├── Dockerfile
├── LICENSE
├── README.md
├── upstart
│   └── docker-nat-router-vlan20.conf
└── wrapper

/Dockerfile:
--------------------------------------------------------------------------------
# Pull lean base image.
FROM debian:jessie

MAINTAINER Kyle Manna

RUN apt-get update && apt-get install -y dnsmasq iptables

# Install helpers.
# Note: this fetches an unpinned script from the pipework master branch with no
# checksum check, so the image contents depend on whatever that branch holds at
# build time. Pin a commit or vendor the file if build reproducibility and
# supply-chain integrity matter.
ADD https://raw.githubusercontent.com/jpetazzo/pipework/master/pipework /usr/bin/
ADD wrapper /usr/bin/

RUN chmod a+x /usr/bin/pipework /usr/bin/wrapper

# Wrapper helps with pipework
ENTRYPOINT ["wrapper"]

# Default dnsmasq argument is --help, which is passed after the pipework wait
CMD ["--help"]
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Kyle Manna

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
Docker nat-router
=================

Docker container that functions as a simple NAT router. Linux iptables provides network address translation (NAT) and dnsmasq provides DHCP, DNS, and TFTP services.

The container is bridged to the local area network using pipework, which creates eth1 inside the container. The container needs to run privileged: dnsmasq makes ioctl() calls that require CAP_NET_ADMIN (SIOCSARP in particular), and iptables cannot change any rules without that capability either.

Build
-----

    $ docker build -t nat-router .

Run
---

Create a docker container with the desired dnsmasq arguments and start it in daemon mode. Then run [pipework](https://github.com/jpetazzo/pipework) on the host to bridge the running container to the desired network; the wrapper blocks until pipework has created eth1 before it configures NAT and starts dnsmasq.

    $ docker run --privileged --detach --name nat-router-eth2 nat-router --dhcp-range=10.1.2.100,10.1.2.200,255.255.255.0
    $ pipework eth2 nat-router-eth2 10.1.2.1/24

Todo
----

* Find a better way to restart containers without the need for a script that runs pipework after starting the container. For now, watch the upstream pipework repo for a solution. :)
--------------------------------------------------------------------------------

/upstart/docker-nat-router-vlan20.conf:
--------------------------------------------------------------------------------
#
# Upstart job for many Docker NAT routers on many VLANs; expects
# a 1:1 mapping between containers and VLANs.
#
# Expected filename example:
#  * /etc/init/docker-nat-router-vlan20.conf
#
# Symlink this file under /etc/init once for each VLAN.
#
description "Docker NAT router"
author "Kyle Manna"

start on started docker.io and runlevel [2345]
stop on runlevel [!2345]
respawn

script
    # The VLAN id is taken from the job name, e.g. docker-nat-router-vlan20 -> 20
    #export vid=${UPSTART_JOB/*-vlan/}
    vid=$(echo $UPSTART_JOB | sed -e "s:.*-vlan::")

    docker start nat-router-vlan$vid
    pipework vlan$vid nat-router-vlan$vid 192.168.$vid.2/24 || true
    docker wait nat-router-vlan$vid
end script

pre-stop script
    vid=$(echo $UPSTART_JOB | sed -e "s:.*-vlan::")

    docker kill nat-router-vlan$vid
end script
--------------------------------------------------------------------------------

/wrapper:
--------------------------------------------------------------------------------
#!/bin/sh

# Fail loudly
set -ex

echo Waiting for pipework to give us the eth1 interface...
pipework --wait

# Set DNSMASQ_OPTS to replace these
DEFAULT_OPTS="--interface=eth1 --dhcp-authoritative"

# --user=root keeps dnsmasq running as root instead of dropping to its
# default unprivileged user (nobody) after startup.
NONDEBUG_OPTS="--keep-in-foreground --user=root"
# Set DNSMASQ_DEBUG to "--no-daemon" to help debug
#DEBUG_OPTS="--no-daemon"

echo Firing up iptables for NAT routing...
# Note: this masquerades everything leaving eth0, with no source-prefix
# restriction and no filtering in the FORWARD chain.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo Starting dnsmasq server...
# ${VAR-default} uses VAR if it is set (even if empty), otherwise the default.
# The container's remaining arguments (CMD) are appended as dnsmasq arguments.
dnsmasq ${DNSMASQ_DEBUG-$NONDEBUG_OPTS} ${DNSMASQ_OPTS-$DEFAULT_OPTS} "$@"
--------------------------------------------------------------------------------
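The wrapper's single rule, `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`, masquerades whatever leaves eth0 and leaves the FORWARD chain at its default ACCEPT policy, so anything that reaches eth1 is forwarded and translated. The script below is an added example and is not part of the nat-router project: it renders a tighter ruleset in iptables-restore format in which NAT is scoped to the LAN prefix, FORWARD defaults to DROP and admits only LAN-to-WAN connections plus their replies (with the LAN source prefix enforced, so spoofed sources are not forwarded), and INPUT accepts only the dnsmasq ports (DHCP, DNS, TFTP) on the LAN interface. The function names `render_nat_rules` and `apply_nat_rules`, the `--render`/`--apply` flags, and the `eth0`/`eth1`/`10.1.2.0/24` defaults (chosen to match the README's example network) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the nat-router project's own code): render a restricted
# iptables ruleset for the container instead of one unscoped MASQUERADE rule.
# Interface names and the LAN prefix are parameters; defaults are assumptions
# that match the README's example network.
set -eu

# render_nat_rules WAN_IF LAN_IF LAN_CIDR
# Prints a complete nat + filter ruleset in iptables-restore format.
render_nat_rules() {
    wan="${1:-eth0}"            # upstream side (Docker bridge)
    lan="${2:-eth1}"            # LAN side created by pipework
    lan_net="${3:-10.1.2.0/24}" # prefix handed out by dnsmasq

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only traffic that came from the LAN prefix, not everything leaving $wan.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# dnsmasq services, reachable from the LAN interface only.
# DHCP discover arrives from 0.0.0.0, so no source-prefix match on port 67.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 69 -j ACCEPT
# LAN -> WAN may open connections; WAN -> LAN only as replies to them.
-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_nat_rules WAN_IF LAN_IF LAN_CIDR
# Loads the ruleset atomically. iptables-restore replaces the nat and filter
# tables in one step, so re-running it does not stack duplicate rules the way
# repeated "iptables -A" calls do. Needs root and CAP_NET_ADMIN.
apply_nat_rules() {
    render_nat_rules "$@" | iptables-restore
}

case "${1:-}" in
    --render) render_nat_rules "${2:-}" "${3:-}" "${4:-}" ;;
    --apply)  apply_nat_rules  "${2:-}" "${3:-}" "${4:-}" ;;
esac
```

Run the script with `--render eth0 eth1 10.1.2.0/24` to inspect the output, and with `--apply` inside the container (as root, after pipework has created eth1) to load it. The FORWARD rules rely on the `conntrack` match, so the nf_conntrack modules must be loaded on the host kernel, which the `--privileged` container shares.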