Hi!
My config
Arch Linux (rolling release), kernel 6.4.2
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 90:1b:0e:9e:eb:da brd ff:ff:ff:ff:ff:ff
inet 138.201.130.115/24 brd 138.201.130.255 scope global noprefixroute enp0s31f6
valid_lft forever preferred_lft forever
inet6 2a01:4f8:172:2d89::2/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::c0b6:50cf:c2b8:1cd8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
65: docker0@if64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7e:eb:8c:2c:7e:69 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::7ceb:8cff:fe2c:7e69/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
docker network ls
NETWORK ID NAME DRIVER SCOPE
fcc09c335d92 bridge bridge local
747a073194a6 host host local
1c47e7d9cd0b none null local
/etc/systemd/system/docker.service.d/netns.conf
[Service]
# Drop-in for docker.service: dockerd gets its own network namespace
# (PrivateNetwork=yes). Every ExecStartPre below runs inside that namespace;
# `nsenter -t 1 -n` steps into PID 1's (the host's) namespace for the host-side
# half of the setup. NOTE(review): PrivateNetwork= is used here as a routing
# arrangement, not as a sandbox -- the unit deliberately re-enters the host
# namespace as root on every start.
PrivateNetwork=yes
# cleanup
# The leading "-" makes systemd ignore a non-zero exit, so a missing docker0
# on the first start does not fail the unit.
ExecStartPre=-nsenter -t 1 -n -- ip link delete docker0
# add veth
# The host side keeps the name docker0; the peer docker0_ns is moved into this
# service's namespace by the next line.
ExecStartPre=nsenter -t 1 -n -- ip link add docker0 type veth peer name docker0_ns
# "$$" is the systemd escape for a literal "$", so the shell sees "$BASHPID":
# the pid of this sh, which already lives in the private namespace. BASHPID
# is a bash variable, so this relies on /bin/sh being bash (the case on Arch
# -- verify if the script is reused elsewhere); `&& true` does not change the
# exit status and can be dropped.
ExecStartPre=sh -c 'nsenter -t 1 -n -- ip link set docker0_ns netns "$$BASHPID" && true'
# Rename inside the namespace; this does not clash with the host's physical
# enp0s31f6 because interface names are per namespace.
ExecStartPre=ip link set docker0_ns name enp0s31f6
# bring host online
# NOTE(review): the `ip a` output captured on the host shows docker0 with only
# a link-local IPv6 address, i.e. 10.0.0.1/24 was not present at that moment;
# check `journalctl -u docker` for the outcome of this step.
ExecStartPre=nsenter -t 1 -n -- ip addr add 10.0.0.1/24 dev docker0
ExecStartPre=nsenter -t 1 -n -- ip link set docker0 up
# bring ns online
ExecStartPre=ip addr add 10.0.0.100/24 dev enp0s31f6
ExecStartPre=ip link set enp0s31f6 up
# Everything dockerd sends (registry pulls, `docker login`, DNS lookups)
# leaves via 10.0.0.1, so the host must forward it from docker0 to its uplink
# and source-NAT 10.0.0.0/24. The host nft ruleset shown on this page has a
# forward chain (inet my_table / my_forward) with policy drop and no rules,
# and its nat POSTROUTING masquerades only 172.17.0.0/16, so neither happens.
ExecStartPre=ip route add default via 10.0.0.1 dev enp0s31f6
NetworkManager
[connection]
