Excluding a container from proxy rerouting

I am using the Supervisor host-config to route all the traffic from the device via a proxy. Is there a way to specify that one of the running containers bypass the setting, and instead just connect directly? It seems the noProxy string is for specifying services on the receiving end, but I am looking to specify a service on the sending end (i.e. a container) to bypass the proxy.

Hi @maggie,

According to the redsocks website [1], it says the connection redirection is system wide, and additionally, I didn’t see any configs in the sample redsocks.conf provided by the GitHub repo [2]. So, it sounds like the answer is no, at least not through the redsocks service. However, you may be able to manipulate iptables, but I’m not too knowledgeable about this area. See [3] for a good starting point which proposes marking packets, then setting up iptables rules to handle them. I’d recommend developing this independently of balena first to see how it could be possible, since balena adds some rules to iptables and the Supervisor maintains the filter table, meaning all your rules have to go into the raw table. (See issue [4]). This adds a layer of complexity that may make experimentation difficult.

Let us know how it goes!


[1] redsocks - transparent socks redirector
[2] redsocks/redsocks.conf.example at master · darkk/redsocks · GitHub
[3] routing - iptables - Target to route packet to specific interface? - Server Fault
[4] Modifications to firewall (iptables) always removed by Supervisor · Issue #1482 · balena-os/balena-supervisor · GitHub

If this works outside of balena, you can open a feature request in balena-os/balena-supervisor on GitHub to bring it to balena. (It may not be possible without some changes due to the existing issue with Supervisor and iptables.)