Grazie @OrkoGrayskull!
Ci sono aggiornamenti su questo ora che /etc/docker/daemon.json può avere firewall-backend impostato su nftables e immagino che tu stia ora eseguendo Debian Trixie o Bookworm — sto sperimentando con questo…
Ho scoperto che in /etc/sysctl.conf è necessario impostare net.ipv4.ip_forward=1.
La documentazione di Docker con nftables dice:
Non modificare direttamente le tabelle di Docker poiché le modifiche andranno probabilmente perse, Docker si aspetta di avere la piena proprietà delle sue tabelle.
Quindi spero di non dover toccare le regole di Docker…
Questo è quello che ho attualmente, alcune regole che ho aggiunto tramite Ansible (questo server inoltra le email SMTP a Discourse, motivo per cui la porta 25 è necessaria):
table inet ansible_firewall {
chain inbound_ipv4 {
icmp type echo-request limit rate 5/second accept comment "Accetta ping ICMP con limite di velocità"
}
chain inbound_ipv6 {
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Accetta la discovery dei vicini IPv6"
icmpv6 type echo-request limit rate 5/second accept comment "Accetta ping ICMP IPv6 con limite di velocità"
}
chain inbound {
type filter hook input priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept } comment "Consenti il traffico da pacchetti stabiliti e correlati, scarta quelli non validi"
iifname "lo" accept comment "Consenti il traffico di loopback"
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 } comment "Salta alla catena in base al protocollo di livello 3 usando una verdict map"
tcp dport 22 accept comment "Consenti SSH sulla porta TCP/22"
tcp dport { 80, 443 } accept comment "Consenti HTTP sulla porta TCP/80 e HTTPS sulla porta TCP/443"
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "Consenti l'uscita dall'interfaccia di loopback"
}
}
E le regole da Docker / Discourse (nota che questo server non ha un indirizzo IPv6):
table ip docker-bridges {
map filter-forward-in-jumps {
type ifname : verdict
elements = { "docker0" : jump filter-forward-in__docker0 }
}
map filter-forward-out-jumps {
type ifname : verdict
elements = { "docker0" : jump filter-forward-out__docker0 }
}
map nat-postrouting-in-jumps {
type ifname : verdict
elements = { "docker0" : jump nat-postrouting-in__docker0 }
}
map nat-postrouting-out-jumps {
type ifname : verdict
elements = { "docker0" : jump nat-postrouting-out__docker0 }
}
chain filter-FORWARD {
type filter hook forward priority filter; policy accept;
oifname vmap @filter-forward-in-jumps
iifname vmap @filter-forward-out-jumps
}
chain nat-OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
iifname vmap @nat-postrouting-out-jumps
oifname vmap @nat-postrouting-in-jumps
}
chain nat-PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-prerouting-and-output {
iifname != "docker0" tcp dport 80 counter dnat to 172.17.0.2:80 comment "DNAT"
iifname != "docker0" tcp dport 443 counter dnat to 172.17.0.2:443 comment "DNAT"
}
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
ip daddr 172.17.0.2 iifname != "docker0" counter drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__docker0 {
ct state established,related counter accept
iifname "docker0" counter accept comment "ICC"
ip daddr 172.17.0.2 tcp dport 80 counter accept
ip daddr 172.17.0.2 tcp dport 443 counter accept
counter drop comment "UNPUBLISHED PORT DROP"
}
chain filter-forward-out__docker0 {
ct state established,related counter accept
counter accept comment "OUTGOING"
}
chain nat-postrouting-in__docker0 {
}
chain nat-postrouting-out__docker0 {
oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade comment "MASQUERADE"
}
}
table ip6 docker-bridges {
map filter-forward-in-jumps {
type ifname : verdict
}
map filter-forward-out-jumps {
type ifname : verdict
}
map nat-postrouting-in-jumps {
type ifname : verdict
}
map nat-postrouting-out-jumps {
type ifname : verdict
}
chain filter-FORWARD {
type filter hook forward priority filter; policy accept;
oifname vmap @filter-forward-in-jumps
iifname vmap @filter-forward-out-jumps
}
chain nat-OUTPUT {
type nat hook output priority -100; policy accept;
ip6 daddr != ::1 fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
iifname vmap @nat-postrouting-out-jumps
oifname vmap @nat-postrouting-in-jumps
}
chain nat-PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-prerouting-and-output {
}
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
}
E tutto tranne le porte 80 e 443 sembra funzionare… 