# Host uplink profile (the physical enp0s31f6 carrying the public addresses).
# The veth that the docker drop-in renames to enp0s31f6 lives in dockerd's
# own namespace, so that name does not collide with this profile.
# NOTE(review): the host-side veth docker0 is addressed by the docker drop-in,
# not by NetworkManager; confirm NM reports it as unmanaged
# (`nmcli device status`) so it does not touch or reset that interface.
id=enp0s31f6
uuid=df1f9b7b-cab5-45f9-9bea-4fd67fb1cd60
type=ethernet
autoconnect=true
interface-name=enp0s31f6
timestamp=1689080622
[ethernet]
mac-address=90:1B:0E:9E:EB:DA
[ipv4]
# Static public address with the provider gateway as second element; DNS is
# sent to the provider resolvers.
address1=138.201.130.115/24,138.201.130.65
dns=185.12.64.1,185.12.64.2;
method=manual
[ipv6]
# Static global address; fe80::1 is the gateway.
addr-gen-mode=default
address1=2a01:4f8:172:2d89::2/64,fe80::1
dns=2a01:4ff:ff00::add:1,2a01:4ff:ff00::add:2;
method=manual
[proxy]
docker info
[root@mail network]# docker info
Client:
Version: 24.0.2
Context: default
Debug Mode: false
Plugins:
compose: Docker Compose (Docker Inc.)
Version: 2.19.1
Path: /usr/lib/docker/cli-plugins/docker-compose
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 24.0.2
Storage Driver: overlay2
Backing Filesystem: btrfs
Supports d_type: true
Using metacopy: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 0cae528dd6cb557f7201036e9f43420650207b58.m
runc version:
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.4.2-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 62.58GiB
Name: mail
ID: 95b57243-52ef-4d36-917c-3e86a85b9816
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
nftables
[root@mail network]# nft list ruleset
# Host firewall. Base chains on the same hook as docker's "ip filter" chains
# further down are all evaluated; a drop verdict in any one of them is final.
table inet my_table {
# Sources that my_input treats as "LAN". NOTE(review): 138.201.0.0/16 is the
# public range containing this host's own 138.201.130.115, so every other
# machine in that provider block is granted the my_input_lan services (NFS,
# SMB, PXE, TFTP); confirm that is intended. 10.0.0.0/8 also covers the
# 10.0.0.0/24 used by the docker namespace veth.
set LANv4 {
type ipv4_addr
flags interval
elements = { 10.0.0.0/8, 138.201.0.0/16,
172.18.0.0/16, 192.168.0.0/24 }
}
# 2a01:4f8:172::/48 is likewise the public prefix around the host's own
# 2a01:4f8:172:2d89::2/64.
set LANv6 {
type ipv6_addr
flags interval
elements = { 2a01:4f8:172::/48,
fd00::/8,
fe80::/10 }
}
# Reached only through the jump rules in my_input for @LANv4 / @LANv6 sources.
chain my_input_lan {
meta l4proto { tcp, udp } th dport 2049 accept comment "Accept NFS"
udp dport 137 accept comment "Accept NetBIOS Name Service (nmbd)"
udp dport 138 accept comment "Accept NetBIOS Datagram Service (nmbd)"
tcp dport 139 accept comment "Accept NetBIOS Session Service (smbd)"
tcp dport 445 accept comment "Accept Microsoft Directory Service (smbd)"
udp sport { 68, 4011 } udp dport { 67, 4011 } accept comment "Accept PXE"
udp dport 69 accept comment "Accept TFTP"
}
# Default-deny input; everything not matched below is dropped.
chain my_input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "Accept any localhost traffic"
ct state invalid drop comment "Drop invalid connections"
ct state established,related accept comment "Accept traffic originated from us"
meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
meta l4proto icmp accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP"
udp dport 5353 ip6 daddr ff02::fb accept comment "Accept mDNS"
udp dport 5353 ip daddr 224.0.0.251 accept comment "Accept mDNS"
ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
# NOTE(review): the TCP rules below carry no source restriction, so on the
# public interface they are reachable from anywhere. 137-139, 445 and 2049
# repeat my_input_lan's SMB/NFS rules without the @LANv4/@LANv6 condition,
# which makes that restriction ineffective for TCP; if these services are
# only needed locally, drop the unrestricted copies.
tcp dport 22 accept comment "Accept SSH on port 22"
tcp dport 631 accept comment "Accept IPP/IPPS on port 631"
tcp dport 53 accept comment "Accept DNS on port 53"
tcp dport 137-139 accept comment "Accept smbd nmbd on port 137-139"
