From: PierluigiFrullani <pierluigi.frullani@frumar.it>
To: netfilter@vger.kernel.org, George Shuklin <george.shuklin@gmail.com>
Subject: Re: coexistence between nftables and iptables ?
Date: Thu, 06 Nov 2025 14:08:22 +0100 [thread overview]
Message-ID: <30930903.VsfAaAtOVx@topolinux> (raw)
In-Reply-To: <203843c7-371e-4e5d-9624-c3e00db722c0@gmail.com>
On Thursday, 6 November 2025 13:13:52 CET George Shuklin wrote:
> There is DOCKER-USER chain for those things.
Not really, or at least not for my needs:
# iptables -L -v -n | grep ^Cha | grep DO
Chain DOCKER (3 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
Chain DOCKER-USER (1 references)
# iptables -t nat -L -v -n | grep ^Cha | grep DO
Chain DOCKER (2 references)
I do not need to play with DOCKER-USER chain. Rules created by daemon for me are fine.
I do need to modify all other rules (INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING) for all other needs __except__ Docker's, but I do this usually by flushing all available chains (at least to be sure that at boot everything works).
In my firewall start script I have:
/usr/sbin/iptables -w -F
/usr/sbin/iptables -w -t nat -F
/usr/sbin/iptables -w -t raw -F
/usr/sbin/iptables -w -X
Obviously the -F and the -X will "kill" every rule and chain, thus also Docker's (and those that jump to Docker's chains).
>
> Don't try to use 'iptables for docker, nftables for filtering, it will
> cause a lot of bugs and issues.
That's my suspicion :)
> See ready-made template which allow to add firewall rules into nftables
> to filter ports for both local (non-docker) and docker-hosted applications.
>
> https://github.com/lidofinance/ansible-collection-server/blob/master/roles/docker_iptables/templates/iptables.rules.j2
This link leads to a 404 page :(
> (If you use Ansible, you can grab ready-made collection from Galaxy
> https://galaxy.ansible.com/ui/repo/published/lidofinance/server/docs/)
>
Thanks
Pigi
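The problem this reply describes (a start script's `-F`/`-X` removing Docker's chains and the jumps into them together with everything else) can be avoided by deleting rules one at a time and skipping the ones Docker owns. The following is an added example, not code from this thread or from Docker: a POSIX shell function that turns `iptables -S` output for one table into per-rule `iptables -D` commands, keeping any rule that sits inside a DOCKER* chain or jumps to one and, as an assumption about Docker's naming, any rule that mentions the docker0 interface. The sample listing is constructed; user-defined bridge networks (br-...) are not covered by the heuristic and would need their own pattern.

```shell
#!/bin/sh
# Added example, not from the thread or from Docker.
# Derive per-rule delete commands from `iptables -S` output so a firewall
# start script can clear its own rules without -F/-X wiping the DOCKER*
# chains and the FORWARD/PREROUTING jumps into them.
#
# Assumptions: input is `iptables -S` (iptables-save) syntax for a single
# table; Docker-owned rules are those inside a chain named DOCKER*, those
# jumping to such a chain, and (heuristic) those naming the docker0 bridge.

# $1 = table name, stdin = `iptables -S` output for that table.
# Prints "iptables -w -t <table> -D <rule>" for every non-Docker rule.
# Nothing is executed here: review the output, then pipe it into sh.
docker_safe_delete_cmds() {
    table="$1"
    while IFS= read -r line; do
        case "$line" in
            "-A DOCKER"*)       continue ;;   # rule inside a Docker chain
            "-A "*" -j DOCKER"*) continue ;;  # jump into a Docker chain
            "-A "*" docker0"*)  continue ;;   # heuristic: touches docker0
            "-A "*)             ;;            # ordinary rule: emit delete
            *)                  continue ;;   # -P / -N lines carry no rule
        esac
        rule=${line#-A }
        printf 'iptables -w -t %s -D %s\n' "$table" "$rule"
    done
}

# Constructed sample of what `iptables -S` might print for the filter table
# on a host with Docker running and two admin-added rules.
SAMPLE_FILTER='-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-1
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed sample for the nat table: Docker's masquerade plus an admin one.
SAMPLE_NAT='-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'

demo_filter() { printf '%s\n' "$SAMPLE_FILTER" | docker_safe_delete_cmds filter; }
demo_nat()    { printf '%s\n' "$SAMPLE_NAT"    | docker_safe_delete_cmds nat; }

# On a real host the input would come from the kernel instead of a sample:
#   iptables -w -S        | docker_safe_delete_cmds filter
#   iptables -w -t nat -S | docker_safe_delete_cmds nat
demo_filter
demo_nat
```

Only the two admin rules per table survive the filter and become delete commands; the DOCKER* chains, the jumps into them and the docker0 rules are left in place, which is the part `-F`/`-X` cannot do selectively. Chains the script itself created can still be removed afterwards with an explicit `-X <name>` once they are empty.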
Thread overview:
2025-11-06 9:44 coexistence between nftables and iptables ? PierluigiFrullani
2025-11-06 12:13 ` George Shuklin
2025-11-06 13:08 ` PierluigiFrullani [this message]