From: PierluigiFrullani <pierluigi.frullani@frumar.it>
To: netfilter@vger.kernel.org, George Shuklin <george.shuklin@gmail.com>
Subject: Re: coexistence between nftables and iptables ?
Date: Thu, 06 Nov 2025 14:08:22 +0100 [thread overview]
Message-ID: <30930903.VsfAaAtOVx@topolinux> (raw)
In-Reply-To: <203843c7-371e-4e5d-9624-c3e00db722c0@gmail.com>
On Thursday, 6 November 2025 13:13:52 CET George Shuklin wrote:
> There is DOCKER-USER chain for those things.
Not really, or at least not really for my needs:
# iptables -L -v -n | grep ^Cha | grep DO
Chain DOCKER (3 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
Chain DOCKER-USER (1 references)
~# iptables -t nat -L -v -n | grep ^Cha | grep DO
Chain DOCKER (2 references)
I do not need to play with DOCKER-USER chain. Rules created by daemon for me are fine.
I do need to modify all other rules ( INPUT-FORWARD-OUTPUT PRE and POSTROUTING ) for all other needs __except__ Docker's, but I usually do this by flushing all available chains ( at least to be sure that at boot everything works ).
In my firewall start script I have:
/usr/sbin/iptables -w -F
/usr/sbin/iptables -w -t nat -F
/usr/sbin/iptables -w -t raw -F
/usr/sbin/iptables -w -X
Obviously the -F and the -X will "kill" every rule and chain, thus also the DOCKER ones ( and those that jump to the DOCKER chains ).
>
> Don't try to use 'iptables for docker, nftables for filtering, it will
> cause a lot of bugs and issues.
That's my suspicion :)
> See ready-made template which allow to add firewall rules into nftables
> to filter ports for both local (non-docker) and docker-hosted applications.
>
> https://github.com/lidofinance/ansible-collection-server/blob/master/roles/docker_iptables/templates/iptables.rules.j2
This link leads to a 404 page :(
> (If you use Ansible, you can grab ready-made collection from Galaxy
> https://galaxy.ansible.com/ui/repo/published/lidofinance/server/docs/)
>
Thanks
Pigi
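An added example, not code from this thread or from Docker, of the alternative the flush problem above points at: keep your own rules in dedicated user chains and reset only those, then check that Docker's jumps in FORWARD survived. The "MYFW-" chain prefix and the iptables-save sample are constructed assumptions; the script covers the filter table only, and the nat and raw tables would need the same treatment.

```shell
#!/bin/sh
# Added example, not code from the thread. Reset only your own filter rules and
# leave Docker's chains untouched, instead of a global "iptables -F / -X".
# Assumption (hypothetical convention): your rules live in user chains named
# "MYFW-*", reached by jumps from the built-in chains, so a reset only has to
# flush those chains. Parsing works on iptables-save text, so it can be checked
# without root; applying the plan needs root and real iptables.

# Constructed sample of `iptables-save -t filter` output on a Docker host.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:MYFW-INPUT - [0:0]
:MYFW-FORWARD - [0:0]
-A INPUT -j MYFW-INPUT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -j MYFW-FORWARD
-A DOCKER-USER -j RETURN
-A MYFW-INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print the user-defined chains (":NAME - [...]" lines) found in iptables-save
# text on stdin, skipping Docker's DOCKER, DOCKER-USER and DOCKER-ISOLATION-* chains.
own_chains() {
    awk '/^:/ && $2 == "-" { name = substr($1, 2); if (name !~ /^DOCKER/) print name }'
}

# Turn iptables-save text on stdin into the commands that flush only our own
# chains: no "-F" on INPUT/FORWARD/OUTPUT (that drops Docker's jumps) and no "-X".
reset_commands() {
    own_chains | awk '{ print "iptables -w -F " $1 }'
}

# Sanity check after any firewall reload: exit 0 only if FORWARD still jumps to
# DOCKER-USER and DOCKER-ISOLATION-STAGE-1. If it does not, Docker's rules were
# destroyed and the daemon has to recreate them (e.g. by restarting it).
docker_jumps_present() {
    awk 'BEGIN { u = 0; i = 0 }
         /^-A FORWARD .*-j DOCKER-USER$/ { u = 1 }
         /^-A FORWARD .*-j DOCKER-ISOLATION-STAGE-1$/ { i = 1 }
         END { exit !(u && i) }'
}

# Usage (as root): ./reset-own-rules.sh --apply
# Without --apply the script only shows the plan for the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    iptables-save -t filter | reset_commands | sh
    iptables-save -t filter | docker_jumps_present || echo "warning: Docker jumps in FORWARD are missing" >&2
else
    printf '%s\n' "$SAMPLE_SAVE" | reset_commands
fi
```

The point of the design is that the built-in chains are never flushed, so the jumps Docker installed into FORWARD (and its own chains) stay in place; your start script reloads rules into the MYFW-* chains after the flush, and docker_jumps_present tells you whether a restart of the daemon is needed to get its rules back.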
Thread overview: 3+ messages
2025-11-06 9:44 coexistence between nftables and iptables ? PierluigiFrullani
2025-11-06 12:13 ` George Shuklin
2025-11-06 13:08 ` PierluigiFrullani [this message]