// setupIpMasq installs the NAT rules that masquerade traffic leaving the
// overlay network ipn through any interface other than iface.
//
// The rules live in a dedicated "RUDDER" chain of the nat table, which is
// created/flushed first (so rules from a previous run do not accumulate),
// and a single POSTROUTING rule hands overlay-sourced traffic to that chain.
// Every rule is appended with AppendUnique, so repeated calls do not
// duplicate entries. Each failure is logged and returned unchanged to the
// caller.
func setupIpMasq(ipn ip.IP4Net, iface string) error {
	ipt, err := ip.NewIPTables()
	if err != nil {
		log.Error("Failed to setup IP Masquerade. iptables was not found")
		return err
	}

	// Create the chain if missing, otherwise drop whatever it held before.
	if err = ipt.ClearChain("nat", "RUDDER"); err != nil {
		log.Error("Failed to create/clear RUDDER chain in NAT table: ", err)
		return err
	}

	chainRules := [][]string{
		// Traffic staying inside the overlay (e.g. coming out of docker0)
		// must not be NATed.
		{"RUDDER", "-d", ipn.String(), "-j", "ACCEPT"},
		// Multicast within the overlay is likewise left untouched.
		{"RUDDER", "-d", "224.0.0.0/4", "-j", "ACCEPT"},
		// Anything else that reached this chain (i.e. originated in the
		// overlay) and is not going out via iface gets masqueraded.
		{"RUDDER", "!", "-o", iface, "-j", "MASQUERADE"},
		// Entry point: route overlay-sourced packets into the RUDDER chain.
		{"POSTROUTING", "-s", ipn.String(), "-j", "RUDDER"},
	}

	for _, rule := range chainRules {
		log.Info("Adding iptables rule: ", strings.Join(rule, " "))
		if err = ipt.AppendUnique("nat", rule...); err != nil {
			log.Error("Failed to insert IP masquerade rule: ", err)
			return err
		}
	}

	return nil
}