#!/bin/bash
# Envoy initialization script responsible for setting up port forwarding.
# Fail fast: stop on any unhandled non-zero status, on an unset variable,
# and on a failed stage inside a pipeline, so the script halts at the first
# failed iptables call rather than continuing with a partially applied ruleset.
set -euo pipefail
#######################################
# Print the command-line synopsis and option help to stdout.
# Globals:   none
# Arguments: none ($0 is used for the program name)
# Outputs:   seven lines of help text on stdout
# Returns:   0
#######################################
usage() {
  # Unquoted delimiter so ${0} expands; every other line is literal text.
  cat <<EOF
${0} -p PORT -u UID [-h]

 -p: Specify the envoy port to which redirect all TCP traffic
 -u: Specify the UID of the user for which the redirection is not
 applied. Typically, this is the UID of the proxy container
 -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional)

EOF
}
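# Parse -p/-u/-i from argv. ENVOY_PORT and ENVOY_UID are spliced into the
# iptables rules below, so they are validated as plain integers here rather
# than left for iptables to reject (or accept) later.
IP_RANGES_INCLUDE=""
# NOTE: "e:" is still in the option string but has no case arm, so -e and its
# argument are consumed by getopts and silently ignored.
while getopts ":p:u:e:i:h" opt; do
  case "${opt}" in
    p)
      ENVOY_PORT=${OPTARG}
      ;;
    u)
      ENVOY_UID=${OPTARG}
      ;;
    i)
      IP_RANGES_INCLUDE=${OPTARG}
      ;;
    h)
      usage
      exit 0
      ;;
    :)
      # Leading ':' in the option string routes "missing argument" here;
      # without this arm "-p" or "-i" with no value was silently dropped.
      echo "Option -${OPTARG} requires an argument" >&2
      usage >&2
      exit 1
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      usage >&2
      exit 1
      ;;
  esac
done
# Both -p and -u are mandatory; diagnostics go to stderr.
if [[ -z "${ENVOY_PORT-}" ]] || [[ -z "${ENVOY_UID-}" ]]; then
  echo "Please set both -p and -u parameters" >&2
  usage >&2
  exit 1
fi
# Port must be a TCP port number; 10# forces decimal so "080" is not parsed as octal.
if ! [[ "${ENVOY_PORT}" =~ ^[0-9]+$ ]] || (( 10#${ENVOY_PORT} < 1 || 10#${ENVOY_PORT} > 65535 )); then
  echo "Invalid -p value '${ENVOY_PORT}': expected a TCP port between 1 and 65535" >&2
  exit 1
fi
# UID must be numeric; the --uid-owner match below is the Envoy bypass rule,
# so a malformed value here would silently weaken the loop-avoidance logic.
if ! [[ "${ENVOY_UID}" =~ ^[0-9]+$ ]]; then
  echo "Invalid -u value '${ENVOY_UID}': expected a numeric UID" >&2
  exit 1
fi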
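# Install the nat-table rules. Every iptables call below modifies the nat
# table and therefore needs CAP_NET_ADMIN (normally root). Under errexit the
# script stops at the first failing rule; rules already added are not rolled back.
#
# Create a new chain for redirecting inbound and outbound traffic to
# the common Envoy port.
iptables -t nat -N ISTIO_REDIRECT -m comment --comment "istio/redirect-common-chain"
iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port "${ENVOY_PORT}" -m comment --comment "istio/redirect-to-envoy-port"
# Redirect all inbound traffic to Envoy.
iptables -t nat -A PREROUTING -j ISTIO_REDIRECT -m comment --comment "istio/install-istio-prerouting"
# Create a new chain for selectively redirecting outbound packets to
# Envoy.
iptables -t nat -N ISTIO_OUTPUT -m comment --comment "istio/common-output-chain"
# Jump to the ISTIO_OUTPUT chain from OUTPUT chain for all tcp
# traffic. '-j RETURN' bypasses Envoy and '-j ISTIO_REDIRECT'
# redirects to Envoy.
iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT -m comment --comment "istio/install-istio-output"
# Redirect app calls to back itself via Envoy when using the service VIP or endpoint
# address, e.g. appN => Envoy (client) => Envoy (server) => appN.
# Rule order matters: this precedes the --uid-owner bypass below, so Envoy's
# own loopback traffic to a non-127.0.0.1 address is still redirected.
iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT -m comment --comment "istio/redirect-implicit-loopback"
# Avoid infinite loops. Don't redirect Envoy traffic directly back to
# Envoy for non-loopback traffic.
iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner "${ENVOY_UID}" -j RETURN -m comment --comment "istio/bypass-envoy"
# Skip redirection for Envoy-aware applications and
# container-to-container traffic both of which explicitly use
# localhost.
iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN -m comment --comment "istio/bypass-explicit-loopback"
# All outbound traffic will be redirected to Envoy by default. If
# IP_RANGES_INCLUDE is non-empty, only traffic bound for the
# destinations specified in this list will be captured.
if [[ "${IP_RANGES_INCLUDE}" != "" ]]; then
  # Split on commas via tr instead of reassigning the global IFS, which the
  # previous version set and never restored; the loop runs in the current
  # shell because the input is a process substitution, not a pipe.
  while IFS= read -r cidr; do
    # Tolerate stray commas ("a,,b", trailing ","); iptables -d "" would fail.
    [[ -n "${cidr}" ]] || continue
    iptables -t nat -A ISTIO_OUTPUT -d "${cidr}" -j ISTIO_REDIRECT -m comment --comment "istio/redirect-ip-range-${cidr}"
  done < <(tr ',' '\n' <<<"${IP_RANGES_INCLUDE}")
  iptables -t nat -A ISTIO_OUTPUT -j RETURN -m comment --comment "istio/bypass-default-outbound"
else
  iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT -m comment --comment "istio/redirect-default-outbound"
fi
exit 0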