From: George Shuklin <george.shuklin@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: coexistence between nftables and iptables ?
Date: Thu, 6 Nov 2025 14:13:52 +0200
Message-ID: <203843c7-371e-4e5d-9624-c3e00db722c0@gmail.com>
In-Reply-To: <6842094.MDQidcC6GM@topolinux>
There is the DOCKER-USER chain for those things.
Don't try to use 'iptables for docker, nftables for filtering'; it will
cause a lot of bugs and issues.
See the ready-made template which allows adding firewall rules into nftables
to filter ports for both local (non-docker) and docker-hosted applications:
https://github.com/lidofinance/ansible-collection-server/blob/master/roles/docker_iptables/templates/iptables.rules.j2
(If you use Ansible, you can grab the ready-made collection from Galaxy:
https://galaxy.ansible.com/ui/repo/published/lidofinance/server/docs/)
On 11/6/25 11:44 AM, PierluigiFrullani wrote:
> Hello all,
> first post here, so please be indulgent.
> I was wondering if those two "technologies" can coexist.
> My problem is: I have a small machine that does firewalling for my home net, and on this machine there is also a docker environment.
> Docker uses iptables for its internal stuff and for forwarding traffic between the host (and its net) and the dockers themselves. It does this by creating a quite complex number of rules and tables, which btw are handled by the docker daemon and scripts.
>
> So far so good, you might say. Well... no.
> Since my iptables rules are also quite complex, when I needed to modify them in some way I used to flush all iptables and start all over again.
> This also flushes all the docker rules, so that the docker environment does not work anymore unless I stop and restart the daemon (which obviously is not always acceptable).
>
> If I can use nftables for my firewalling and routing needs, and leave iptables only for docker, then I can flush my nftables whenever I want without impacting the docker environment.
>
> Is that true?
> Is that possible?
>
>
> Thanks in advance and sorry for my poor English.
>
> Pierluigi (from Italy)
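The DOCKER-USER approach George points to, as an added example (it is neither the lidofinance template nor code from the thread): a POSIX sh function that emits an iptables-restore fragment touching only the DOCKER-USER chain, so it can be re-applied with `iptables-restore -n` (no flush) without disturbing Docker's own chains. The interface name and port list are assumed placeholders; the rules match the port the client originally connected to (`--ctorigdstport`), because by the time forwarded traffic reaches DOCKER-USER Docker has already DNAT'ed it to the container port.

```shell
#!/bin/sh
# Emit an iptables-restore fragment that defines only DOCKER-USER.
# Usage:   docker_user_rules <external-iface> <tcp-port>...
# Apply:   docker_user_rules eth0 80 443 | iptables-restore -n
#   (-n / --noflush keeps DOCKER, DOCKER-ISOLATION-* etc. untouched;
#    only DOCKER-USER is flushed and refilled below)
docker_user_rules() {
    [ -n "${1:-}" ] || { echo "usage: docker_user_rules IFACE PORT..." >&2; return 2; }
    ext="$1"; shift
    for p in "$@"; do
        # Validate before emitting anything: a bad line aborts the whole restore
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 2; }
    done
    printf '%s\n' '*filter' ':DOCKER-USER - [0:0]' '-F DOCKER-USER'
    # Traffic that did not arrive on the external interface (container to
    # container, host to container) is left to Docker's own rules
    printf '%s\n' "-A DOCKER-USER ! -i $ext -j RETURN"
    # Replies to connections containers opened outbound
    printf '%s\n' "-A DOCKER-USER -i $ext -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for p in "$@"; do
        # Allow-list by original destination port, i.e. the published port
        printf '%s\n' "-A DOCKER-USER -i $ext -p tcp -m conntrack --ctorigdstport $p --ctdir ORIGINAL -j RETURN"
    done
    # Everything else from outside aimed at a container is dropped here,
    # before Docker's FORWARD rules would accept it
    printf '%s\n' "-A DOCKER-USER -i $ext -j DROP"
    printf '%s\n' 'COMMIT'
}
```

Host-local (non-container) services still need their own INPUT rules; DOCKER-USER only sees forwarded traffic.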
2025-11-06 9:44 coexistence between nftables and iptables ? PierluigiFrullani
2025-11-06 12:13 ` George Shuklin [this message]
2025-11-06 13:08 ` PierluigiFrullani