How to disable and enable internet connection from within Docker container? - shell

I am clearing /etc/resolv.conf to disable network :
sudo mv /etc/resolv.conf /etc/resolv_backup.conf
sudo touch /etc/resolv.conf
Then to enable network:
sudo mv /etc/resolv_backup.conf /etc/resolv.conf
However the resource is busy and I cannot execute these commands.
I want to disable internet from within container and not using:
docker network disconnect [OPTIONS] NETWORK CONTAINER
which does this from server on which container is deployed.
I am using Alpine.

From inside of a container, you are typically forbidden from changing the state of the network:
$ docker run -it --rm alpine:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
929: eth0#if930: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ip link set eth0 down
ip: ioctl 0x8914 failed: Operation not permitted
This is intentional, for security, to prevent applications from escaping the container sandbox. If you do not need security for your containers (and therefore something I recommend against doing), you can run your container with additional network capabilities:
$ docker run -it --rm --cap-add NET_ADMIN alpine:latest /bin/sh
/ # netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
933: eth0#if934: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ip link set eth0 down
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network unreachable
When you try to bring the network back up, you'll need to also setup the default route again to be able to connect to external networks:
/ # ip link set eth0 up
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network unreachable
/ # netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
/ # route add default gw 172.17.0.1
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=12.518 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=11.481 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 11.481/11.999/12.518 ms

First of all, clearing resolv.conf is not the proper way to disable network for your container. That just avoids name resolution, but you still can use IP connectivity.
To disable the network you should use the proper script depending if you are using systemd or sysV. Something similar to this should work (it depends on your distro):
# /etc/init.d/networking stop
# systemctl stop networking
Hope this helps! :-)

Related

Why can't I configure a static ip on raspberry pi?

I am trying to add a static ip address on raspberry-pi and can't get it working...
ifconfig on pi
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.68.104 netmask 255.255.255.0 broadcast 192.168.68.255
inet6 fe80::1e8e:49a0:5bf:ad41 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:c4:41:05 txqueuelen 1000 (Ethernet)
RX packets 210 bytes 49138 (47.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 189 bytes 28376 (27.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
gateway
192.168.xx.x
/etc/resolv.conf:
nameserver 62.179.104.xxx
nameserver 213.46.228.xxx
dhcpcd.conf settings:
interface wlan0
static ip_address=192.168.68.68/20
static routers=192.168.xx.x
static domain_name_servers=62.179.104.xxx 213.46.228.xxx
I have also tried static ip_address=192.168.68.68/24
reboot pi and hostname -I it still gives me the origin ip: 192.168.68.104
What am I doing wrong here? or Is there another way to set a static ip on raspberry pi?
First of all make sure the dhcpcd service is enabled and running:
sudo service dhcpcd status
If that is not the case:
sudo service dhcpcd start
sudo systemctl enable dhcpcd
Now you can edit the dhcpcd config (like you already did)
sudo nano /etc/dhcpcd.conf
If you have a network cable use: eth0 and on wifi: wlan (not wlan0)
interface eth0
static ip_address=192.168.0.4/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1
Configure this like you need.
After this reboot.
Good luck!

Adding a multicast route to an interface in OSX

I have a VM running in Fusion that I want to hit by routing a specific endpoint address through the virtual ethernet interface (multicast DNS, in particular). First I was sending packets and inspecting with Wireshark noticing that nothing was getting through. Then I thought to check the routing table
$ netstat -rn | grep vmnet8
Destination Gateway Flags Refs Use Netif Expire
172.16.12/24 link#29 UC 2 0 vmnet8 !
172.16.12.255 ff:ff:ff:ff:ff:ff UHLWbI 0 35 vmnet8 !
But unlike other interfaces,
Destination Gateway Flags Refs Use Netif Expire
224.0.0.251 a1:10:5e:50:0:fb UHmLWI 0 732 en0
224.0.0.251 a1:10:5e:50:0:fb UHmLWI 0 0 en8
There was no multicast route. So I added it:
$ sudo route add -host 224.0.0.251 -interface vmnet8
add host 224.0.0.251: gateway vmnet8
And so it was true
$ netstat -rn | grep vmnet8
Destination Gateway Flags Refs Use Netif Expire
172.16.12/24 link#29 UC 2 0 vmnet8 !
172.16.12.255 ff:ff:ff:ff:ff:ff UHLWbI 0 35 vmnet8 !
224.0.0.251 a1:10:5e:50:0:fb UHmLS 0 13 vmnet8
I was also sure to check the interface flags to ensure it had been configured to support multicast
$ ifconfig vmnet8
vmnet8: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:70:61:c0:11:08
inet 172.16.12.1 netmask 0xffffff00 broadcast 172.16.12.255
Still, no multicast packets I send are getting through. I noted that the other interface's multicast route have different flags than the default ones given to my added route. Namely UHmLWI vs UHmLS. The differences I can see are insignificant. From man netstat:
I RTF_IFSCOPE Route is associated with an interface scope
S RTF_STATIC Manually added
W RTF_WASCLONED Route was generated as a result of cloning
Then again, I'm not claiming to be a routing expert. Perhaps a multicast route entry must be made somehow differently?
You'll note that the Use column is non-zero, despite no packets showing in a sniffer.

