Modify iptables rules to allow exgress traffic from within the container. See BREV-2599.

Author: brycelelbach

v1/providers/shadeform/firewall.go

@@ -15,10 +15,26 @@ const (
 	ufwDefaultAllowPort2222 = "ufw allow 2222/tcp"
 	ufwForceEnable          = "ufw --force enable"
 
+	// Clear DOCKER-USER policy.
 	ipTablesResetDockerUserChain            = "iptables -F DOCKER-USER"
-	ipTablesAllowDockerUserOutbound         = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+
+	// Allow return traffic.
+    ipTablesAllowDockerUserOutbound         = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+
+	// Allow containers to initiate outbound traffic (default bridge + user-defined bridges).
+	ipTablesAllowDockerUserOutboundInit0    = "iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT"
+	ipTablesAllowDockerUserOutboundInit1    = "iptables -A DOCKER-USER -i br+     ! -o br+     -j ACCEPT"
+
+    // Allow container-to-container on the same bridge.
+	ipTablesAllowDockerUserDockerToDocker0  = "iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT"
+    ipTablesAllowDockerUserDockerToDocker1  = "iptables -A DOCKER-USER -i br+     -o br+     -j ACCEPT"
+
+	// Allow inbound traffic on the loopback interface.
 	ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
+
+	// Drop everything else.
 	ipTablesDropDockerUserInbound           = "iptables -A DOCKER-USER -j DROP"
+
 	ipTablesReturnDockerUser                = "iptables -A DOCKER-USER -j RETURN"
 )
 
@@ -63,6 +79,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 	commands := []string{
 		ipTablesResetDockerUserChain,
 		ipTablesAllowDockerUserOutbound,
+		ipTablesAllowDockerUserOutboundInit0,
+		ipTablesAllowDockerUserOutboundInit1,
+		ipTablesAllowDockerUserDockerToDocker0,
+		ipTablesAllowDockerUserDockerToDocker1,
 		ipTablesAllowDockerUserInpboundLoopback,
 		ipTablesDropDockerUserInbound,
 		ipTablesReturnDockerUser, // Expected by Docker