func setupIpMasq(ipn ip.IP4Net, iface string) error {
ipt, err := ip.NewIPTables()
if err != nil {
log.Error("Failed to setup IP Masquerade. iptables was not found")
return err
}
err = ipt.ClearChain("nat", "RUDDER")
if err != nil {
log.Error("Failed to create/clear RUDDER chain in NAT table: ", err)
return err
}
rules := [][]string{
// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
[]string{"RUDDER", "-d", ipn.String(), "-j", "ACCEPT"},
// This rule makes sure we don't NAT multicast traffic within overlay network
[]string{"RUDDER", "-d", "224.0.0.0/4", "-j", "ACCEPT"},
// This rule will NAT everything originating from our overlay network and
[]string{"RUDDER", "!", "-o", iface, "-j", "MASQUERADE"},
// This rule will take everything coming from overlay and sent it to RUDDER chain
[]string{"POSTROUTING", "-s", ipn.String(), "-j", "RUDDER"},
}
for _, args := range rules {
log.Info("Adding iptables rule: ", strings.Join(args, " "))
err = ipt.AppendUnique("nat", args...)
if err != nil {
log.Error("Failed to insert IP masquerade rule: ", err)
return err
}
}
return nil
}
