@OrkoGrayskull さん、ありがとうございます!
/etc/docker/daemon.json で firewall-backend を nftables に設定できるようになった今、これに関して何か進展はありますか?そして、たぶん Debian Trixie または Bookworm をお使いなのでしょうか。私は現在これを試しているところです…
/etc/sysctl.conf で net.ipv4.ip_forward=1 を設定する必要があることに気づきました。
nftables を使用する Docker のドキュメントには次のように記載されています。
Docker のテーブルを直接変更しないでください。変更は失われる可能性が高く、Docker は自分のテーブルの完全な所有権を期待しています。
そのため、Docker のルールには触れたくないと思っています…
これは現在私が持っているもので、Ansible 経由で追加したいくつかのルールです(このサーバーは Postfix が SMTP を Discourse に転送しているため、ポート 25 が必要です)。
table inet ansible_firewall {
chain inbound_ipv4 {
icmp type echo-request limit rate 5/second accept comment "Accept IPv4 rate limited ICMP pings"
}
chain inbound_ipv6 {
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Accept IPv6 neighbour discovery"
icmpv6 type echo-request limit rate 5/second accept comment "Accept IPv6 rate limited ICMP pings"
}
chain inbound {
type filter hook input priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept } comment "Allow traffic from established and related packets, drop invalid"
iifname "lo" accept comment "Allow loopback traffic"
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 } comment "Jump to chain according to layer 3 protocol using a verdict map"
tcp dport 22 accept comment "Allow SSH on port TCP/22"
tcp dport { 80, 443 } accept comment "Allow HTTP on port TCP/80 and HTTPS on port TCP/443"
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "Allow outgoing from loopback interface"
}
}
そして、Docker/Discourse からのルールです(このサーバーには IPv6 アドレスがありません)。
table ip docker-bridges {
map filter-forward-in-jumps {
type ifname : verdict
elements = { "docker0" : jump filter-forward-in__docker0 }
}
map filter-forward-out-jumps {
type ifname : verdict
elements = { "docker0" : jump filter-forward-out__docker0 }
}
map nat-postrouting-in-jumps {
type ifname : verdict
elements = { "docker0" : jump nat-postrouting-in__docker0 }
}
map nat-postrouting-out-jumps {
type ifname : verdict
elements = { "docker0" : jump nat-postrouting-out__docker0 }
}
chain filter-FORWARD {
type filter hook forward priority filter; policy accept;
oifname vmap @filter-forward-in-jumps
iifname vmap @filter-forward-out-jumps
}
chain nat-OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
iifname vmap @nat-postrouting-out-jumps
oifname vmap @nat-postrouting-in-jumps
}
chain nat-PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-prerouting-and-output {
iifname != "docker0" tcp dport 80 counter dnat to 172.17.0.2:80 comment "DNAT"
iifname != "docker0" tcp dport 443 counter dnat to 172.17.0.2:443 comment "DNAT"
}
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
ip daddr 172.17.0.2 iifname != "docker0" counter drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__docker0 {
ct state established,related counter accept
iifname "docker0" counter accept comment "ICC"
ip daddr 172.17.0.2 tcp dport 80 counter accept
ip daddr 172.17.0.2 tcp dport 443 counter accept
counter drop comment "UNPUBLISHED PORT DROP"
}
chain filter-forward-out__docker0 {
ct state established,related counter accept
counter accept comment "OUTGOING"
}
chain nat-postrouting-in__docker0 {
}
chain nat-postrouting-out__docker0 {
oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade comment "MASQUERADE"
}
}
table ip6 docker-bridges {
map filter-forward-in-jumps {
type ifname : verdict
}
map filter-forward-out-jumps {
type ifname : verdict
}
map nat-postrouting-in-jumps {
type ifname : verdict
}
map nat-postrouting-out-jumps {
type ifname : verdict
}
chain filter-FORWARD {
type filter hook forward priority filter; policy accept;
oifname vmap @filter-forward-in-jumps
iifname vmap @filter-forward-out-jumps
}
chain nat-OUTPUT {
type nat hook output priority -100; policy accept;
ip6 daddr != ::1 fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
iifname vmap @nat-postrouting-out-jumps
oifname vmap @nat-postrouting-in-jumps
}
chain nat-PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter jump nat-prerouting-and-output
}
chain nat-prerouting-and-output {
}
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
}
ポート 80 と 443 以外のすべては正常に動作しているようです… 