From: "Alberto" <alberto@bersol.info>
To: <netfilter@vger.kernel.org>
Subject: RE: Drop to Docker bridge
Date: Thu, 25 Apr 2024 16:14:14 +0200
Message-ID: <016201da971a$db52ee00$91f8ca00$@bersol.info>
In-Reply-To: <006f01da95b6$93fc6870$bbf53950$@bersol.info>
-----Original Message-----
From: Alberto
Sent: Tuesday, 23 April 2024 21:44
To: netfilter@vger.kernel.org
Subject: NFT: Drop to Docker bridge
Hi,
I'm configuring my nftables policy for the following scenario:
- eth0: WAN interface
- br0: LAN interface (bridge with several ports).
- docker0: default Docker bridge (unused).
- br-9028b4c107a5: Docker bridge interface between the operative containers.
Docker's iptables policy is disabled ({ "iptables": false } in
/etc/docker/daemon.json), and I define the policy globally.
I want to define a policy with access to the WAN (eth0) for the LAN (br0) and Docker
container (br-9028b4c107a5) interfaces, but without access from the WAN, and
total access between the LAN (br0) and the Docker containers (br-9028b4c107a5).
My policy:
table ip alb-nat {
    chain PREROUTING {
        type nat hook prerouting priority 30; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 30; policy accept;
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
        oifname "eth0" ip saddr 172.22.0.0/24 masquerade
    }
}
table inet alb-fw {
    chain BASE_CHECKS {
        ct state vmap { invalid : drop, established : accept, related : accept, new : accept }
    }
    chain INPUT {
        type filter hook input priority filter + 10; policy drop;
        jump BASE_CHECKS
        iifname "lo" accept
        iifname "br0" ip saddr 192.168.1.0/24 accept
        log prefix "[NFTABLES] Denied: " flags all
    }
    chain FORWARD {
        type filter hook forward priority filter + 10; policy drop;
        jump BASE_CHECKS
        iifname "br0" oifname "br-9028b4c107a5" ip saddr 192.168.1.0/24 accept
        iifname "br-9028b4c107a5" oifname "br0" ip saddr 172.22.0.0/24 accept
    }
    chain OUTPUT {
        type filter hook output priority filter + 10
        jump BASE_CHECKS
    }
}
But access to the containers from the WAN is always possible.
I don't know why, because the FORWARD chain's policy is drop.
Can somebody give me a hint to solve the problem?
I'll answer myself (in case anybody is interested)...
The problem was the BASE_CHECKS chain definition:
somewhere I saw three states for the established-connections phase (new, related
and established), but the "new" state was the problem.
I removed it, and outside access to the containers is gone.
Regards,
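For readers following the thread, here is what the corrected filter table looks like once "new : accept" is gone (an added example, not the poster's final ruleset; interface names and subnets are taken from the message above, while the outbound accept rule and the logging drop at the end of FORWARD are assumptions about the intended policy):

```nft
# Added example, not the ruleset posted in the thread.
# Why the original leaked: "accept" is a terminal verdict. A vmap entry
# "new : accept" inside a jumped-to chain therefore accepts every first
# packet of every flow, in every base chain that jumps there, before any
# of the interface-specific rules below the jump are evaluated. The
# FORWARD chain's "policy drop" is never reached for WAN -> container.
table inet alb-fw {
    chain BASE_CHECKS {
        # Keep only the verdicts that are safe in every hook: drop
        # broken conntrack entries, accept packets of flows that an
        # earlier rule already let through. "new" packets simply return
        # to the calling chain, which decides per interface pair.
        ct state vmap { invalid : drop, established : accept, related : accept }
    }

    chain FORWARD {
        type filter hook forward priority filter + 10; policy drop;
        jump BASE_CHECKS

        # Without "new : accept", outbound flows must be allowed
        # explicitly (assumed policy: LAN and containers may reach the WAN).
        iifname { "br0", "br-9028b4c107a5" } oifname "eth0" accept

        # LAN <-> containers in both directions, as in the original ruleset.
        iifname "br0" oifname "br-9028b4c107a5" ip saddr 192.168.1.0/24 accept
        iifname "br-9028b4c107a5" oifname "br0" ip saddr 172.22.0.0/24 accept

        # Everything else is a new flow on an interface pair not listed
        # above (for example eth0 -> br-9028b4c107a5): count, log, drop.
        counter log prefix "[NFTABLES] FWD denied: " drop
    }
}
```

After loading with `nft -f`, `nft list chain inet alb-fw FORWARD` shows the counter on the final rule increasing for each denied WAN-originated flow, which is a quick way to confirm the fix took effect.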