How to forward packets from one network interface via another interface

3.5k views Asked by At

See picture below for architecture.

I know there are a lot of similar questions. However, having read multiple posts and trying some out I am still unable to set up as required. So I am posting this as a new question.

Scenario:

  • I have three containers (c1, c2 and c3)
  • I have different interfaces each running in three containers (eth0 and peervpnXX)
  • c1 has interfaces: eth0 and peervpn12
  • c2 has interfaces: eth0 and peervpn12 and peervpn23
  • c3 has interfaces: eth0 and peervpn23

Whilst eth0 interfaces are on the same subnet the peervpnXX interfaces are on different subnets:

  • peervpn12 - 10.12.0.0/24
  • peervpn23 - 10.23.0.0/24

Note that the peervpnXX interfaces are tunnel interfaces running on top of the eth0

Now the ip_addresses assigned to each container are as follows:

  • c1 : 172.17.0.2 (eth0) and 10.12.0.2 (peervpn12)
  • c2 : 172.17.0.3 (eth0) and 10.12.0.1 (peervpn12) and 10.23.0.1 (peervpn23)
  • c3 : 172.17.0.4 (eth0) and 10.23.0.2 (peervpn23)

What I am trying to do is to enable c1 to communicate to c3 via the middleman c2. In principle, I am trying to:

  • route packets intended to 10.23.0.0/24 from c1 to c3 via c2.
  • route packets intended to 10.12.0.0/24 from c3 to c1 via c2.

I created a routing rule on c1 & c3 to send packets to subnets 10.23.0.0/24 & 10.12.0.0/24 via interfaces peervpn12 and peervpn23. However, I think I am missing some forwarding rule that needs to be set up on c2.

PS: Assume that the 'eth0' interface is locked down and is used only as the underlying interface to route packets of the 'peervpnXX' interface

Any help with regards to figuring this is highly appreciated.
Thank You in advance.

Shabir

Complete Architecture explained above

1

There are 1 answers

1
Shabirmean On BEST ANSWER

Managed to find the issue.

Whilst adding the route for the container in the other subnet I haven't correctly specified the gateway. The gateway still points to the host machine in which docker is run (see above figure). So I added the correct routing rule specific to the two end-containers - c1 & c3.

c1 - ip route add 10.23.0.0/24 via 10.12.0.1 dev peervpn12
c3 - ip route add 10.12.0.0/24 via 10.23.0.1 dev peervpn23

In the meantime, had to add the correct FORWARD rules in the c2 container's iptables:

 iptables -A FORWARD -s 10.12.0.2 -i peervpn12 -d 10.23.0.2 -o peervpn23 -j ACCEPT
 iptables -A FORWARD -s 10.23.0.2 -i peervpn23 -d 10.12.0.2 -o peervpn12 -j ACCEPT

With this setup I was able to achieve the flow I expected.

Thank You and I don't know why it's down-voted.
Maybe if I know the reason I can correct myself in future :)