I have now read the thread and tested something myself. Docker brings its own iptables rules and applies them after installation or when the docker service is (re)started/loaded:
service docker restart
Without these rulesets the installation of Discourse will not work. Means: when installing, rebuilding or restarting the container, these rules must be present. Otherwise the error message appears:
Error response from daemon: driver failed programming external connectivity on endpoint app (e4d4d3cc812a11862ee6aaa6ab453e61b95da1e6d90f9a76a71959148d228476): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 443 -j DNAT --to-destination 172.17.0.2:443 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1))
However, once the Discourse installation is complete or the container is restarted after an update, the Docker rules are apparently no longer needed. Then the following nftables rules can be loaded:
#!/usr/sbin/nft -f
####################
# Purge/Flush #
####################
flush ruleset
####################
# Incoming Traffic #
####################
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow loopback interface
iifname lo accept
# Rate limit ICMPv4|ICMPv6 traffic
ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } limit rate over 5/second drop
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, parameter-problem, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } limit rate over 5/second drop
# Allow packets to established/related connections
ct state established,related accept
# Drop invalid connections
ct state invalid drop
# Allow ICMPv4: Ping requests | Error messages | Router selection messages
ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
# Allow ICMPv6 traffic (https://tools.ietf.org/html/rfc4890#page-18)
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, parameter-problem, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Allow SSH access on port 7777 [rate limit]
tcp dport 7777 ct state new limit rate 3/minute accept
# Allow HTTP / HTTPS traffic
tcp dport { http, https } accept
# Reject other packets
ip protocol tcp reject with tcp reset
ip6 nexthdr tcp reject with tcp reset
}
####################
# Forward Traffic #
####################
chain forward {
type filter hook forward priority 0; policy drop;
}
####################
# Outgoing Traffic #
####################
chain output {
type filter hook output priority 0; policy accept;
# Allow loopback interface
oifname lo accept
}
}
This now brings me to another question: what to do?