.. title:: Bridged Network Source NAT

Bridged Network Source NAT
==========================

Overview
--------

Administrators may want to provision Kasm sessions that egress from a specific IP assigned to the host. This is useful if the network uses policy routes based on source IP to direct traffic.

In this example we will demonstrate how to:

* Create a custom docker network using the bridge driver.
* Configure the docker network to egress from a defined interface IP.
* Configure a Kasm Image to always be provisioned on the desired docker network, using the **Restrict to Docker Network** :doc:`Image Setting`

In this model, the Kasm sessions are given a NATed address inside the docker network pool (e.g. 172.19.0.0/16), but when the traffic leaves the docker host it uses a specific IP that belongs to one of the host's interfaces.

.. figure:: /images/bridged_network_source_nat/diagram.png
   :width: 70%
   :align: center

   **Desired Configuration**

Environment
-----------

**Network Interfaces**

+---------------+-------------------+
| **Interface** | **IP(s)**         |
+===============+===================+
| enp0s3        | 192.168.4.53/24   |
|               | 192.168.4.153/24  |
+---------------+-------------------+
| enp0s8        | 192.168.56.103/24 |
+---------------+-------------------+

.. code-block:: Bash

   ip a
   1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
       link/ether 08:00:27:be:61:fa brd ff:ff:ff:ff:ff:ff
       inet 192.168.4.53/22 brd 192.168.7.255 scope global noprefixroute dynamic enp0s3
          valid_lft 12112sec preferred_lft 12112sec
       inet 192.168.4.153/24 scope global enp0s3
          valid_lft forever preferred_lft forever
       inet6 fe80::e7be:8f90:49c:ec27/64 scope link noprefixroute
          valid_lft forever preferred_lft forever
   3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
       link/ether 08:00:27:b4:47:93 brd ff:ff:ff:ff:ff:ff
       inet 192.168.56.103/24 brd 192.168.56.255 scope global noprefixroute dynamic enp0s8
          valid_lft 506sec preferred_lft 506sec
       inet6 fe80::dbad:e1ea:d353:c4a/64 scope link noprefixroute
          valid_lft forever preferred_lft forever

Docker Network Configuration
----------------------------

.. note::

   The docker network names used in this example are intentionally prefixed with :code:`z_`. Due to a quirk, Docker chooses a container's default route based on the alphabetical ordering of its docker network names. We name these custom networks accordingly so that they won't interfere with the Kasm service containers or the user workflow.

#. Create a bridged docker network named :code:`z_custom_a`.

   .. code-block:: Bash

      sudo docker network create \
        --driver bridge \
        --attachable \
        --opt "com.docker.network.bridge.name"="z_custom_a" \
        --opt "com.docker.network.bridge.enable_ip_masquerade"="false" \
        z_custom_a

#. After the network is created, get the auto-generated subnet.

   .. code-block:: Bash

      sudo docker inspect z_custom_a | grep Subnet
      "Subnet": "172.19.0.0/16",

#. Update :code:`iptables` to source NAT traffic from the custom docker network to the defined IP.

   .. code-block:: Bash

      sudo iptables -t nat -A POSTROUTING -s 172.19.0.0/16 ! -o z_custom_a -j SNAT --to-source 192.168.4.153

#. Create a bridged docker network named :code:`z_custom_b`.

   .. code-block:: Bash

      sudo docker network create \
        --driver bridge \
        --attachable \
        --opt "com.docker.network.bridge.name"="z_custom_b" \
        --opt "com.docker.network.bridge.enable_ip_masquerade"="false" \
        z_custom_b

#. After the network is created, get the auto-generated subnet.

   .. code-block:: Bash

      sudo docker inspect z_custom_b | grep Subnet
      "Subnet": "172.20.0.0/16",

#. Update :code:`iptables` to source NAT traffic from the custom docker network to the defined IP.

   .. code-block:: Bash

      sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 ! -o z_custom_b -j SNAT --to-source 192.168.56.103

#. The generated bridge interfaces can also be observed using :code:`ip a`.

   .. code-block:: Bash

      ip a
      ...
      32: z_custom_a: mtu 1500 qdisc noqueue state DOWN group default
          link/ether 02:42:5e:07:7a:e6 brd ff:ff:ff:ff:ff:ff
          inet 172.19.0.1/16 brd 172.19.255.255 scope global z_custom_a
             valid_lft forever preferred_lft forever
      33: z_custom_b: mtu 1500 qdisc noqueue state DOWN group default
          link/ether 02:42:f4:a5:a7:ca brd ff:ff:ff:ff:ff:ff
          inet 172.20.0.1/16 brd 172.20.255.255 scope global z_custom_b
             valid_lft forever preferred_lft forever

Kasm Image Configuration
------------------------

#. Log into the Kasm UI as an administrator.
#. Select **Images**.
#. Select **Edit** next to the desired Image.
#. Check **Restrict Image to Docker Network** and select the desired network.

   .. figure:: /images/bridged_network_source_nat/restrict_to_network.png
      :width: 100%
      :align: center

      **Restrict Image to Docker Network**

Create a new session using the Image and verify the configuration. In this example we make a request to a web server that returns our IP.

.. figure:: /images/bridged_network_source_nat/verification.png
   :width: 100%
   :align: center

   **Verification**
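The network-creation and iptables steps from the Docker Network Configuration section, collected into one idempotent script, as an added example that is not part of the Kasm documentation. Instead of hard-coding the subnet it reads the value Docker assigned back from :code:`docker network inspect`, adds the SNAT rule only when :code:`iptables -C` reports it missing, and checks egress from inside a throwaway container on the network. The :code:`curlimages/curl` image and the :code:`ECHO_IP_URL` placeholder are assumptions, since the page does not name the IP-echo service it used.

```bash
#!/bin/sh
# Added example, not from the Kasm documentation: provision a bridged Docker
# network with Docker's own masquerading disabled, read back the subnet Docker
# assigned, and install the matching SNAT rule only if it is not already
# present. Network/bridge name and egress IP come from the arguments; the
# curlimages/curl image and ECHO_IP_URL are assumptions used for verification.
set -eu

# Pull the "Subnet" value out of `docker network inspect <name>` JSON output.
# Plain text processing, so it can be exercised without Docker installed.
extract_subnet() {
    printf '%s\n' "$1" | sed -n 's/.*"Subnet": *"\([0-9./]*\)".*/\1/p' | head -n 1
}

# Build the POSTROUTING rule spec. The "! -o <bridge>" clause leaves
# container-to-container traffic on the bridge untouched; only packets that
# leave the host through another interface get their source rewritten.
snat_rule_spec() {
    printf 'POSTROUTING -s %s ! -o %s -j SNAT --to-source %s' "$1" "$2" "$3"
}

# Cheap shape check for an IPv4 address or CIDR prefix (no octet range check).
valid_ipv4_prefix() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Create the network if it does not exist, then add the SNAT rule idempotently:
# "iptables -C" exits non-zero when the rule is absent, so -A runs only once.
provision_network() {
    net="$1"; egress_ip="$2"
    valid_ipv4_prefix "$egress_ip" || { echo "bad egress IP: $egress_ip" >&2; return 1; }

    if ! sudo docker network inspect "$net" >/dev/null 2>&1; then
        sudo docker network create \
            --driver bridge \
            --attachable \
            --opt "com.docker.network.bridge.name"="$net" \
            --opt "com.docker.network.bridge.enable_ip_masquerade"="false" \
            "$net"
    fi

    subnet="$(extract_subnet "$(sudo docker network inspect "$net")")"
    valid_ipv4_prefix "$subnet" || { echo "could not read subnet for $net" >&2; return 1; }

    # Word splitting of the rule spec into separate arguments is intended here.
    if ! sudo iptables -t nat -C $(snat_rule_spec "$subnet" "$net" "$egress_ip") 2>/dev/null; then
        sudo iptables -t nat -A $(snat_rule_spec "$subnet" "$net" "$egress_ip")
    fi
    echo "$net ($subnet) now SNATs to $egress_ip"
}

# Confirm egress from inside a throwaway container on the network. ECHO_IP_URL
# is a placeholder for any HTTP service that replies with the client's IP.
verify_egress() {
    net="$1"; expected_ip="$2"
    seen="$(sudo docker run --rm --network "$net" curlimages/curl -s "${ECHO_IP_URL:-https://example.invalid/ip}")"
    [ "$seen" = "$expected_ip" ]
}

# Usage: sh snat_network.sh provision z_custom_a 192.168.4.153
#        sh snat_network.sh verify    z_custom_a 192.168.4.153
case "${1:-}" in
    provision) provision_network "$2" "$3" ;;
    verify)    verify_egress "$2" "$3" ;;
esac
```

Run it once per network (for example :code:`sh snat_network.sh provision z_custom_b 192.168.56.103`) and inspect the result with :code:`sudo iptables -t nat -L POSTROUTING -n -v --line-numbers`. Rules added with :code:`-A` do not survive a reboot; persist them with your distribution's mechanism (for example :code:`netfilter-persistent save` on Debian and Ubuntu) or re-run the script at boot, and re-run it whenever a network is recreated, since Docker may hand out a different subnet. Because :code:`enable_ip_masquerade` is false for these networks, Docker installs no MASQUERADE rule for their subnets, so the appended SNAT rule is the only one that rewrites their source address.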