nftables rules for docker


System : RHEL 8.4 Docker Version : 20.10

RHEL 8 has moved from iptables to nftables, and Docker internally uses iptables to set firewall rules on the machine.

This seems to have broken communication from Docker containers to host services, and also to other Docker containers hosted on the same network.

I have to communicate with a registry hosted in a container on port 5000.

I am also hosting Impala services in a container and have exposed the following ports:

21000
21050
25000
25010
25020

Also, when I log in to a container, it cannot reach the internet.

Does anyone know what rules can be set to make communication with Docker work properly? Also, the service hosted in the container must be able to contact all the related host services.

Things tried until now:

Made changes in /etc/docker/daemon.json:

{
    "iptables" : false
}

And based on this link, I tried to set up rules, but no luck.

FYI: I have no idea how to set up any type of rules in the Linux firewall (neither with iptables nor with nftables).

Best answer:

Since Docker 20.10, Docker provides support for firewalld, and there is no need to add any rules manually.

It resolved my issues related to iptables and ebtables.

Second answer:

In my case, I had a chain hooked to forward that dropped all traffic, which caused some of the Docker networking to break:

chain forward {
    type filter hook forward priority 0; policy drop;
}

Host-to-container and container-to-host traffic will still work, because it does not go through the forward chain.

However, container-to-container and container-to-world traffic does go through the forward chain and is being dropped by the above rule.

Assuming no special Docker networking setup (that is, all containers on the default bridge network), this can be fixed with the following addition to the above chain:

chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow outgoing traffic, initiated by docker containers
    # This includes container-container and container-world traffic
    # (assuming interface name is docker0)
    iifname "docker0" accept

    # Allow incoming traffic from established connections
    # This includes container-world traffic
    ct state vmap { established: accept, related: accept, invalid: drop }
}
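As an added check that is not part of either answer, the script below scans the text of an `nft list ruleset` dump for the failure mode this answer describes: a chain hooked on forward with policy drop but without the `iifname "docker0" accept` rule and the conntrack accept rule. The two rulesets embedded in it are constructed for the example, and `docker0` is assumed to be the bridge name (the Docker default); on a real host you would feed it `nft list ruleset` instead.

```shell
#!/bin/sh
# Added example, not code from the original answers. Inspects an nftables
# ruleset dump for a forward chain that would drop Docker bridge traffic.
# Bridge name docker0 is the Docker default and an assumption here.

# Print the body of every chain hooked on forward, braces included.
# A chain ends at a line holding only "}", so a vmap "{ ... }" on one
# rule line does not terminate it early.
forward_chain_body() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*chain[[:space:]]/ { inchain = 1; body = ""; isfwd = 0 }
        inchain {
            if ($0 ~ /hook[[:space:]]+forward/) isfwd = 1
            body = body $0 "\n"
            if ($0 ~ /^[[:space:]]*}[[:space:]]*$/) {
                if (isfwd) printf "%s", body
                inchain = 0
            }
        }'
}

# Prints one word:
#   NO_FORWARD_CHAIN  no chain is hooked on forward
#   OK                policy accept, or policy drop with both accept rules
#   BROKEN            policy drop without the docker0 accept or the
#                     established/related conntrack accept
check_docker_forward() {
    body=$(forward_chain_body "$1")
    if [ -z "$body" ]; then
        echo NO_FORWARD_CHAIN
        return 0
    fi
    # Without policy drop nothing is dropped by default, so nothing to fix.
    if ! printf '%s\n' "$body" | grep -q 'policy[[:space:]]*drop'; then
        echo OK
        return 0
    fi
    if ! printf '%s\n' "$body" | grep -q 'iifname[[:space:]]*"docker0"[[:space:]]*accept'; then
        echo BROKEN
        return 0
    fi
    if ! printf '%s\n' "$body" | grep -q 'ct state.*established'; then
        echo BROKEN
        return 0
    fi
    echo OK
}

# Constructed sample: the chain from the answer before the fix.
BROKEN_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}'

# Constructed sample: the chain after the fix, as nft prints a vmap.
FIXED_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "docker0" accept
        ct state vmap { established : accept, related : accept, invalid : drop }
    }
}'

printf 'constructed broken ruleset: %s\n' "$(check_docker_forward "$BROKEN_RULESET")"
printf 'constructed fixed ruleset:  %s\n' "$(check_docker_forward "$FIXED_RULESET")"
```

To run it against the live host, replace the constructed strings with `"$(nft list ruleset)"`; a result of BROKEN points at exactly the situation the answer describes, while NO_FORWARD_CHAIN means the drop is coming from somewhere else (or that Docker's own iptables-nft rules are managing forwarding).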