awk + Print lines before and after match

I know this is a repetitive discussion for most query raised by many person, but I didn't get any apt solution specifically and looking only to awk command utiltiy.
I'm try to filter the MAC and IP address from the ifconfig output.
Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.xx.xx.xx Bcast:192.xx.xx.xx Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Currently I'm trying to print by matching HWADDR then checking second line, followed by next line.
awk '/HWaddr/{printf $NF;printf " ";getline;print $2;}' <filename> | cut -c1-18,24-
xx:xx:xx:xx:xx:xx 192.168.xx.xx
my question how to search to previous line. for eg:- If I match IP address for second line , then how to reverse search for the first line , something like
awk '/192/{printf $2;printf " ";<unknown>;}' <filename>
Here I'm matching for IP starts from 192, based on that checking the previous line. May I know what is the reverse search for getline, I meant what's the directive for reverse search
looking only with awk utility
The easiest way to do this is simply to store the previous line in a variable, and then reference that when you need it. For example, with the following awk script:
/192/ {print lastline}
{ lastline=$0 }
If I give it the following put:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 64:00:6a:7d:06:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.1.24/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 67513sec preferred_lft 67513sec
inet6 fe80::5da1:2401:a725:d2e0/64 scope link
valid_lft forever preferred_lft forever
I get as output:
link/ether 64:00:6a:7d:06:1a brd ff:ff:ff:ff:ff:ff
Of course, interfaces can have multiple addresses, and this would fail
if your interface look like, for example:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 64:00:6a:7d:06:1a brd ff:ff:ff:ff:ff:ff
inet 172.16.32.1/24 brd 172.16.32.255 scope global dynamic eth0
valid_lft 67513sec preferred_lft 67513sec
inet 192.168.1.24/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 67513sec preferred_lft 67513sec
inet6 fe80::5da1:2401:a725:d2e0/64 scope link
valid_lft forever preferred_lft forever
Rather than looking at "the previous line", it's better to explicitly
record the MAC address:
/192/ {print hwaddr}
/link\/ether/ {hwaddr=$0}
This will always print out the value of the previous link/ether line.
Could you please try following and let me know if this helps you.
awk '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/{print $2 OFS prev} {prev=$0}' Input_file

Packet filter syntax and loopback

I have a tun adapter (OS X) which looks like this:
tun11: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.12.0.2 --> 10.12.0.1 netmask 0xff000000
open (pid 4004)
I send a UDP packet to it:
echo "lol" | nc -4u 10.12.0.1 8000
and able to see it with tcpdump:
➜ build git:(master) ✗ sudo tcpdump -i tun11 -vv
tcpdump: listening on tun11, link-type NULL (BSD loopback), capture size 262144 bytes
14:39:16.669055 IP (tos 0x0, ttl 64, id 21714, offset 0, flags [none], proto UDP (17), length 32)
10.12.0.2.55707 > 10.12.0.1.irdmi: [udp sum ok] UDP, length 4
However I do not see anything when I use capture filter:
➜ build git:(master) ✗ sudo tcpdump -i tun11 udp -vv
tcpdump: listening on tun11, link-type NULL (BSD loopback), capture size 262144 bytes
Same syntax works fine with ethernet adapter:
➜ build git:(master) ✗ sudo tcpdump -i en0 udp -vv
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:42:15.010329 IP (tos 0x0, ttl 128, id 7539, offset 0, flags [none], proto UDP (17), length 291)
xxxx.54915 > 10.64.3.255.54915: [udp sum ok] UDP, length 263
I checked man pcap-filter and found an interesting sentence related to capture filters:
Note that this primitive does not chase the protocol header chain.
Is it related to my problem? Anyway, why capture filters (at least protocol part) do not work for loopback adapters and is there way to make them work?
Addition
Interesting, it works with tun device created by OpenVPN. But I do not understand what is the difference.
tun11: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.12.0.2 --> 10.12.0.1 netmask 0xff000000
open (pid 5792)
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 198.18.1.214 --> 198.18.1.213 netmask 0xffffffff
inet6 xxxx%utun0 prefixlen 64 optimistic scopeid 0xa
inet6 xxxx::1074 prefixlen 64 tentative
nd6 options=1<PERFORMNUD>

How to enable routing in OS X El Capitan

I've got a Linux VMware virtual machine (guest) configured with a NAT adapter on a 192.168.56.0 subnet. Its IP address is 192.168.56.128 and my Mac (host) got 192.168.56.1. Guest's default gateway is automatically set to 192.168.56.2 and is able to ping google. Host's Wi-Fi IP is 192.168.0.2,
I've configured my Wi-Fi router with following routing table to forward packets of 192.168.56.0 to 192.168.0.2 (my Mac)
pi#raspberrypi ~ $ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.16.4.1 0.0.0.0 UG 0 0 0 eth0
172.16.4.0 * 255.255.252.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 wlan0
192.168.56.0 192.168.0.2 255.255.255.255 UGH 0 0 0 wlan0
192.168.57.0 192.168.0.2 255.255.255.255 UGH 0 0 0 wlan0
But I'm unable to ping guest from any other device on the Wi-Fi network (192.168.0.0). So it's obvious that my Mac running OS X El Capitan is not forwarding the packets from 192.168.0.0 to 192.168.56.0
Not sure about your specific case. In my case I just had two ethernets on the same MacMini and one host being one of these ethernets. The only thing I had to do is sudo sysctl -w net.inet.ip.forwarding=1
https://roelant.net/2015/share-your-vpn-mac-el-capitan.html however noted another variable as well (sudo sysctl -w net.inet.ip.fw.enable=1) and went into a NAT scenario (which I did not need)

Resources