-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathlxd-portforward
executable file
·45 lines (39 loc) · 1.49 KB
/
lxd-portforward
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/bin/bash
set -e
COMMAND=$1
EXTERNAL_PORT=$2
CONTAINER_NAME=$3
CONTAINER_PORT=$4
EXT_IFACE=$(ip -o route show to default | awk '{print $5}' | head -n1)
LXD_IFACE="lxdbr0"
LXD_IPADDR=$(ip -f inet -o addr show $LXD_IFACE|cut -d\ -f 7 | cut -d/ -f 1)
if [ -n "${CONTAINER_NAME}" ]; then
IPV4=$(dig +short a $CONTAINER_NAME @$LXD_IPADDR)
IPV6=[$(dig +short aaaa $CONTAINER_NAME @$LXD_IPADDR)]
fi
case "$COMMAND" in
add)
nft add table ip nat
nft "add chain ip nat prerouting { type nat hook prerouting priority -100; }"
nft add table ip6 nat
nft "add chain ip6 nat prerouting { type nat hook prerouting priority -100; }"
if [ ! -z $IPV4 ] && [ ! -z $IPV6 ]; then
nft "add rule ip nat prerouting iif $EXT_IFACE meta l4proto {tcp, udp} th dport $EXTERNAL_PORT dnat to $IPV4:$CONTAINER_PORT"
#nft "add rule ip nat prerouting iif $EXT_IFACE udp dport { $EXTERNAL_PORT } dnat to $IPV4:$CONTAINER_PORT"
nft "add rule ip6 nat prerouting iif $EXT_IFACE meta l4proto {tcp, udp} th dport $EXTERNAL_PORT dnat to $IPV6:$CONTAINER_PORT"
#nft "add rule ip6 nat prerouting iif $EXT_IFACE udp dport { $EXTERNAL_PORT } dnat to $IPV6:$CONTAINER_PORT"
fi;;
del)
echo "Sorry, but the 'del' command is not implemented for nft forwarding anymore. Please remove all rules and start again."
;;
delall)
nft delete table ip nat
nft delete table ip6 nat
;;
list)
nft list ruleset ip | grep dport
nft list ruleset ip6 | grep dport
;;
*)
echo "Usage: add/del SOURCEPORT DESTCONTAINER DESTPORT"
esac