pcollinson / nftfw

nftfw - nftables firewall builder for Debian
MIT License

Problem with docker container and nftfw #11

Open T0unet opened 1 month ago

T0unet commented 1 month ago

I've been using this tool for quite some time now, but I'm having a problem trying to switch over and test docker on my box, which is now compatible with nft.

If I reset the ruleset and start the docker service, I end up with this type of template.

table ip nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
                iifname "br-591ca8bdf81a" counter packets 0 bytes 0 return
                iifname != "br-591ca8bdf81a" meta l4proto tcp tcp dport 1080 counter packets 0 bytes 0 dnat to 172.18.0.2:1080
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
                oifname != "br-591ca8bdf81a" ip saddr 172.18.0.0/16 counter packets 14 bytes 1215 masquerade
                meta l4proto tcp ip saddr 172.18.0.2 ip daddr 172.18.0.2 tcp dport 1080 counter packets 0 bytes 0 masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 57 bytes 2744 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }
}
table ip filter {
        chain DOCKER {
                iifname != "br-591ca8bdf81a" oifname "br-591ca8bdf81a" meta l4proto tcp ip daddr 172.18.0.2 tcp dport 1080 counter packets 0 bytes 0 accept
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-591ca8bdf81a" oifname != "br-591ca8bdf81a" counter packets 204 bytes 32325 jump DOCKER-ISOLATION-STAGE-2
                counter packets 342 bytes 101408 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-591ca8bdf81a" counter packets 0 bytes 0 drop
                counter packets 204 bytes 32325 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 342 bytes 101408 jump DOCKER-USER
                counter packets 342 bytes 101408 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
                oifname "br-591ca8bdf81a" ct state related,established counter packets 138 bytes 69083 accept
                oifname "br-591ca8bdf81a" counter packets 0 bytes 0 jump DOCKER
                iifname "br-591ca8bdf81a" oifname != "br-591ca8bdf81a" counter packets 204 bytes 32325 accept
                iifname "br-591ca8bdf81a" oifname "br-591ca8bdf81a" counter packets 0 bytes 0 accept
        }

        chain DOCKER-USER {
                counter packets 342 bytes 101408 return
        }
}
table ip6 nat {
        chain DOCKER {
        }
}
table ip6 filter {
        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-591ca8bdf81a" oifname != "br-591ca8bdf81a" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 0 bytes 0 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-591ca8bdf81a" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 0 bytes 0 jump DOCKER-USER
        }

        chain DOCKER-USER {
                counter packets 0 bytes 0 return
        }
}

So I tried to dump the base config after my container started: nft -s list ruleset > /var/lib/nftfw/install.d/docker.nft

and edited the file with vi /etc/nftfw/nftfw_init.nft:

#docker rules
include "docker.nft"

and then reloaded the full rules: nftfw -f -v load

It works only if the container is not restarted.

If I restart the container, there is no access to the outside from the container: level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.18.0.2:49891" dns-server="udp ....

I don't think I know nft well enough to understand the problem. Can I get some help?
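Added example, not code from this thread or from nftfw itself: a small parser for the `nft list ruleset` text format shown above, used to see what a saved docker.nft snapshot pins (interface names, DNAT targets) and to list the rules on which the snapshot and the live ruleset disagree after a container restart. The sample dump is a trimmed, constructed copy of the one posted; the 172.18.0.3 address is an assumed value used only to simulate a container coming back with a different address.

```python
"""Compare a saved Docker nft snapshot with a live ruleset (added example)."""
import re

# Constructed sample: a trimmed copy of the dump posted in this issue.
SAMPLE = """\
table ip nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
                iifname != "br-591ca8bdf81a" meta l4proto tcp tcp dport 1080 counter packets 0 bytes 0 dnat to 172.18.0.2:1080
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 57 bytes 2744 jump DOCKER
        }
}
table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 342 bytes 101408 jump DOCKER-USER
                oifname "br-591ca8bdf81a" ct state related,established counter packets 138 bytes 69083 accept
        }

        chain DOCKER-USER {
                counter packets 342 bytes 101408 return
        }
}
"""

COUNTER_RE = re.compile(r"counter packets \d+ bytes \d+")
TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")
IFNAME_RE = re.compile(r'(?:iifname|oifname) (?:!= )?"([^"]+)"')
DNAT_RE = re.compile(r"dnat to (\d+\.\d+\.\d+\.\d+)")


def normalise(rule):
    """Drop counter values so two dumps can be compared by rule text alone."""
    return re.sub(r"\s+", " ", COUNTER_RE.sub("counter", rule)).strip()


def parse_ruleset(text):
    """Return {(family, table): {chain: [rule, ...]}} from `nft list ruleset` text.

    Base-chain headers ("type ... hook ... policy ...;") are kept as the
    chain's first entry so base chains stay distinguishable from regular ones.
    """
    tables = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            table = (m.group(1), m.group(2))
            tables[table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            tables[table][chain] = []
            continue
        if line == "}":
            # A chain's closing brace comes before its table's closing brace.
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None:
            continue  # table-level objects (sets, maps) are not needed here
        tables[table][chain].append(normalise(line))
    return tables


def docker_pins(tables):
    """Interface names and DNAT targets hard-coded in Docker's own chains.

    A static docker.nft include freezes these values; Docker itself removes
    and re-adds the per-container ones when a container is stopped/started.
    """
    ifnames, targets = set(), set()
    for chains in tables.values():
        for name, rules in chains.items():
            if not name.startswith("DOCKER"):
                continue
            for rule in rules:
                ifnames.update(IFNAME_RE.findall(rule))
                targets.update(DNAT_RE.findall(rule))
    return sorted(ifnames), sorted(targets)


def diff_rulesets(saved, live):
    """Rules present only in the snapshot, and rules present only live."""
    def flat(tables):
        return {(t, c, r) for t, chains in tables.items()
                for c, rules in chains.items() for r in rules}
    a, b = flat(saved), flat(live)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    saved = parse_ruleset(SAMPLE)
    # Assumed scenario: the same container restarted and handed 172.18.0.3.
    live = parse_ruleset(SAMPLE.replace("172.18.0.2", "172.18.0.3"))
    print("pinned by snapshot:", docker_pins(saved))
    stale, fresh = diff_rulesets(saved, live)
    for (family, table), chain, rule in stale:
        print(f"only in snapshot: {family} {table} {chain}: {rule}")
    for (family, table), chain, rule in fresh:
        print(f"only live:        {family} {table} {chain}: {rule}")
```

In practice, feed the contents of the saved docker.nft and the output of a fresh `nft list ruleset` to parse_ruleset and diff them: anything that appears on only one side is a rule the static include pins that Docker no longer generates in the same form, which is the first thing to check when the container stops reaching the outside after a restart.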

pcollinson commented 1 month ago

I don't know anything about Docker I am afraid. Is Docker adding these rules to nftables when it starts? br-591ca8bdf81a looks like an interface name that Docker generates, so perhaps when it restarts it's expecting to use a new name and add new rules?

My initial thought was that nftfw was zapping your file in the install.d directory. I don't think this is the case. However, to be safe I would put your file in /etc/nftfw and use an absolute path in the include:

include "/etc/nftfw/docker.nft"

pcollinson commented 1 month ago

This link seems a simpler starting point. It uses IP addresses to select Docker traffic and not interfaces - and talks a bit about setting up Docker. https://blog.ghostinashell.com/linux/nftables/2020/03/07/nftables.html

There may be other related content out there that can assist you.