# Port 445 is SMB -- the same smbd service the my_input_lan rule above names
# "Microsoft Directory Service".
tcp dport 445 accept comment "Accept ?? on port 445"
tcp dport 2049 accept comment "Accept NFS on port 2049"
# NOTE(review): which service listens on 5050 cannot be told from this page;
# confirm it is meant to be world-reachable.
tcp dport 5050 accept comment "Accept Docker Auth Traffic on port 5050"
tcp dport { 80, 443 } accept comment "Accept HTTP (ports 80, 443)"
udp sport 68 udp dport 67 ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"
}
# Policy drop with no rules: every forwarded packet is dropped here, which
# includes the docker namespace's traffic arriving on docker0 for the uplink.
# Docker's own FORWARD chain in "table ip filter" (policy accept) cannot
# override this, since a drop in any hook chain is final. Allowing the
# docker0 <-> uplink pair explicitly here keeps the default-deny intact.
chain my_forward {
type filter hook forward priority filter; policy drop;
}
chain my_output {
type filter hook output priority filter; policy accept;
}
}
# Chains in docker's iptables naming scheme, presumably created by dockerd
# through the nft-backed iptables. NOTE(review): nftables rulesets are per
# network namespace; with dockerd now started under PrivateNetwork=yes these
# host-side chains look like leftovers from an earlier start in the host
# namespace, and the "docker0" they match is now the veth, not a bridge.
# Inspect the daemon's own view with
# `nsenter -t <DOCKERD_PID> -n nft list ruleset`.
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
# Policy accept, but the inet my_forward chain on the same hook still drops.
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 352 bytes 16206 jump DOCKER-USER
counter packets 352 bytes 16206 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state established,related counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
# Empty: no published container ports at capture time.
chain DOCKER {
}
# Inter-bridge isolation; with a single docker0 nothing matches stage 2.
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 352 bytes 16206 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
# Reserved for administrator rules; evaluated before docker's own rules.
chain DOCKER-USER {
counter packets 352 bytes 16206 return
}
}
table ip nat {
# Port-publishing entry points: locally destined traffic is handed to the
# DOCKER chain, which only contains the docker0 return below.
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 504 bytes 24923 jump DOCKER
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
# Only docker's default bridge subnet is masqueraded. Nothing source-NATs
# 10.0.0.0/24, so packets from the namespace's 10.0.0.100 would leave the
# uplink with a private source address even once forwarding is permitted.
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
}
sysctl
cat /etc/sysctl.d/30-ipforward.conf
# Enables routing between interfaces, which the host needs to carry the docker
# namespace's traffic from docker0 to the uplink. Forwarding stays subject to
# the nft forward chains, so keep the allow rules scoped to the docker0 <->
# uplink pair rather than relaxing the default-deny. 99-hetzner.conf leaves
# its own ip_forward line commented out, so this value is the effective one.
net.ipv4.ip_forward=1
# IPv6 forwarding as well; note the drop-in gives the namespace only an IPv4
# address and route.
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
cat /etc/sysctl.d/99-hetzner.conf
### Hetzner Online GmbH installimage
# sysctl config
# Provider defaults. ip_forward is left commented out here, so the value from
# 30-ipforward.conf applies.
#net.ipv4.ip_forward=1
# Strict reverse-path filtering: a packet is dropped when the route back to
# its source would not leave through the interface it arrived on.
# NOTE(review): this also applies to forwarded traffic, so re-check it once
# forwarding for the docker0 veth is allowed (`sysctl
# net.ipv4.conf.docker0.rp_filter`; the stricter of "all" and the
# per-interface value is used).
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
# ipv6 settings (no autoconfiguration)
# Static IPv6 host: ignore router advertisements, redirects and source routing
# on every interface.
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
### Hetzner Online GmbH installimage
127.0.0.1 localhost.localdomain localhost
#138.201.130.115 mail
#::1 ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
#f02::3 ip6-allhosts
#2a01:4f8:172:2d89::2 mail
docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: m0rta
Password:
Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Why do I get this error?