How to use connection tracking with Forward?

Asanto (New Member, joined Apr 18, 2023)
Hi everyone. I am setting up my firewall and want to close services, including those that Docker opens, in one place.
So my rules look like this:
Code:
nft add table inet PREROUTING
nft 'add chain inet PREROUTING lower_filter { type filter hook prerouting priority -130; policy drop; }'
nft add rule inet PREROUTING lower_filter ct state established,related counter accept
nft add rule inet PREROUTING lower_filter ct state invalid counter drop
nft add rule inet PREROUTING lower_filter counter

It works fine for the local machine. But when I go into the container:
Code:
docker run -it debian:stable /bin/bash

The internet does not work:
Code:
root@7c791721f0c5:/# apt update
0% [Connecting to deb.debian.org]

It seems this rule doesn't work:
Code:
nft add rule inet PREROUTING lower_filter ct state established,related counter accept

How could I fix this?

I haven't tried this in docker or podman, but on ESX and VirtualBox
I had to use a dedicated NIC specifically for that VM.

I've never gotten promiscuous mode to work on a virtual NIC.

With VMware Workstation these rules work fine; however, it doesn't use NAT and forward to work.

Docker is not virtualization, and it adds its own rules to the firewall:

Code:
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
        iifname != "docker0" meta l4proto tcp tcp dport 8080 counter packets 0 bytes 0 dnat to 172.17.0.2:80
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 8 bytes 480 masquerade
        meta l4proto tcp ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 80 counter packets 0 bytes 0 masquerade
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 77 bytes 6781 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
}
table ip filter {
    chain DOCKER {
        iifname != "docker0" oifname "docker0" meta l4proto tcp ip daddr 172.17.0.2 tcp dport 80 counter packets 0 bytes 0 accept
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 15328 bytes 861704 jump DOCKER-ISOLATION-STAGE-2
        counter packets 42054 bytes 213656201 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 15328 bytes 861704 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        counter packets 42054 bytes 213656201 jump DOCKER-USER
        counter packets 42054 bytes 213656201 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 26726 bytes 212794497 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 15328 bytes 861704 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
        counter packets 42054 bytes 213656201 return
    }
}

But I think the problem is within conntrack, which is not tracking state for forward. If I add the state "new", everything works fine. But this is equivalent to disabling my firewall.
 
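The following is an added example and is not code from the thread. It builds on the ruleset in the first post and on the observation that a container's outbound traffic is forwarded by the host: the container's first SYN leaves docker0, enters the host's prerouting hook as ct state new (conntrack runs at priority -200, so the -130 chain already sees the state) and meets the drop policy, while the host's own outbound SYNs go through the output hook and never see that chain. Rather than accepting every new connection, the script accepts new connections only when they arrive from the bridge interface, keeps the drop policy for everything else, and keeps the chain ahead of Docker's dstnat chain (priority -100) so published container ports stay closed from outside. The interface names, the allowed TCP ports and the assumption that the default bridge is docker0 are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the thread): generate, check and optionally apply an
# nft prerouting filter that drops unsolicited inbound connections, including
# the ports Docker DNATs to containers, but lets containers on the bridge open
# outbound connections. Interface and port values are assumptions.
WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
DOCKER_BR="${DOCKER_BR:-docker0}"         # Docker's default bridge
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"  # assumed host services reachable on WAN_IF

# Emit the ruleset in nft(8) file syntax so it can be reviewed, diffed and
# syntax-checked with `nft -c -f` before it is loaded.
lower_filter_ruleset() {
  cat <<EOF
table inet PREROUTING
flush table inet PREROUTING
table inet PREROUTING {
    chain lower_filter {
        type filter hook prerouting priority -130; policy drop;
        # replies to connections the host or a container already opened
        ct state established,related counter accept
        ct state invalid counter drop
        # loopback packets traverse prerouting too
        iifname "lo" accept
        # a container's first SYN enters prerouting from the bridge as
        # ct state new; trust only the bridge, not the outside world
        iifname "$DOCKER_BR" ct state new counter accept
        # explicit inbound allow list; every other new connection hits the
        # drop policy before Docker's dstnat chain (priority -100) can DNAT it
        iifname "$WAN_IF" tcp dport { $ALLOW_TCP_PORTS } ct state new counter accept
        counter
    }
}
EOF
}

# Syntax-check the generated ruleset with nft when it is installed (nft -c
# parses without loading); returns 0 if nft is missing so the script stays
# usable on a machine that only generates the file.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
  lower_filter_ruleset | nft -c -f -
}

# Load the ruleset atomically, replacing any earlier version of the table
# (needs root). The declare-then-flush lines in the file make this idempotent.
apply_ruleset() {
  lower_filter_ruleset | nft -f -
}

case "${1:-}" in
  --check) check_ruleset ;;
  --apply) apply_ruleset ;;
  *) lower_filter_ruleset ;;
esac
```

Run it with no arguments to print the ruleset, with `--check` to parse it, and with `--apply` as root to load it. Scoping the `ct state new` accept to `iifname "docker0"` treats the bridge like a trusted LAN segment: containers can then initiate connections to anything the host routes, including the host's own services on its docker0 address, so restrictions on what containers may reach belong in an input chain or in Docker's DOCKER-USER chain, not in this prerouting filter.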
