We have a dockerized server application that is doing auto-discovery of physical appliances on the network by listening for multicast packets on port 6969. So we need our docker container to be able to receive these packets from devices outside the host, through the host, and in to the container. I've seen some similar issues and done a lot of reading but I'm still unable to get the server to respond to these multicast packets.
I'm sitting on Wireshark watching network traffic, but I'm not a specialist. I know Docker creates a MASQUERADE address to make the traffic all look like it's coming from the Docker gateway, so when I watch veth I see mostly talk between 172.17.0.1 and 172.17.0.2 although my server is unable to retrieve any information about the devices on the network. (If I run outside of docker, I have no issues of course.)
I can't use --net=host as, like others, we make use of the --link feature. I've tried the following variations...
docker run --name app -p 6969:6969 -d me/app:latest
docker run --name app -p 0.0.0.0:6969:6969 -d me/app:latest (This one I could have sworn worked once but now doesn't?)
docker run --name app -p 0.0.0.0:6969:6969/udp -d me/app:latest
docker run --name app -p 255.255.255.255:6969:6969 -d me/app:latest
Any help or insight you could provide would be greatly appreciated.
Try to enable multicast on your NICs:
ip link set eth0 multicast on
echo 1 >/proc/sys/net/ipv4/ip_forward to turn on IP forwarding
You need to explicitly set or at least check that it is enabled on relevant interfaces.
net.ipv4.conf.all.mc_forwarding = 1
net.ipv4.conf.eth0.rp_filter=0
Allow the multicast traffic:
iptables -I INPUT -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -d 224.0.0.0/4 -j ACCEPT
Also you might need to add the route for multicast traffic:
route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
Change the TTL of the multicast sender:
iptables -t mangle -A OUTPUT -d <group> -j TTL --ttl-set 128
Where group is the multicast group address of the stream you want to change the TTL of.
Also you can start a multicast proxy.
PS:
You should try (if the above doesn't help) to start the docker container with the --net=none option and use pipework with the following command:
pipework docker0 -i eth0 CONTAINER_ID IP_ADDRESS/IP_MASK#DEFAULT_ROUTE_IP
which creates an eth0 interface inside the container with the IFF_MULTICAST flag and the defined IP address.
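Before changing anything on the Docker host it helps to know which of the prerequisites listed in the answer above are actually unmet. The script below is an added example, not code from the thread: it checks the interface MULTICAST flag, the three sysctls (ip_forward, mc_forwarding, rp_filter) and the 224.0.0.0/4 route. It parses constructed sample output of `ip -o link`, `sysctl` and `ip route` so that it runs offline; on a real host replace the three SAMPLE_* variables with `$(ip -o link show eth0)`, `$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.mc_forwarding net.ipv4.conf.eth0.rp_filter)` and `$(ip route show)`.

```shell
#!/bin/sh
# Added example (not from the original thread): offline pre-flight check for the
# host-side multicast prerequisites. All SAMPLE_* data below is constructed.

# Constructed `ip -o link show eth0` output for a NIC with multicast OFF.
SAMPLE_IP_LINK='2: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Constructed `sysctl` dump: forwarding on, multicast forwarding off, rp_filter strict.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.eth0.rp_filter = 1'

# Constructed `ip route show` output with no multicast route.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1'

# iface_has_multicast LINK_OUTPUT IFACE -> exit 0 if the flag list contains MULTICAST
iface_has_multicast() {
  printf '%s\n' "$1" | grep -E "^[0-9]+: $2: <[^>]*MULTICAST[^>]*>" >/dev/null
}

# sysctl_is SYSCTL_OUTPUT KEY VALUE -> exit 0 if the dump has "KEY = VALUE"
# (the dots in KEY act as regex wildcards, which is fine for a yes/no check)
sysctl_is() {
  printf '%s\n' "$1" | grep -E "^$2 = $3\$" >/dev/null
}

# has_multicast_route ROUTE_OUTPUT IFACE -> exit 0 if 224.0.0.0/4 is routed via IFACE
# (this is how `route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0` shows up)
has_multicast_route() {
  printf '%s\n' "$1" | grep -E "^224\.0\.0\.0/4 dev $2( |\$)" >/dev/null
}

# list_missing LINK_OUTPUT SYSCTL_OUTPUT ROUTE_OUTPUT IFACE
# Prints one line per unmet prerequisite, with the fix from the answer above.
list_missing() {
  iface_has_multicast "$1" "$4" || echo "MULTICAST flag off on $4: ip link set $4 multicast on"
  sysctl_is "$2" net.ipv4.ip_forward 1 || echo "net.ipv4.ip_forward != 1"
  sysctl_is "$2" net.ipv4.conf.all.mc_forwarding 1 || echo "net.ipv4.conf.all.mc_forwarding != 1"
  sysctl_is "$2" "net.ipv4.conf.$4.rp_filter" 0 || echo "net.ipv4.conf.$4.rp_filter != 0"
  has_multicast_route "$3" "$4" || echo "no 224.0.0.0/4 route via $4: route add -net 224.0.0.0 netmask 240.0.0.0 dev $4"
  return 0
}

# Stand-alone run against the constructed samples: reports four unmet items.
echo "Unmet multicast prerequisites on eth0:"
list_missing "$SAMPLE_IP_LINK" "$SAMPLE_SYSCTL" "$SAMPLE_ROUTES" eth0
```

The checks are deliberately read-only; once the report is empty the remaining variable is the application itself, which must join the group with IP_ADD_MEMBERSHIP inside the container, because a plain `-p 6969:6969/udp` mapping only covers unicast traffic addressed to the host.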
Even though internet connection is working properly, traceroute only shows node IP. Why?
Kubernetes version
1.21
Setting -p 443 will result in the host not processing the probe along the route. You can try kubectl run busybox --image busybox --restart Never -it --rm -- traceroute -4 -l -v -m 30 google.com. This command will show you the IPs along the route, presuming your cluster has no network policy or subnet security group blocking the way.
I have an Ubuntu server with a few VPS running, mostly shared between friends and colleagues; it is from Hetzner.
I also have 2 sets of IPs ranging from 5.9.237.xxx to 5.9.237.xxx & 5.9.248.xxx to 5.9.248.xxx.
Today they locked my server due to different IPs set on the VPS, which is causing the problem. Now I have KVM access, and they asked me to set up an iptables rule which only allows communication with the IPs which are assigned and ignores the rest.
How to do this? I am a bit lost.
My OS is Ubuntu, and I want a command that will ignore all the IPs except the set of IPs I give.
Thank you.
You need to drop all (careful with iptables, you can lock yourself out); you should learn how your distro handles them. Here are the commands, which after a reboot will reset back to normal, so they are temporary for testing.
iptables -A INPUT -i eth0 -j DROP
iptables -I INPUT -i eth0 -s 10.10.10.0/24 -j ACCEPT
or of course specify certain IPs:
iptables -I INPUT -i eth0 -s 10.10.10.118 -j ACCEPT
There is a lot more to iptables than this, but this should get you started.
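The answer's two commands are the right shape (accept the listed sources, then drop everything else on the interface), and the main risk is exactly the lock-out it warns about. The script below is an added example, not from the thread, that turns a list of source addresses into an iptables-restore file for review before applying: loopback and already-established connections are accepted first so an open SSH session survives, each address is validated before it becomes a rule, and the DROP is always the last rule. The interface name and the RFC 5737 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an "accept listed sources,
# drop the rest" INPUT policy as an iptables-restore file. Placeholders only.

# valid_cidr ADDR -> exit 0 if ADDR is a dotted-quad IPv4 address, optionally /0-32
valid_cidr() {
  printf '%s\n' "$1" | grep -E '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$' >/dev/null
}

# build_allowlist IFACE "SRC1 SRC2 ..." -> prints a filter table for iptables-restore.
# Rule order is the anti-lockout measure: lo and ESTABLISHED,RELATED are accepted
# before any per-source rule, and the interface-wide DROP comes last.
# Invalid entries are emitted as '#' comments (ignored by iptables-restore) so the
# reviewer sees what was skipped instead of silently getting a narrower policy.
build_allowlist() {
  ifc=$1
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for src in $2; do
    if valid_cidr "$src"; then
      echo "-A INPUT -i $ifc -s $src -j ACCEPT"
    else
      echo "# skipped invalid source: $src"
    fi
  done
  echo "-A INPUT -i $ifc -j DROP"
  echo 'COMMIT'
}

# Stand-alone run with constructed placeholders (RFC 5737 ranges and one bad entry).
# To apply after review:  build_allowlist eth0 "..." > allow.rules && iptables-restore < allow.rules
build_allowlist eth0 "192.0.2.0/24 198.51.100.0/24 203.0.113.7 not-an-ip"
```

Applying the file with iptables-restore replaces the filter table atomically, which avoids the window between an appended DROP and a not-yet-inserted ACCEPT that exists when the rules are typed one by one; as the answer notes, the ruleset is still gone after a reboot unless the distro's persistence mechanism saves it.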
I successfully installed openstack on spare server using the ubuntu single-node installer script. The openstack status page on the underlying ubuntu instance is green across the board. From the host ubuntu instance I can ping / ssh to all of the various openstack instances which have been started on the virtual network.
I now want to access the horizon dashboard from my pc on the local network. (I can't access it from the host ubuntu machine since it is a server install & thus has no desktop to run a web browser on) My local network is 192.168.1.xxx, with the ubuntu server having a static ip of 192.168.1.200. Horizon was installed on an instance with ip 10.0.4.77.
Based on the following blog post, (http://serenity-networks.com/installing-ubuntu-openstack-on-a-single-machine-instead-of-7/) it looks like I need to make an iptables change to the host ubuntu instance to bridge between the two networks. The suggested command from the blog post above is:
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.250 --dport 8000 -j DNAT --to-destination 10.0.6.241:443
Which if I modify for my network / install would be:
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.200 --dport 8000 -j DNAT --to-destination 10.0.4.77:443
However, I am suspicious this is not the preferred way to do this. First, because the --dport 8000 seems wrong, and second because I was under the impression that neutron should be used to create the necessary bridge.
Any help would be appreciated...
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.200 --dport 8000 -j DNAT --to-destination 10.0.4.77:443
This command has nothing to do with neutron. It just makes your Ubuntu server a router connecting your local network and the OpenStack private network, so that you can access horizon through an IP of the local network.
--dport 8000 is not fixed; you can change it to any unoccupied port. It only influences the horizon address you enter in the address bar.
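The DNAT rule in the answer above only rewrites the destination; for the rewritten packets to actually reach 10.0.4.77 the kernel must have forwarding enabled and the FORWARD chain must accept them, and replies need a route back to the client. The script below is an added example, not from the thread or the blog post it cites, that emits the full set for review rather than running it, validating the port numbers first. The host address, ports and destination are constructed placeholders in the same shape as the question.

```shell
#!/bin/sh
# Added example (not from the original thread): emit a DNAT port-forward together
# with the forwarding, FORWARD-chain and return-path rules it depends on. Dry run:
# prints commands for review. All addresses and ports are constructed placeholders.

# valid_port N -> exit 0 if N is an integer in 1..65535
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_forward_rules HOST_IP HOST_PORT DEST_IP DEST_PORT
# Prints the command set; prints nothing and returns 1 if either port is invalid.
# The POSTROUTING MASQUERADE is only needed when the destination cannot route
# replies back to the client through this host (typical for a private virtual net).
port_forward_rules() {
  host_ip=$1; host_port=$2; dest_ip=$3; dest_port=$4
  valid_port "$host_port" && valid_port "$dest_port" || return 1
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $host_ip --dport $host_port -j DNAT --to-destination $dest_ip:$dest_port
iptables -A FORWARD -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $dest_ip --sport $dest_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $dest_ip --dport $dest_port -j MASQUERADE
EOF
}

# Stand-alone run with constructed placeholders matching the question's layout.
port_forward_rules 192.0.2.200 8000 10.0.4.77 443
```

The FORWARD rules are scoped to the one destination and port, so enabling ip_forward does not turn the host into an open router between the two networks; with a default FORWARD policy of DROP nothing else crosses.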
I have a requirement in which I need to block certain processes from consuming network data using the VPN interface (tun0).
physical interface (cellular data) -> tun0 -> user space program -> physical interface -> destination.
Please correct me if I am wrong; the above is the way the traffic flows when the VPN is enabled.
So if I want to block one particular process's network packets from being forwarded to the tun0 interface, I have applied the iptables rules for both the physical interface and the tun0 interface. Still the application is able to use the network data using the tun0 interface.
Is there a way to block the traffic at the tun0 interface?
Don't know which rules you set, but maybe this fixes it
(allow only tun0, reject others):
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT ! -i tun0 -j REJECT
iptables -A OUTPUT ! -o tun0 -j REJECT
How can I integrate OpenStack instances in my local network? I have Devstack Kilo running on a single Ubuntu VM that has its own IP different than the physical host. I assigned as floating IPs a set of IPs from the local network. But I cannot ping neither the external network, nor the local network from the instances.
You need to set up the network on the devstack host to do IP and ARP forwarding. This usually works:
sudo bash
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is for an Ubuntu host running devstack - your distro may be a little different, but the ideas are the same.
I wrote a post about doing this a while back. It's for Havana, but the principles are the same:
https://barakme.wordpress.com/2013/12/23/openstack-in-a-box-setting-up-devstack-havana-on-your/