Puncte:0

Server

Trying to forward SMTP port on strongswan IPsec tunneled docker container?

Theo

22.11.2022, 17:33

I have successfully setup a vpn tunnel with strongswan within a docker container and want to use that tunneled connection to forward specific ports like SMTP to a host on the other side of the tunnel, in my case host 10.0.0.10.

The goal would be to be able to use SMTP in my app directly by connecting to strongswan-container service in the middle like this

(smtp-host)-[IPSec-tunnel]-(strongswan-container [exposes port 25 and forwards everything to tunneled smtp-host])-[some-docker-network]-(my-mail-sending-app-container [calls strongswan-container:25 for smtp])

after reading some docs about this I tried these iptables commands on the strongswan-container but with no success:

iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination 10.0.0.10:25
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 25 -j MASQUERADE

on the my-mail-sending-app-container I tried running

telnet strongswan-container 25

but it would simply wait for a response until timeout.

What is the problem with my iptables command?

iptables-save output after strongswan has connected to the tunnel:

root@14d43f1e2f55:/# iptables-save
# Generated by iptables-save v1.8.4 on Thu Jul 22 16:25:04 2021
*filter
:INPUT ACCEPT [1:112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:112]
-A INPUT -s 10.0.0.0/16 -d 192.168.112.2/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.112.2/32 -d 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Thu Jul 22 16:25:04 2021
# Generated by iptables-save v1.8.4 on Thu Jul 22 16:25:04 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:1600]
:POSTROUTING ACCEPT [2:1600]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:46701
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:58024
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 46701 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 58024 -j SNAT --to-source :53
COMMIT
# Completed on Thu Jul 22 16:25:04 2021

my ipsec.conf:

config setup
     strictcrlpolicy=no
     uniqueids=no

# left is local by default, left and right otherwise dynamically detected
conn %default

conn "ezvpn"
    keyexchange=ikev2
    aggressive=yes
    ike=(some-ciphers)     # Phase1 parameters
    esp=(some-ciphers)              # Phase2 parameters
    left=192.168.112.2         # local IP used to connect to IOS
    leftid=12.123.123.1                 # IKEID (group name) used for IOS
    leftfirewall=yes
    leftauth=psk
    rightauth=psk
    fragmentation=yes
    right=12.123.123.2        #gateway (IOS) IP
    rightsubnet=10.0.0.0/16
    rightfirewall=yes
    auto=route
    type=tunnel
    ikelifetime=180m
    keylife=60m

244

1 + 2

iptables

truecrypt

expediere

ecdsa

23.11.2022, 08:31

Puteți ajunge efectiv la gazda SMTP (`10.0.0.10`) din containerul strongSwan? Containerul expune portul 25 (prin `EXPOSE` sau `--expose`) sau poate chiar îl publică?

Răspunde

Theo

23.11.2022, 08:33

@ecdsa da la ambele, problema nu este legată de docker, doar am menționat-o din cauza setărilor suplimentare pentru iptables

Răspunde

Puncte:0

Server

Theo

09.12.2022, 17:53

Am rezolvat prin instalare traefik în mine lebăda puternică recipient și apoi folosind rutare TCP capacităţile de traefik pentru a expune portul tunelat în interior.

Dockerfile (Sunt pe deplin conștient că acest lucru poate fi realizat folosind alpin de asemenea):

DE PE ubuntu


RUN apt update && apt-get install -yf wget iputils-ping telnet strongswan iptables \
    && ln -sf /conf/ipsec.conf /etc/ipsec.conf \
    && ln -sf /conf/ipsec.secrets /etc/ipsec.secrets \
    && echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf \
    && wget -O /traefik.tar.gz https://github.com/traefik/traefik/releases/download/v2.4.12/traefik_v2.4.12_linux_amd64.tar.gz \
    && tar -zxvf /traefik.tar.gz \
    && ln -s /traefik /usr/bin/traefik


COPIEAZĂ docker-entrypoint.sh /entrypoint.sh
COPY /strongswan /conf
COPY /traefik-conf /traefik-conf

CMD ["/entrypoint.sh"]

Ale mele punct de intrare.sh:

#!/bin/sh -e

{
    # așteptați pentru a vă asigura că ipsec este pornit la ridicarea tunelului
    dormi 2
    ipsec up ezvpn
    traefik --configfile /traefik-conf/traefik.yml
} &

exec ipsec start --nofork „$@”

traefik-conf/traefik.yml:

# https://doc.traefik.io/traefik/routing/entrypoints/
puncte de intrare:
  smtp:
    adresa: ":1025" # portul care ascultă în rețeaua docker

jurnal de acces: {}

furnizori:
  fişier:
    director: /traefik-conf/dynamic/
    # Folosesc configurații dinamice pentru dezvoltarea locală
    ceas: adevărat

API:
  tabloul de bord: adevărat
  nesigur: adevărat

/traefik-conf/dynamic/dynamic.yml:

tcp:
  # https://doc.traefik.io/traefik/routing/routers/#rule_1
  routere:
    smtp-router:
      regula: "HostSNI(`*`)"
      puncte de intrare:
        - smtp
      serviciu: smtp-service

  # https://doc.traefik.io/traefik/routing/routers/#services
  Servicii:
    serviciu smtp:
      echilibrarea greutății:
        servere:
          - adresa: 10.0.0.1:25 # înlocuiți cu IP-ul țintă și portul de serviciu

Vedea Aici pentru exemplul complet.