From c7c060f1bdba43412656595184331811447d9d8a Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Fri, 4 Jul 2025 14:35:20 +0300
Subject: [PATCH 01/10] Add iptables to http-proxy docker images
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 98942af4..bf538cbe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,8 @@ FROM --platform=$BUILDPLATFORM alpine as user
 RUN adduser -S -u 10000 lantern
 FROM alpine
+RUN apk add --no-cache iptables
+
 COPY --from=user /etc/passwd /etc/passwd
 COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
From 611aefe8279f59edbe7c93a0498262ed604bb0d4 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Fri, 4 Jul 2025 19:03:54 +0300
Subject: [PATCH 02/10] Add servermasq set up script
---
 Dockerfile | 4 ++++
 servermasq.sh | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 servermasq.sh
diff --git a/Dockerfile b/Dockerfile
index bf538cbe..256b9211 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,5 +21,9 @@ RUN apk add --no-cache iptables
 COPY --from=user /etc/passwd /etc/passwd
 COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
+COPY servermasq.sh /servermasq.sh
+RUN chmod +x /servermasq.sh
+
 USER lantern
+ENTRYPOINT ["/servermasq.sh"]
 CMD ["/usr/local/bin/http-proxy"]
diff --git a/servermasq.sh b/servermasq.sh
new file mode 100644
index 00000000..9655724e
--- /dev/null
+++ b/servermasq.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+echo "[+] Setting up LANTERN_SERVERMASQ iptables chain..."
+
+if [ -z "$PROXY_ADDR" ] || [ -z "$PROXY_PORT" ] || [ -z "$MASQ_ADDR" ]; then
+ echo "[~] Required environment variables not set, skipping iptables setup"
+ exec "$@"
+fi
+
+iptables -t nat -N LANTERN_SERVERMASQ 2>/dev/null || true
+iptables -t nat -F LANTERN_SERVERMASQ 2>/dev/null || true
+
+iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" ! --dport "$PROXY_PORT" -j DNAT --to-destination "$MASQ_ADDR"
+iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
+
+echo "[+] LANTERN_SERVERMASQ setup complete: $@"
+exec "$@"
\ No newline at end of file
From 53cb84198791ecac91c3dc0f93639c0a9c75c8f1 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Fri, 4 Jul 2025 19:19:06 +0300
Subject: [PATCH 03/10] Add servermasq set up script comment
---
 servermasq.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/servermasq.sh b/servermasq.sh
index 9655724e..a2382142 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -8,6 +8,13 @@ if [ -z "$PROXY_ADDR" ] || [ -z "$PROXY_PORT" ] || [ -z "$MASQ_ADDR" ]; then
 exec "$@"
 fi
+# The iptables rules can be expalined as follows:
+# 1. Create a new chain called LANTERN_SERVERMASQ.
+# 2. Add a rule to the LANTERN_SERVERMASQ chain that matches packets destined for the proxy address
+# (PROXY_ADDR) that are not destined for the proxy port (PROXY_PORT), and redirects them to the masqAddr.
+# 3. Add a rule to the PREROUTING chain that matches packets destined for the proxy address (PROXY_ADDR)
+# and redirects them to the LANTERN_SERVERMASQ chain.
+
 iptables -t nat -N LANTERN_SERVERMASQ 2>/dev/null || true
 iptables -t nat -F LANTERN_SERVERMASQ 2>/dev/null || true
From 4e0dd49c0f639da9419ce778e93a3296c178e381 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Mon, 7 Jul 2025 12:29:45 +0300
Subject: [PATCH 04/10] .
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
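Review bot: `iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ` is appended unconditionally, so a nat table that already holds the jump gets a duplicate every time the script runs; the `-N … || true` / `-F` pair makes the custom chain re-runnable but not the hook into PREROUTING. Checking before appending keeps it idempotent: `iptables -t nat -C PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ 2>/dev/null || iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ`; the POSTROUTING rule added in PATCH 09 has the same shape. Whether the table outlives a run depends on how the container is restarted (a fresh network namespace starts empty), so this presumably only bites with a shared or host namespace or an in-container supervisor re-running the entrypoint. Separately, `echo "[+] LANTERN_SERVERMASQ setup complete: $@"` should use `$*` inside the double quotes (ShellCheck SC2145), since `"$@"` embedded in a larger word is unspecified.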
diff --git a/Dockerfile b/Dockerfile
index 256b9211..d54d6220 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,6 @@ COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
 COPY servermasq.sh /servermasq.sh
 RUN chmod +x /servermasq.sh
-USER lantern
 ENTRYPOINT ["/servermasq.sh"]
+USER lantern
 CMD ["/usr/local/bin/http-proxy"]
From bbc90467f26bbe8371e1126b8a7edbec25c01cff Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Thu, 10 Jul 2025 11:47:24 +0300
Subject: [PATCH 05/10] Fix permissions for iptables
---
 Dockerfile | 2 +-
 servermasq.sh | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d54d6220..b3d71a86 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,6 @@ COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
 COPY servermasq.sh /servermasq.sh
 RUN chmod +x /servermasq.sh
+USER root
 ENTRYPOINT ["/servermasq.sh"]
-USER lantern
 CMD ["/usr/local/bin/http-proxy"]
diff --git a/servermasq.sh b/servermasq.sh
index a2382142..8eccc5eb 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -22,4 +22,5 @@ iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" ! --dport "$PROXY_PORT" -
 iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
 echo "[+] LANTERN_SERVERMASQ setup complete: $@"
-exec "$@"
\ No newline at end of file
+# exec "$@"
+exec su lantern -s /bin/sh -c "$*"
\ No newline at end of file
From 2cd8a3a7714b0de27f0d1521ceba41b5ff7c1a19 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Thu, 10 Jul 2025 11:57:28 +0300
Subject: [PATCH 06/10] Fix permissions for iptables
---
 Dockerfile | 2 +-
 servermasq.sh | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b3d71a86..256b9211 100644
--- a/Dockerfile
+++ b/Dockerfile
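Review bot: `exec su lantern -s /bin/sh -c "$*"` joins the arguments into one string and hands it to a new shell, so an argument containing whitespace or shell metacharacters is re-split and re-interpreted instead of being passed through verbatim, which is exactly what the previous `exec "$@"` guaranteed. A helper that switches user and takes an argv, such as Alpine's su-exec (`exec su-exec lantern "$@"`), preserves the arguments unchanged. The commented-out `# exec "$@"` kept above it is dead code; version control already records the old line.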
@@ -24,6 +24,6 @@ COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
 COPY servermasq.sh /servermasq.sh
 RUN chmod +x /servermasq.sh
-USER root
+USER lantern
 ENTRYPOINT ["/servermasq.sh"]
 CMD ["/usr/local/bin/http-proxy"]
diff --git a/servermasq.sh b/servermasq.sh
index 8eccc5eb..a2382142 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -22,5 +22,4 @@ iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" ! --dport "$PROXY_PORT" -
 iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
 echo "[+] LANTERN_SERVERMASQ setup complete: $@"
-# exec "$@"
-exec su lantern -s /bin/sh -c "$*"
\ No newline at end of file
+exec "$@"
\ No newline at end of file
From c147d5e18a49f13fe2fab29974e22653e1069492 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Thu, 10 Jul 2025 13:10:10 +0300
Subject: [PATCH 07/10] Fix iptables commands
---
 Dockerfile | 6 ++++--
 servermasq.sh | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 256b9211..852a9a3c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,7 @@ FROM --platform=$BUILDPLATFORM alpine as user
 RUN adduser -S -u 10000 lantern
 FROM alpine
-RUN apk add --no-cache iptables
+RUN apk add --no-cache iptables su-exec
 COPY --from=user /etc/passwd /etc/passwd
 COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
@@ -24,6 +24,8 @@ COPY --from=builder /usr/local/bin/http-proxy /usr/local/bin/http-proxy
 COPY servermasq.sh /servermasq.sh
 RUN chmod +x /servermasq.sh
-USER lantern
+# Run as root because iptables in the servermasq.sh script needs root privileges
+# the script itself will switch to the lantern user before executing the http-proxy binary
+USER root
 ENTRYPOINT ["/servermasq.sh"]
 CMD ["/usr/local/bin/http-proxy"]
diff --git a/servermasq.sh b/servermasq.sh
index a2382142..b6a7d05a 100644
--- a/servermasq.sh
+++ b/servermasq.sh
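Review bot: The comment added above `USER root` explains the uid but not the capability the image now depends on: inside a container, a root uid alone does not permit modifying the nat table, the process also needs CAP_NET_ADMIN, which Docker does not grant by default and nothing in this series records. Since `servermasq.sh` runs `iptables -t nat -A …` under `set -e` without `|| true`, a container started without that capability exits at the first append. Suggest extending the comment: `# iptables also needs CAP_NET_ADMIN at runtime (e.g. --cap-add NET_ADMIN); without it the entrypoint exits non-zero`.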
@@ -18,8 +18,8 @@ fi
 iptables -t nat -N LANTERN_SERVERMASQ 2>/dev/null || true
 iptables -t nat -F LANTERN_SERVERMASQ 2>/dev/null || true
-iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" ! --dport "$PROXY_PORT" -j DNAT --to-destination "$MASQ_ADDR"
+iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" -p tcp ! --dport "$PROXY_PORT" -j DNAT --to-destination "$MASQ_ADDR"
 iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
 echo "[+] LANTERN_SERVERMASQ setup complete: $@"
-exec "$@"
\ No newline at end of file
+exec su-exec lantern "$@"
\ No newline at end of file
From 80c44cdf566cd21d1b18942502e8c9eed884ca8a Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Thu, 24 Jul 2025 16:52:06 +0300
Subject: [PATCH 08/10] Fix perms
---
 servermasq.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servermasq.sh b/servermasq.sh
index b6a7d05a..eccc5266 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -22,4 +22,5 @@ iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" -p tcp ! --dport "$PROXY_
 iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
 echo "[+] LANTERN_SERVERMASQ setup complete: $@"
-exec su-exec lantern "$@"
\ No newline at end of file
+# exec su-exec lantern "$@"
+exec "$@"
\ No newline at end of file
From 22275da40d24caefab9a283bbfec029c05e7cf83 Mon Sep 17 00:00:00 2001
From: Allan Guwatudde
Date: Sat, 26 Jul 2025 13:02:47 +0300
Subject: [PATCH 09/10] Fix servermasq rules
---
 servermasq.sh | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/servermasq.sh b/servermasq.sh
index eccc5266..00ba1053 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -3,6 +3,8 @@ set -e
 echo "[+] Setting up LANTERN_SERVERMASQ iptables chain..."
+PROXY_ADDR=$(hostname -i | awk '{print $1}')
+
 if [ -z "$PROXY_ADDR" ] || [ -z "$PROXY_PORT" ] || [ -z "$MASQ_ADDR" ]; then
 echo "[~] Required environment variables not set, skipping iptables setup"
 exec "$@"
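Review bot: With `USER root` now set in the Dockerfile, the skip branch's `exec "$@"` (last context line of this hunk) starts the proxy as root, because only the success path at the end of the script drops to `lantern` via su-exec; the new `PROXY_ADDR=$(hostname -i | awk '{print $1}')` also makes that branch reachable whenever `hostname -i` prints nothing, not only when an operator forgot a variable. Drop privileges on both paths: `exec su-exec lantern "$@"`. The assignment additionally overrides any PROXY_ADDR supplied through the environment, so the message `Required environment variables not set` no longer describes that case; either honour a preset value with `PROXY_ADDR=${PROXY_ADDR:-$(hostname -i | awk '{print $1}')}` or have the message name the variable that is actually empty. The `if` block this branch belongs to ends outside the hunk.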
@@ -11,16 +13,37 @@ fi
 # The iptables rules can be expalined as follows:
 # 1. Create a new chain called LANTERN_SERVERMASQ.
 # 2. Add a rule to the LANTERN_SERVERMASQ chain that matches packets destined for the proxy address
-# (PROXY_ADDR) that are not destined for the proxy port (PROXY_PORT), and redirects them to the masqAddr.
+# (PROXY_ADDR) that are not destined for the proxy port (PROXY_PORT), and redirects them to the MASQ_ADDR.
+# It is important to understand the context in which this docker container is running and this determines the
+# value of PROXY_ADDR. PROXY_ADDR is the container's internal IP address. See flow of traffic below:
+ # [ External Client (public internet) ]
+# |
+# v
+# [ Public IP of cloud provider ]
+# |
+# (NAT to private IP)
+# |
+# v
+# [ VM Private IP (e.g., 10.52.x.x) ]
+# |
+# (Host port → Container port binding)
+# |
+# (Docker NAT to container IP)
+# |
+# v
+# [ Docker Container IP (e.g., 172.17.x.x) ]
+
 # 3. Add a rule to the PREROUTING chain that matches packets destined for the proxy address (PROXY_ADDR)
 # and redirects them to the LANTERN_SERVERMASQ chain.
+# 4. Add a rule to the POSTROUTING chain that matches packets destined for the MASQ_ADDR and masquerades them in order for responses to be sent back correctly to container.
 iptables -t nat -N LANTERN_SERVERMASQ 2>/dev/null || true
 iptables -t nat -F LANTERN_SERVERMASQ 2>/dev/null || true
 iptables -t nat -A LANTERN_SERVERMASQ -d "$PROXY_ADDR" -p tcp ! --dport "$PROXY_PORT" -j DNAT --to-destination "$MASQ_ADDR"
 iptables -t nat -A PREROUTING -d "$PROXY_ADDR" -j LANTERN_SERVERMASQ
+iptables -t nat -A POSTROUTING -d "$MASQ_ADDR" -j MASQUERADE
 echo "[+] LANTERN_SERVERMASQ setup complete: $@"
-# exec su-exec lantern "$@"
-exec "$@"
\ No newline at end of file
+exec su-exec lantern "$@"
\ No newline at end of file
From 53780c4833f17979bf3794ff2ecb70d5af1aed6e Mon Sep 17 00:00:00 2001
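Review bot: `iptables -t nat -A POSTROUTING -d "$MASQ_ADDR" -j MASQUERADE` is broader than the DNAT rule it exists to pair with: the chain rule is restricted to `-p tcp`, whereas this one rewrites the source of every packet leaving for MASQ_ADDR, including traffic the container originates itself. Scoping it the same way, `iptables -t nat -A POSTROUTING -d "$MASQ_ADDR" -p tcp -j MASQUERADE`, keeps the two rules describing the same flows and makes the pairing obvious to the next reader. On the documentation side, the traffic diagram is now spliced between steps 2 and 3 of the numbered list and step 4 is a single very long line; moving the diagram below the list and wrapping step 4 would keep the four steps readable as one unit.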
From: Allan Guwatudde
Date: Sat, 26 Jul 2025 13:07:52 +0300
Subject: [PATCH 10/10] Fix typo
---
 servermasq.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servermasq.sh b/servermasq.sh
index 00ba1053..fb56c582 100644
--- a/servermasq.sh
+++ b/servermasq.sh
@@ -10,7 +10,7 @@ if [ -z "$PROXY_ADDR" ] || [ -z "$PROXY_PORT" ] || [ -z "$MASQ_ADDR" ]; then
 exec "$@"
 fi
-# The iptables rules can be expalined as follows:
+# The iptables rules can be explained as follows:
 # 1. Create a new chain called LANTERN_SERVERMASQ.
 # 2. Add a rule to the LANTERN_SERVERMASQ chain that matches packets destined for the proxy address
 # (PROXY_ADDR) that are not destined for the proxy port (PROXY_PORT), and redirects them to the MASQ_ADDR.