App outgoing bind interface

The update to apps to allow binding an app to a particular IP address alias is great. I’m really glad to see this improvement.

Something I’ve noticed is that while sockets exposed by the app respect this setting (e.g. port TCP 32400 in Plex will bind to the specified IP address alias) any outgoing connection made from the container (e.g. Plex calling home to Plex servers from an ephemeral port) is still bound to the TrueNAS IP address, not the specified alias. It would be very useful to have all connections originate from the one alias for an App (e.g. so that firewall ACLs can be written with an IP address in mind for each app).

Is there something I’ve missed that should allow this? Or is this not currently possible?

Cheers.

Not currently possible, as it’s all originating from one IP

That’s ok. It’s still a big improvement.

Just to further scratch, currently all outgoing connections originate from the host’s main IP addr and don’t take into account the configured alias IP addr for service sockets on an app… What would it take to improve this? Would we be talking about setting up a docker network for each container? Or is such a thing not currently possible at all with docker?

I’m just wondering if such a thing can be done through the docker CLI even if the TrueNAS GUI doesn’t currently support it.

Thanks.

You could learn how to do MACVLAN → Macvlan: All You Need to Know - SynchroNet things like this

I’ve figured out how to do it, albeit temporarily - these settings will probably need to be performed each time the container is stopped/started.

For anyone interested:

Say you’ve got a Plex app and you’ve specified IP address 192.168.1.11 as the Host IP address for the app, which is an alias on the TrueNAS nic (the first TrueNAS IP address being 192.168.1.10). If you query docker you’ll see port 32400 is bound to that address:

% sudo docker ps -a | grep pms-docker
5f906db91545 plexinc/pms-docker:plexpass  "/init" 13 days ago Up 13 days (healthy) 3005/tcp, 1900/udp, 32410/udp, 8324/tcp, 32412-32414/udp, 32469/tcp, 192.168.1.11:32400->32400/tcp   ix-plex-plex-1

Great, but as I explained, any outgoing connections from the app will originate from 192.168.1.10, which isn’t great if you want to use a firewall to police what the Plex container is talking to.

Check the docker network that Plex is using:

% sudo docker network ls | grep plex
cddfa6489de7   ix-plex_default                  bridge    local

Keep that network ID, and query iptables with it. You’ll see something like this:

% sudo iptables-save | grep cddfa6489de7 | grep POSTROUTING
-A POSTROUTING -s 172.16.2.0/24 ! -o br-cddfa6489de7 -j MASQUERADE

We want to replace that rule (making sure the -s source address is the same in the appended rule as on the deleted one):

# The next line removes the above masquerading rule
sudo iptables -t nat -D POSTROUTING -s 172.16.2.0/24 ! -o br-cddfa6489de7 -j MASQUERADE
# The next line adds a new SNAT rule
sudo iptables -t nat -A POSTROUTING -s 172.16.2.0/24 ! -o br-cddfa6489de7 -j SNAT --to-source 192.168.1.11

Voila, all outbound connections from Plex will originate from 192.168.1.11 instead of 192.168.1.10 and you can effectively police them from a firewall.

The next thing I need to figure out is how to do this programmatically not manually.
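A small POSIX shell script that performs the three steps above for one app, as an added example (not from this thread or from TrueNAS): it assumes the app's Docker network is named ix-<app>_default as in the post, and that it runs as root on the host with docker and iptables available.

```shell
#!/bin/sh
# Added example (not from the thread): re-point a TrueNAS app's outbound NAT to its
# alias IP. Assumes the app's Docker network is named ix-<app>_default, as in the
# post above, and that this runs as root with docker and iptables on the host.
set -u

# Turn one "iptables-save" POSTROUTING MASQUERADE line into the two commands from
# the post: delete the masquerade rule, then add a SNAT rule with the same match
# (same -s subnet, same "! -o br-<id>"), so only the translation target changes.
#   $1 = rule line, e.g. "-A POSTROUTING -s 172.16.2.0/24 ! -o br-cddfa6489de7 -j MASQUERADE"
#   $2 = alias IP to use as the source, e.g. 192.168.1.11
snat_rules_for() {
  rule=$1; alias_ip=$2
  case "$rule" in
    "-A POSTROUTING "*" -j MASQUERADE") ;;
    *) echo "refusing to rewrite unexpected rule: $rule" >&2; return 1 ;;
  esac
  match=${rule#-A POSTROUTING }
  match=${match% -j MASQUERADE}
  printf 'iptables -t nat -D POSTROUTING %s -j MASQUERADE\n' "$match"
  printf 'iptables -t nat -A POSTROUTING %s -j SNAT --to-source %s\n' "$match" "$alias_ip"
}

# Look up the app's bridge, find its single MASQUERADE rule and apply the replacement.
#   $1 = app name (e.g. plex), $2 = alias IP
apply_snat_for_app() {
  app=$1; alias_ip=$2
  # Docker names the bridge "br-" + the first 12 characters of the network ID.
  net_id=$(docker network inspect -f '{{.Id}}' "ix-${app}_default" | cut -c1-12)
  [ -n "$net_id" ] || { echo "no Docker network found for app $app" >&2; return 1; }
  rules=$(iptables-save -t nat | grep -F -- "! -o br-${net_id} -j MASQUERADE")
  if [ "$(printf '%s\n' "$rules" | grep -c .)" -ne 1 ]; then
    echo "expected exactly one MASQUERADE rule for br-${net_id}, got:" >&2
    printf '%s\n' "$rules" >&2
    return 1
  fi
  snat_rules_for "$rules" "$alias_ip" | sh -e
}

# Usage: sh snat-app.sh plex 192.168.1.11
if [ $# -eq 2 ]; then
  apply_snat_for_app "$1" "$2"
fi
```

Like the manual steps, this has to be re-run whenever Docker recreates the app's network, because Docker reinstalls its own MASQUERADE rule at that point.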
