This Dockerfile needs to be run with the NET_ADMIN capability, and a TUN device passed through.

A busybox based Dockerfile to run Iodine - a program to tunnel IP over DNS requests. For more information on Iodine, see the official website.

This dockerfile requires some environment variables set to run. $IODINE_HOST must be set to the external hostname DNS requests are coming from, and $IODINE_PASS must be set to the password clients will use to connect. You may also set $IODINE_IP to define the range of IPs that Iodine will assign clients. This can be defined as the start IP (such as 10.0.0.1), or the subnet to assign from (such as 10.0.0.0/24). However this is not a required variable and defaults to 10.42.16.1/24, which should be sufficient for most users. $IPTABLES can also be used to define custom routing rules (see below). These variables can also be defined using a environment variable file.

Packets that come in via Iodine can be treated in a number of ways. By default, iptables is configured to masqurade the packets, and then send them on via the eth0 interface Docker provides. For a basic usage scenario, these rules are fine, however as Iodine does not encrypt its traffic it may be advisable to route traffic through another service, such as OpenVPN. Below are some examples of how to configure iptables to achieve some common scenarios.

Allow all traffic to a certain IP:
IPTABLES="iptables -t filter -A FORWARD -i dns0 -o eth0 -d 1.2.3.4 -j ACCEPT"
Allow all traffic to any OpenVPN server on the network:
IPTABLES="iptables -t filter -A FORWARD -i dns0 -o eth0 -p udp --dport 1194 -j ACCEPT"
Allow any port except port 22:
IPTABLES="iptables -t filter -A FORWARD -i dns0 -o eth0 ! --dport 22 -j ACCEPT"
Allow only web traffic (ports 80 and 443, tcp):
IPTABLES="iptables -t filter -A FORWARD -i dns0 -o eth0 -p tcp --dport 80 -j ACCEPT && iptables -t filter -A FORWARD -i dns0 -o eth0 -p tcp --dport 443 -j ACCEPT"

Note: Iodine does not encrypt traffic, if you require security, consider using a VPN on top of Iodine.

Bare minimum:
docker run -p 53:53/udp --cap-add=NET_ADMIN --device /dev/net/tun -e IODINE_HOST=tunnel.example.com -e IODINE_PASS=password spritsail/iodine
All variables:
docker run -d --name Iodine -p 53:53/udp --cap-add=NET_ADMIN --device /dev/net/tun -e IODINE_HOST=tunnel.example.com -e IODINE_PASS=password -e IODINE_IP=10.0.0.1 -e IPTABLES="iptables -t filter -A FORWARD -i dns0 -o eth0 -d 1.2.3.4 -j ACCEPT" spritsail/iodine