Docker overwrites nftables firewall

Hi All, I’m still new with docker,

I’m using Rocky Linux 8.5, and I’ve been having trouble with Docker overwriting nftables rules. The INPUT chain would follow Docker, making it accept all connections.

Alternatively, I’ve tried changing the table to inet, but it only follows the inet FORWARD chain, making containers unable to get internet access.

I have a basic config in /etc/sysconfig/nftables.conf

table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop
		ct state {established,related} counter accept
		iif lo accept
		iif != lo ip daddr 127.0.0.1/8 counter drop
		# note: an IPv6 match inside an ip-family table; it belongs in an inet or ip6 table
		iif != lo ip6 daddr ::1/128 counter drop
		ip saddr xxx.xxx.xxx.xxx tcp dport 22 accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		counter
	}
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		counter
	}
}

I would appreciate any help I can get.
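The following is an added example, not the poster's configuration and not anything from the Docker project. It shows one way to keep a host firewall with a default-drop policy while still letting Docker manage its own rules. On Rocky 8, Docker programs iptables-nft, which creates its own `ip filter` and `ip nat` tables in nftables with chains named INPUT/FORWARD/OUTPUT; a hand-written table with the same name and chain names collides with that. Putting the host rules in a separately named `inet` table avoids the collision, but every base chain on a hook is evaluated and a drop verdict in any of them is final, so a `forward` chain with `policy drop` must explicitly accept container traffic or the containers lose connectivity. The bridge name `docker0`, the table name `host_fw` and the admin address 203.0.113.10 are assumptions for this example.

```nftables
#!/usr/sbin/nft -f
# Added example (not the original poster's file). Load with: nft -f <this file>
# Idempotent reload of only this table; deliberately no "flush ruleset", which
# would also delete the ip filter / ip nat tables that Docker maintains.
table inet host_fw
flush table inet host_fw

table inet host_fw {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid counter drop
		ct state established,related counter accept
		iif "lo" accept
		# loopback-only destinations arriving on a real interface (spoofed)
		iif != "lo" ip daddr 127.0.0.0/8 counter drop
		iif != "lo" ip6 daddr ::1/128 counter drop
		# SSH only from the admin host (assumed address, documentation range)
		ip saddr 203.0.113.10 tcp dport 22 counter accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid counter drop
		# container egress: packets entering the host from the docker0 bridge
		iifname "docker0" counter accept
		# replies back into the bridge for connections the containers opened
		oifname "docker0" ct state established,related counter accept
		# inbound connections to ports published with "docker run -p";
		# Docker DNATs them in its nat table before they reach this hook
		oifname "docker0" ct status dnat counter accept
		counter
	}

	chain output {
		type filter hook output priority filter; policy accept;
		counter
	}
}
```

Check the file with `nft -c -f <file>` before loading it, then confirm with `nft list ruleset` that the `inet host_fw` table coexists with Docker's `ip filter` and `ip nat` tables rather than replacing them. If the nftables service unit is configured to `flush ruleset` on restart, Docker's tables disappear with it and Docker needs a restart to recreate them; keeping the per-table flush shown above avoids that. If you would rather not have Docker touch the packet filter at all, `"iptables": false` in /etc/docker/daemon.json disables its rule management, at which point the NAT and forwarding rules for containers become your responsibility.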

Hello @inceptor ,

I think I have the same problem. Could you solve it or understand it in the meantime?

Thank you.

THIS is my posting.