
Enable sudo for iptables so an on_connect script can set DNAT and for… #559

Open
wants to merge 1 commit into base: master

Conversation

@doug-w doug-w commented Mar 11, 2020

…ward connections correctly.

I have an openvpn.conf running this patch with the following changes:

script-security 2
client-connect /etc/openvpn/on_connect.sh

With an on_connect.sh of:

#!/bin/bash
# Runs as OpenVPN's client-connect script; $ifconfig_pool_remote_ip is the
# VPN address OpenVPN assigned to the connecting client.

/usr/bin/sudo /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination "$ifconfig_pool_remote_ip"
/usr/bin/sudo /sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination "$ifconfig_pool_remote_ip"

exit 0
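As an added example (not the PR's own on_connect.sh, and not part of this thread), the same hook written defensively: it validates the client address before it reaches sudo, adds each DNAT rule only if it is not already present, and removes the rules when the client disconnects. It assumes OpenVPN exports $script_type and $ifconfig_pool_remote_ip, that the sudoers entry from this PR is in place, and that IPTABLES may be overridden for testing.

```shell
#!/bin/sh
# Added example (not the PR's script). Usable as both client-connect and
# client-disconnect; OpenVPN sets $script_type to the hook that invoked it.
IPTABLES=${IPTABLES:-"/usr/bin/sudo /sbin/iptables"}   # overridable for testing
PORTS="80 443"

# Accept only a dotted-quad IPv4 address. Anything else (including a value
# carrying extra iptables arguments) is rejected before sudo is ever called.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1; n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
        [ "$rest" = "$o" ] && break        # last octet consumed
        rest=${rest#*.}
    done
    [ $n -eq 4 ] || return 1
    return 0
}

# apply_rules add|delete <client-ip>: returns 2 on invalid input, 0 otherwise.
# The same match/target text is used with -C, -A and -D, so check, add and
# delete always refer to exactly the same rule (no duplicate or stale rules).
apply_rules() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "refusing to use '$ip' as a DNAT target" >&2; return 2; }
    for port in $PORTS; do
        rule="-p tcp --dport $port -j DNAT --to-destination $ip"
        if $IPTABLES -t nat -C PREROUTING $rule 2>/dev/null; then
            [ "$action" = delete ] && $IPTABLES -t nat -D PREROUTING $rule
        else
            [ "$action" = add ] && $IPTABLES -t nat -A PREROUTING $rule
        fi
    done
    return 0
}

case ${script_type:-} in
    client-connect)    apply_rules add    "$ifconfig_pool_remote_ip" ;;
    client-disconnect) apply_rules delete "$ifconfig_pool_remote_ip" ;;
esac
```

Point both `client-connect` and `client-disconnect` in openvpn.conf at this one file. The sudoers line in this PR lets nobody run /sbin/iptables with any arguments, so the validation above is what keeps a malformed environment value from turning into arbitrary firewall changes.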

@kylemanna (Owner) commented:

This needs to potentially occur outside the container if run without --privilege, correct?

@917huB commented May 27, 2021

I've been trying to make this patch work but have two issues. When using sudo, the on_connect.sh fails as it needs a password:

We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:

     #1) Respect the privacy of others.
     #2) Think before you type.
     #3) With great power comes great responsibility.

 sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
 sudo: a password is required

and when trying to remove the sudo command (hey, I'm desperate LOL):

DNAT: Could not determine whether revision 2 is supported, assuming it is.
DNAT: Could not determine whether revision 2 is supported, assuming it is.
Fatal: can't open lock file /run/xtables.lock: Permission denied

I've tried adding --privileged to my docker-compose etc.

Any ideas, or better still, any way to get this pulled so it doesn't need an amateur like me hacking around!?

@doug-w (Author) commented May 28, 2021

@917huB check the sudoers file that's included with the patch. Make sure that it's being applied as well with the correct permissions. It's set as is:
Defaults:nobody !requiretty
nobody ALL = NOPASSWD: /sbin/iptables

So as long as you're running /sbin/iptables as user nobody, it shouldn't require a password, even if you're not coming from a tty.

So either the sudoers isn't there or you're not running as nobody.

@917huB commented Jun 5, 2021

@doug-w thank you, it was an oversight on the permissions.

Traffic is now being passed from internet > Google Cloud VPS > on-premise hosted web server fine. I am however unable to access the internet from the on-prem web server host through the VPS (curl ifconfig.co, for example). I'm out of my depth here with iptables and would be grateful for any pointers that might accelerate my learning. Thanks again for your support.
