@AGMETEOR AGMETEOR commented Jul 4, 2025

No description provided.

@AGMETEOR AGMETEOR self-assigned this Jul 4, 2025
@AGMETEOR AGMETEOR requested a review from Copilot July 4, 2025 11:36
Copilot

This comment was marked as outdated.

@AGMETEOR AGMETEOR requested a review from Copilot July 4, 2025 16:12

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds an iptables-based masquerading setup to the http-proxy container, driven by environment variables.

  • Install and enable iptables in the Docker runtime image
  • Introduce servermasq.sh to configure a custom NAT chain at container start
  • Update Dockerfile to run servermasq.sh as the entrypoint before launching the proxy

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| servermasq.sh | New startup script that creates/flushes a LANTERN_SERVERMASQ chain and applies DNAT rules based on $PROXY_ADDR, $PROXY_PORT, and $MASQ_ADDR |
| Dockerfile | Installs iptables, copies and marks servermasq.sh executable, and sets it as the container entrypoint prior to running the proxy |

Comments suppressed due to low confidence (1)

servermasq.sh:1

  • [nitpick] Add a header comment describing the purpose of this script and its required environment variables (PROXY_ADDR, PROXY_PORT, MASQ_ADDR) to improve maintainability.
#!/bin/sh

Comment on lines 27 to 28
USER lantern
ENTRYPOINT ["/servermasq.sh"]

Copilot AI Jul 4, 2025

The servermasq.sh entrypoint executes iptables commands, which require root privileges, but the container switches to the unprivileged lantern user before running the script. Consider moving USER lantern below the entrypoint or running the iptables setup as root and then dropping privileges before starting the proxy.

Suggested change
USER lantern
ENTRYPOINT ["/servermasq.sh"]
ENTRYPOINT ["/servermasq.sh"]
USER lantern
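
Review bot: Placing USER lantern after ENTRYPOINT in the suggested lines leaves the runtime user unchanged, because Docker starts the entrypoint as the last USER set in the stage regardless of where ENTRYPOINT appears, so /servermasq.sh would still run as lantern and its iptables calls would still fail. The other option in the comment is the one that works: remove USER lantern from the image, let servermasq.sh start as root, and have the script switch to lantern itself immediately before its exec "$@". Root alone is also not enough for iptables; the container needs the NET_ADMIN capability at run time.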

Copilot uses AI. Check for mistakes.
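
One way to structure the "run the iptables setup as root, then drop privileges" option from the comment above, as an added example that is not the PR's servermasq.sh. The chain name and the three environment variables come from the review overview; the rule set, the `su-exec` helper and the `IPT` and `RUN_AS` variables are assumptions, as is an image that leaves the default user as root and a container started with NET_ADMIN.

```shell
#!/bin/sh
# Added example, not the PR's servermasq.sh. Rule bodies and su-exec are assumptions.
CHAIN=LANTERN_SERVERMASQ   # chain name from the review overview
RUN_AS=${RUN_AS:-lantern}  # hypothetical knob; lantern is the Dockerfile's user
IPT=${IPT:-iptables}       # hypothetical knob; IPT="echo iptables" gives a dry run

# Dotted-quad IPv4 only, each octet 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# TCP port 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate the environment before it reaches iptables, then rebuild the chain.
apply_rules() {
    valid_ipv4 "$PROXY_ADDR" && valid_port "$PROXY_PORT" && valid_ipv4 "$MASQ_ADDR" || {
        echo "servermasq: bad PROXY_ADDR, PROXY_PORT or MASQ_ADDR" >&2; return 2; }
    $IPT -t nat -N "$CHAIN" 2>/dev/null || true   # chain may already exist
    $IPT -t nat -F "$CHAIN" || return 1
    # Assumed rules: the proxy port stays local, other TCP is sent to MASQ_ADDR.
    $IPT -t nat -A "$CHAIN" -p tcp --dport "$PROXY_PORT" -j RETURN || return 1
    $IPT -t nat -A "$CHAIN" -p tcp -j DNAT --to-destination "$MASQ_ADDR" || return 1
    $IPT -t nat -D PREROUTING -d "$PROXY_ADDR" -j "$CHAIN" 2>/dev/null || true
    $IPT -t nat -A PREROUTING -d "$PROXY_ADDR" -j "$CHAIN"
}

# Root (with CAP_NET_ADMIN) is used only for rule setup; the proxy runs as $RUN_AS.
main() {
    [ "$(id -u)" -eq 0 ] || { echo "servermasq: must start as root" >&2; return 1; }
    apply_rules || return $?
    exec su-exec "$RUN_AS" "$@"
}

# Dry run with constructed values; a real entrypoint would end with: main "$@"
PROXY_ADDR=192.0.2.10 PROXY_PORT=443 MASQ_ADDR=198.51.100.7
IPT="echo iptables"
apply_rules
```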

@AGMETEOR AGMETEOR requested a review from Crosse July 7, 2025 09:30

@Crosse Crosse left a comment

I'm good with this, but I do think we need to test it on a single track first before rolling it out fleet-wide.

servermasq.sh Outdated
exec "$@"
fi

# The iptables rules can be expalined as follows:

Suggested change
# The iptables rules can be expalined as follows:
# The iptables rules can be explained as follows:
