netfilter.vger.kernel.org archive mirror
* NFT: Drop to Docker bridge
@ 2024-04-23 19:43 Alberto
From: Alberto @ 2024-04-23 19:43 UTC
  To: netfilter

Hi,
I'm configuring my NFTABLES policy with the following scenario:

- eth0: WAN interface
- br0: LAN interface (bridge with several ports).
- docker0: default Docker bridge (unused).
- br-9028b4c107a5: Docker bridge interface between the operative containers.

Docker's iptables policy is disabled ({ "iptables": false } in
/etc/docker/daemon.json), and I define the global policy.

I want to define a policy that gives the LAN (br0) and the Docker
containers (br-9028b4c107a5) access to the WAN (eth0), without access from
the WAN, and with full access between the LAN (br0) and the Docker
containers (br-9028b4c107a5).

My Policy:

table ip alb-nat {
        chain PREROUTING {
                type nat hook prerouting priority 30; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 30; policy accept;
                oifname "eth0" ip saddr 192.168.1.0/24 masquerade
                oifname "eth0" ip saddr 172.22.0.0/24 masquerade
        }
}
table inet alb-fw {
        chain BASE_CHECKS {
                ct state vmap { invalid : drop, established : accept, related : accept, new : accept }
        }
        chain INPUT {
                type filter hook input priority filter + 10; policy drop;
                jump BASE_CHECKS
                iifname "lo" accept
                iifname "br0" ip saddr 192.168.1.0/24 accept
                log prefix "[NFTABLES] Denied: " flags all
        }
        chain FORWARD {
                type filter hook forward priority filter + 10; policy drop;
                jump BASE_CHECKS
                iifname "br0" oifname "br-9028b4c107a5" ip saddr 192.168.1.0/24 accept
                iifname "br-9028b4c107a5" oifname "br0" ip saddr 172.22.0.0/24 accept
        }
        chain OUTPUT {
                type filter hook output priority filter + 10
                jump BASE_CHECKS
        }
}

But the containers are always accessible from the WAN.
I don't know why, because the FORWARD chain policy is DROP.

Can somebody give me a hint to solve the problem?

Best Regards,
Alberto



* RE: Drop to Docker bridge
@ 2024-04-25 14:14 Alberto
From: Alberto @ 2024-04-25 14:14 UTC
  To: netfilter

-----Original Message-----
From: Alberto
Sent: Tuesday, 23 April 2024 21:44
To: netfilter@vger.kernel.org
Subject: NFT: Drop to Docker bridge

I answer to myself (if anybody is interested)...

The problem was the BASE_CHECKS chain definition:

Somewhere I saw three states for the established-connections phase (new,
related and established), but the "new" state was the problem.

I removed it, and outside access to the containers is gone.

Regards,
