This is the first installment in a series of blog posts. The other parts are:
The latest update to Turbo introduces new IP address restriction capabilities and routing syntax.
IMPORTANT: Scripts using the previous routing commands must be updated to use the new syntax.
Previously it was only possible to control inbound traffic with flags --route-add, --route-block, and --network. With the latest update, you can now specify whitelists and blacklists on outbound container network traffic as well. To make this possible, the previous syntax of the --route-add flag was updated to follow a more generic scheme:
The new syntax for port direction follows the form <protocol>://<containerPort>:<hostPort>.
For example, to map container TCP port 8080 to host port 80, you would use the command --route-add=tcp://8080:80.
(Previously the syntax followed the form <hostPort>:<containerPort>/<protocol> and the equivalent command would have been --route-add=80:8080/tcp.)
In addition, a new protocol ip is supported, which applies routing to all IP-based communication. For example, the command --route-block=ip blocks all IP traffic. Subsequent --route-add commands can be appended to whitelist specific IP addresses.
Finally, it is now possible to map a container port to a random high host port, which can subsequently be queried with the turbo netstat command. To map container TCP port 4321 to a high random host port, use the command --route-add=tcp://4321:0. The 0 here represents a randomly assigned high port.
Sample: PuTTY Whitelisting
PuTTY is a popular free Telnet client for Windows. To create a PuTTY container with all outbound access blocked except to IP address 10.0.0.34:
turbo new putty --route-block=ip --route-add=ip://10.0.0.34
Now let’s reroute all traffic from 18.104.22.168 to 10.0.0.34, making it possible to connect to the host at 10.0.0.34 by typing the address 22.214.171.124 in PuTTY:
turbo new putty --route-block=ip --route-add=ip://10.0.0.34 --route-add=ip://126.96.36.199:10.0.0.34
It is also possible to block or map IP ranges using the CIDR notation. For example, the following command allows PuTTY in the container to connect only to hosts in the 192.168.1.0/24 network:
turbo new putty --route-block=ip --route-add=ip://192.168.1.0/24
To disallow connections to a specific set of IP addresses or ranges (“blacklisting”), simply specify them in the --route-block parameter:
turbo new putty --route-block=ip://10.0.0.34
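To check route values before they go into a script (and to migrate old-style values, as the note at the top requires), here is a small parser for the new <protocol>://... syntax described above, exercised on the PuTTY samples. It is an added example, not Turbo's own code: it assumes IPv4 only, and it accepts "udp" alongside the "tcp" and "ip" protocols shown on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the page shows "tcp" and "ip"; "udp" is included here as a guess.
PORT_PROTOCOLS = {"tcp", "udp"}

@dataclass
class Route:
    protocol: str
    container_port: Optional[int] = None  # tcp/udp: port inside the container
    host_port: Optional[int] = None       # tcp/udp: 0 = random high host port
    network: Optional[str] = None         # ip: single address or CIDR range
    map_to: Optional[str] = None          # ip: optional address to reroute to

    @property
    def random_host_port(self) -> bool:
        return self.host_port == 0

def parse_route(spec: str) -> Route:
    """Parse a --route-add / --route-block value written in the new syntax."""
    if spec == "ip":
        return Route(protocol="ip")  # whole IP stack, e.g. --route-block=ip
    m = re.fullmatch(r"(?P<proto>[a-z]+)://(?P<rest>.+)", spec)
    if not m:
        raise ValueError(f"not in <protocol>://... form: {spec!r}")
    proto, rest = m.group("proto"), m.group("rest")
    if proto in PORT_PROTOCOLS:
        cport, hport = rest.split(":")  # ValueError unless exactly two fields
        cport, hport = int(cport), int(hport)
        if not (1 <= cport <= 65535 and 0 <= hport <= 65535):
            raise ValueError(f"port out of range in {spec!r}")
        return Route(proto, container_port=cport, host_port=hport)
    if proto == "ip":
        net, _, target = rest.partition(":")  # IPv4 only (assumption)
        ipaddress.ip_network(net, strict=False)  # validates address or CIDR
        if target:
            ipaddress.ip_address(target)  # reroute target must be one host
        return Route(proto, network=net, map_to=target or None)
    raise ValueError(f"unknown protocol {proto!r}")

def convert_legacy(spec: str) -> str:
    """Rewrite old <hostPort>:<containerPort>/<protocol> into the new form."""
    m = re.fullmatch(r"(\d+):(\d+)/(tcp|udp)", spec)
    if not m:
        raise ValueError(f"not a legacy port mapping: {spec!r}")
    host_port, container_port, proto = m.groups()
    return f"{proto}://{container_port}:{host_port}"
```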
The --route-add and --route-block commands are also supported within the commit verb, so it is easy to save custom network stacks into deployable images.