Tags: docker, iptables, docker-swarm, docker-network

Auto-update iptables forwarding rules to the corresponding docker service port on a docker swarm


Goal: Have a script (or similar) that will call the Docker API to automatically create a new service for a new client host and then update the iptables forwarding rules on all swarm nodes according to the new service port.

Question: What is the best/most robust approach to dynamically update iptables rules across multiple swarm nodes in order to easily add new client apps for new client Hosts?

Flow of the scenario:

  1. Client hosts connect directly to the network load balancer on port 80/tcp.
  2. The network load balancer receives traffic from the client Hosts and redirects it to the pool hosts, which are the docker swarm nodes.
  3. Docker swarm nodes only allow connections on port 80/tcp.
  4. IPTables rules on the docker swarm nodes redirect the traffic, depending on the client (source IP), to the right docker swarm service (tcp port).

Scenario Image:

Scenario (example):

  • Docker Swarm Hosts

    • master01 = ip 10.20.30.100
    • node01 = ip 10.20.30.161
    • node02 = ip 10.20.30.162
  • Docker Swarm Services

    • app01 = port 8081/tcp (belongs to client01)
    • app02 = port 8082/tcp (belongs to client02)
  • Client Hosts

    • client01 = ip 192.168.10.100
    • client02 = ip 192.168.10.200
  • Network LoadBalancer

    • network-lb = ip 10.10.10.10
    • pool = ip [10.20.30.161, 10.20.30.162]
  • IPTables Rules on Swarm Nodes

    • iptables -t nat -I PREROUTING -p tcp -s 192.168.10.100 --dport 80 -j REDIRECT --to-port 8081
    • iptables -t nat -I PREROUTING -p tcp -s 192.168.10.200 --dport 80 -j REDIRECT --to-port 8082
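
A script of the kind the question asks for, added here as an example (it is not code from the original post): it keeps the client-to-port mapping in a small "client_ip port" file, renders the same REDIRECT rules as above in an idempotent form (check with -C, insert with -I only if absent) and pushes them to every swarm node over ssh. The map file name, the root ssh access to the nodes and the node addresses are assumptions for the example, as is the premise that the network load balancer hands the nodes the original client source address; if the LB rewrites the source, -s will match the LB and not the client.

```shell
#!/bin/sh
# Added example, not code from the original post: render idempotent REDIRECT
# rules for every client in a "client_ip port" map and push them to each
# swarm node over ssh. Assumptions: nodes accept root ssh (a deploy key), the
# map file is maintained by the provisioning script that creates the service,
# and the network LB preserves the client source address (otherwise -s would
# match the LB address, not the client).
set -eu

# Reject anything that is not a dotted quad so a map line cannot inject shell text.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Port must be all digits and within 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rule spec shared by the check (-C) and insert (-I) forms; same shape as the post's rules.
rule_spec() {
    printf 'PREROUTING -p tcp -s %s --dport 80 -j REDIRECT --to-port %s' "$1" "$2"
}

# Idempotent command: insert only when an identical rule is not already present,
# so re-running after adding a client does not stack duplicates at the top of the chain.
rule_cmd() {
    spec=$(rule_spec "$1" "$2")
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s' "$spec" "$spec"
}

# Turn the map on stdin into a script that can be fed to "sh -s" on a node.
# Blank lines and "#" comments are skipped; a malformed line aborts the whole render.
render_script() {
    echo 'set -e'
    while read -r ip port _; do
        case $ip in ''|\#*) continue ;; esac
        valid_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        rule_cmd "$ip" "$port"
        echo
    done
}

# push_rules MAPFILE NODE... : render once per node and run it there.
push_rules() {
    map=$1; shift
    for node in "$@"; do
        render_script < "$map" | ssh "root@$node" 'sh -s'
    done
}

# Example map (constructed for this post's scenario):
#   192.168.10.100 8081
#   192.168.10.200 8082
# Usage: push_rules clients.map 10.20.30.161 10.20.30.162
```

The rules live in the nat table's PREROUTING chain, so they are consulted for the first packet of each connection only and -I puts them ahead of whatever Docker itself has installed there; the -C guard is what makes the script safe to run on every provisioning cycle rather than only once.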

Solution

  • OK, some quick items that may help you decide on a solution. This is as of the 17.12 release:

    • Sounds like you got this part right, but as a reminder, Docker services are designed so all replicas of that service are identical, and not unique in terms of configuration.
    • Docker Overlay networks, Routing Mesh, and VIP/DNSRR features cannot route traffic based on client (originating) IP.
    • Given that Swarm manages a lot of iptables rules, I'd be concerned about adding my own external iptables-editing solution. It might get tricky to make sure both play nicely together... but I've never tried it.
    • The most "Docker way" possible for client-IP-based connection routing is likely to use Traefik or Docker Flow Proxy, both of which are Swarm-aware and use nginx/haproxy to route incoming connections to a Swarm. They usually do this based on the requested DNS name or URL path, but they should be able to make Swarm service routing decisions based on client IP.
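
What the proxy-based alternative looks like in concrete terms, as an added example that is not part of the answer and not code from Traefik or Docker Flow Proxy: a renderer for a plain HAProxy front end that selects the backend by client source address (HAProxy's `src` ACL) and sends every other source to a deny backend. The map format ("client_ip service port"), the assumption that the proxy runs as a Swarm service on the same overlay network as app01/app02 so that each backend is reachable by service name on the listed port, and the assumption that the proxy's port 80 is published with mode=host so that HAProxy sees the real client address instead of the ingress network's, are all this example's own.

```shell
#!/bin/sh
# Added example, not from the answer or from either project: render a plain
# HAProxy front end that picks the Swarm service by client source address and
# denies everyone else. Assumptions: the map format is "client_ip service port",
# the proxy runs as a Swarm service on the same overlay network as app01/app02
# so each backend is reachable by service name on its container port, and the
# proxy's port 80 is published with mode=host so HAProxy sees the real client IP
# rather than the ingress network's address.
set -eu

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Service names become HAProxy identifiers, so keep them to a safe character set.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# render_haproxy_cfg MAPFILE : print a complete haproxy.cfg to stdout.
render_haproxy_cfg() {
    map=$1
    cat <<'EOF'
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend client_in
    bind *:80
EOF
    # One ACL per client; routing is decided by source address, not by Host or path.
    while read -r ip svc port _; do
        case $ip in ''|\#*) continue ;; esac
        valid_ipv4 "$ip" && valid_name "$svc" && valid_port "$port" \
            || { echo "bad map line: $ip $svc $port" >&2; return 1; }
        acl=c_$(printf '%s' "$ip" | tr . _)
        printf '    acl %s src %s\n' "$acl" "$ip"
        printf '    use_backend be_%s if %s\n' "$svc" "$acl"
    done < "$map"
    # Unknown sources get a 403 instead of silently landing on some client's app.
    printf '    default_backend be_deny\n\n'
    while read -r ip svc port _; do
        case $ip in ''|\#*) continue ;; esac
        printf 'backend be_%s\n    server %s %s:%s check\n\n' "$svc" "$svc" "$svc" "$port"
    done < "$map"
    printf 'backend be_deny\n    http-request deny\n'
}

# Example map (constructed for this thread's scenario):
#   192.168.10.100 app01 8081
#   192.168.10.200 app02 8082
# Usage: render_haproxy_cfg clients.map > haproxy.cfg && haproxy -c -f haproxy.cfg
```

Adding a client then means appending one map line and reloading the proxy, with no per-node iptables work and no interaction with the rules Swarm manages; the explicit deny backend is the part worth keeping whichever proxy is chosen, since without it an unlisted source falls through to whatever backend happens to be the default.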