVNAME_OUTSIDE} up
 ExecStart=/usr/bin/env ip link set ${DEVNAME_INSIDE} netns %I
 # let this fail silently if IPADDR_OUTSIDE is undefined
 ExecStart=-/usr/bin/env ip address add ${IPADDR_OUTSIDE} dev ${DEVNAME_OUTSIDE}
-ExecStart=/usr/bin/env ip netns exec %I /usr/bin/env ip link set ${DEVNAME_INSIDE} up
+ExecStart=/usr/bin/env ip -n %I link set ${DEVNAME_INSIDE} up
 # do not run in ExecStartPost to prevent forked dhclient from being killed
 ExecStart=/usr/bin/env ip netns exec %I /usr/bin/env netnsinit tunnel %I

From ee7c5b24e248f8657564f367f663738a5abf9ac0 Mon Sep 17 00:00:00 2001
From: Antoine Aflalo
Date: Fri, 16 Aug 2019 15:40:18 -0400
Subject: [PATCH 3/4] Fixes start instead of stop

---
 services/netns-nat@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/netns-nat@.service b/services/netns-nat@.service
index f0a257b..852e449 100644
--- a/services/netns-nat@.service
+++ b/services/netns-nat@.service
@@ -29,4 +29,4 @@ ExecStart=/usr/bin/env ip netns exec %I /usr/bin/env netnsinit nat %I
 ExecStop=/usr/bin/env iptables -D FORWARD -o ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -D FORWARD -i ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s ${IPADDR_OUTSIDE} -j MASQUERADE
-ExecStart=/usr/bin/env iptables -D INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT
+ExecStop=/usr/bin/env iptables -D INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT

From f18d17cb98842b8f3e84f58f8d3821f90574749c Mon Sep 17 00:00:00 2001
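Review bot: `ip -n %I` relies on an iproute2 that understands the global `-netns`/`-n` switch, whereas the `ip netns exec %I … ip link set` form it replaces works on any iproute2 that has `ip netns` at all; on a host with an older iproute2 this line becomes a start-time failure with no fallback. If that trade-off is intended, a comment on the line naming the requirement would save the next reader a check, e.g. `# ip -n needs an iproute2 with the -netns switch; older hosts need the ip netns exec form`. Leaving the following `netnsinit tunnel %I` line in the `ip netns exec` form is right, since that is not an ip subcommand.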
From: Antoine Aflalo
Date: Thu, 22 Aug 2019 10:26:16 -0400
Subject: [PATCH 4/4] Make Nat Access configurable (#1)

* Add NAT_ACCEPT_TRAFFIC to be able to configure if we want to accept traffic or not from the child namespace.
* Add up and down for nat setup To be able to use IPTABLES for configure traffic.
* Replace the iptable to a call to the script
* Split net access in own method
* Fix script to be run in the root namespace
* Don't mixup start and stop
* Add missing selector
* Add missing spaces
* Fix iptables parameters
---
 configs/netns | 8 ++++++++
 scripts/netnsinit | 24 ++++++++++++++++++++++--
 services/netns-nat@.service | 4 ++--
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/configs/netns b/configs/netns
index a9ec1a9..992ac48 100644
--- a/configs/netns
+++ b/configs/netns
@@ -23,3 +23,11 @@
 # If you need static MAC
 #MACADDR=00:11:22:33:44:55
+
+#NAT Accepting traffic back from the NetNS
+#By default, if the root NS contact a service
+#in the created NS, it won't get a response.
+#
+#Setting this setting to 1 add a iptable rule
+#to accept returning traffic
+#NAT_ACCEPT_TRAFFIC=1
diff --git a/scripts/netnsinit b/scripts/netnsinit
index 15b5d7c..47b04b9 100755
--- a/scripts/netnsinit
+++ b/scripts/netnsinit
@@ -4,7 +4,7 @@ set -e
 display_usage() {
 echo "Auto configuration for systemd-named-netns."
- echo -e "\nUsage:\n\t$0 network-type ns-name \n"
+ echo -e "\nUsage:\n\t$0 network-type ns-name [optional params]\n"
 echo "Note: you may need root privileges for this."
 }
@@ -27,19 +27,39 @@ autoconfigure_tunnel() {
 }
 autoconfigure_nat() {
+ # add default route if gateway undefined
 if [ -z "${GATEWAY}" -a -n "${IPADDR_OUTSIDE}" ]; then
 /bin/ip route add default via ${IPADDR_OUTSIDE%%/*}
 fi
+ return 0 # additional precation against "set -e" in case of future mods of this function
 }
+autoconfigure_nat-access() {
+
+ if [ "${NAT_ACCEPT_TRAFFIC}" != "1" ]; then
+ return 0
+ fi
+ if [ "$3" == "up" ]; then
+ #Accept related traffic
+ iptables -I INPUT -i ${DEVNAME_OUTSIDE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ elif [ "$3" == "down" ]; then
+ iptables -D INPUT -i ${DEVNAME_OUTSIDE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ fi
+
+
+ return 0 # additional precation against "set -e" in case of future mods of this function
+}
 autoconfigure() {
 local NSTYPE=$1
 local NSNAME=$2
 echo "Starting autoconfigure for $NSTYPE ${NSNAME}"
 DEVNAME_INSIDE=vn-${NSNAME}1
+ DEVNAME_OUTSIDE=vn-${NSNAME}0
+
 source /etc/default/netns
 ! source "/etc/default/netns-${NSNAME}"
@@ -60,7 +80,7 @@ case "$1" in
 display_usage
 exit 0
 ;;
- "tunnel"|"bridge"|"nat")
+ "tunnel"|"bridge"|"nat"|"nat-access")
 autoconfigure "$@"
 exit 0
 ;;
diff --git a/services/netns-nat@.service b/services/netns-nat@.service
index 852e449..536eff5 100644
--- a/services/netns-nat@.service
+++ b/services/netns-nat@.service
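Review bot: `autoconfigure_nat-access` inserts a new rule with `-I` on every `up` and removes exactly one on `down`, so a start whose stop never ran (failed start, host crash) or a `NAT_ACCEPT_TRAFFIC` flipped to 0 before stop leaves stray rules, and under `set -e` a `down` whose rule is already gone aborts the script and fails ExecStop. Both directions become idempotent with `iptables -C INPUT -i "${DEVNAME_OUTSIDE}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I INPUT -i "${DEVNAME_OUTSIDE}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` for `up` and `while iptables -D INPUT -i "${DEVNAME_OUTSIDE}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; do :; done` for `down`, and applying the `NAT_ACCEPT_TRAFFIC` guard only to the `up` branch keeps a later config change from orphaning the rule. The selector is read from `$3`, which presumes `autoconfigure` forwards its full argument list to the per-type function; that call is outside the hunk, as is the shebang, which matters because a `-` in a function name is a bash extension that POSIX `sh` rejects. The new function also has no header comment; something like `# nat-access <ns> up|down: run in the root namespace; when NAT_ACCEPT_TRAFFIC=1, allow reply traffic arriving from the netns' veth` would state its contract, and the quoting of `${DEVNAME_OUTSIDE}` should match the rest of the script's shellcheck-clean lines.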
@@ -22,11 +22,11 @@ EnvironmentFile=-/etc/default/netns-%I
 ExecStart=/usr/bin/env iptables -t nat -A POSTROUTING -s ${IPADDR_OUTSIDE} -j MASQUERADE
 ExecStart=/usr/bin/env iptables -A FORWARD -i ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStart=/usr/bin/env iptables -A FORWARD -o ${DEVNAME_OUTSIDE} -j ACCEPT
-ExecStart=/usr/bin/env iptables -I INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT
+ExecStart=/usr/bin/env netnsinit nat-access %I up
 ExecStart=/usr/bin/env ip netns exec %I /usr/bin/env netnsinit nat %I
 ExecStop=/usr/bin/env iptables -D FORWARD -o ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -D FORWARD -i ${DEVNAME_OUTSIDE} -j ACCEPT
 ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s ${IPADDR_OUTSIDE} -j MASQUERADE
-ExecStop=/usr/bin/env iptables -D INPUT -I ${DEVNAME_OUTSIDE} -j ACCEPT
+ExecStop=/usr/bin/env netnsinit nat-access %I down
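Review bot: The two `netnsinit nat-access` lines give no hint that they do nothing unless `NAT_ACCEPT_TRAFFIC=1` is set in the EnvironmentFile, nor what they change in the root namespace; a comment above the ExecStart line, in the style the tunnel unit already uses, would spare a reader a trip into the script, e.g. `# no-op unless NAT_ACCEPT_TRAFFIC=1; otherwise inserts/removes an INPUT rule on ${DEVNAME_OUTSIDE} accepting ESTABLISHED,RELATED traffic from the netns`. Separately, `ExecStop=` only runs after a successful start, so if the new `up` step exits non-zero (it is now a fallible command between the iptables inserts and the end of ExecStart) the FORWARD and MASQUERADE rules added by the preceding lines stay behind; that ordering predates this hunk, but moving the `-D` lines to `ExecStopPost=`, which runs regardless, would close it.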