Run custom command with docker-compose

Hi,

I need your help, guys and girls.
I'm trying to run a custom script after container start. I figured out that you can use command: to run a custom command. But using it breaks my Pi-hole.
Does anyone have an idea? Thanks a lot for your help!

Docker-Compose:

services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    command: ["cmd.sh", "/etc/scripts/custom_script.sh"]
...

Script:

#!/bin/sh
# Routes back to the VPN client subnets via the WireGuard containers
ip route add 10.13.13.0/24 via 172.30.9.4
ip route add 10.8.0.0/24 via 172.30.9.5

That's a question for the Docker community. :wink:

But seeing that you are trying to mangle iptables rules:
They may not yield the expected results, as Docker itself employs a rather elaborate set of rules to isolate the networks it manages internally from the host's network.

What is your intention in adding those rules?

Hi,
OK, but I think I'm overwriting some Pi-hole container image related stuff with command:. So I thought someone here knows the correct way, since it depends on the image itself.

It works pretty fine. I need these rules to see the clients' IPs of my WireGuard VPN container. Having set up the right iptables rules there, I can see the clients' IPs.

Are you running wireguard as a Docker container as well?

Yes.

Then it shouldn't be necessary to manipulate iptables.
Just put Wireguard and Pi-hole on the same Docker network.
Probably best to put them in the same docker-compose.

Nope, that's not working. Or at least I haven't figured it out. To my understanding, wg has its own subnet within the container and is NATing all outgoing traffic. So what you see without the rules is the wg container IP. Setting up the following in the wg config:

iptables -t nat -D POSTROUTING -d 172.30.9.3 -j ACCEPT; iptables -t nat -D POSTROUTING -s 172.30.9.3 -j ACCEPT;

and not using ip route within the pi-container leads to a loss of packets.
Adding the route in the pi-container solves the problem.

I don't think that's happening on the WG side, in the sense of WG replacing a client IP by its own. Of course, I can't know about your wireguard container configuration, but there's no MASQUERADE in those statements, at least in the ones shown.
In addition, if your assumption were true, then you couldn't make amends for that in Pi-hole's container: The packets would already arrive with their original source IP stripped and replaced by WireGuard's IP.

This would suggest that it's Docker's inter-container routing that would masquerade the client source IPs.

Did you try pointing your Wireguard container's DNS to Pi-hole's Docker internal IP?
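As an added example (not code from this thread or from the Pi-hole project) of what the two replies above suggest: Pi-hole and WireGuard in one compose file on a shared user-defined network with fixed addresses, and the WireGuard peers' DNS pointed at Pi-hole's container IP. The linuxserver/wireguard image and its PEERDNS variable, the volume paths, the timezone, the peer names and the reuse of the thread's 172.30.9.0/24 subnet are assumptions; adjust them to the images you run.

```yaml
# Added example: Pi-hole and WireGuard on one user-defined Docker network.
# Docker does not NAT traffic between containers on the same user-defined
# network, and the peers' resolver is set to Pi-hole's fixed address, so DNS
# queries from the VPN never have to leave this network or touch a host port.
# Caveat: if the WireGuard image masquerades VPN traffic on its way out
# (the linuxserver image's default PostUp does), Pi-hole logs the WireGuard
# container's address rather than each peer's; per-client visibility needs
# the no-masquerade rule plus return route discussed in the thread.
services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    environment:
      TZ: "Europe/Berlin"          # assumed timezone
    volumes:
      - ./etc-pihole:/etc/pihole   # persist Pi-hole config; path assumed
    # No host port for 53 is published: only the VPN network reaches Pi-hole.
    networks:
      vpn_net:
        ipv4_address: 172.30.9.3   # assumed fixed address for Pi-hole

  wireguard:
    container_name: wireguard
    image: lscr.io/linuxserver/wireguard:latest   # assumed image
    restart: unless-stopped
    cap_add:
      - NET_ADMIN                  # needed to create the wg interface
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      TZ: "Europe/Berlin"
      PEERS: "laptop,phone"        # assumed peer names
      PEERDNS: "172.30.9.3"        # peers resolve through Pi-hole, not a public resolver
    ports:
      - "51820:51820/udp"          # the only port exposed on the host
    volumes:
      - ./wg-config:/config        # peer configs and keys; path assumed
    networks:
      vpn_net:
        ipv4_address: 172.30.9.4   # assumed fixed address for WireGuard

networks:
  vpn_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.9.0/24    # subnet reused from the thread's rules
```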

To be honest, I don't know. As far as I know, wg is doing masquerade.

But my primary problem isn't solved. And I still think that it is a Pi-hole and Docker related issue, since it depends on the docker-pihole image.
So, anyone out there who can help?