Hi.

First, I want to apologize for writing here, but I really need help and I don't know where else I can ask this.

I set up my firewall but I have one problem - connection tracking isn't working with connections from the Docker container.

Minimal, reproducible example:

    nft add table inet PREROUTING
    nft 'add chain inet PREROUTING lower_filter { type filter hook prerouting priority -130; policy drop; }'
    nft add rule inet PREROUTING lower_filter ct state established,related counter accept
    nft add rule inet PREROUTING lower_filter ct state invalid counter drop
    nft add rule inet PREROUTING lower_filter counter

It works fine on the local machine, but not in the container:

    docker run -it debian:stable /bin/bash

The Internet does not work:

    root@7c791721f0c5:/# apt update
    0% [Connecting to deb.debian.org]

This rule doesn't work:

    nft add rule inet PREROUTING lower_filter ct state established,related counter accept

It can be fixed if I add the "new" state for ct, but this is the same as disabling my firewall.

Also, I could add my firewall rules to the "input" hook, but I want to keep the rules in one place and protect both Docker and the local machine. So I use prerouting for input traffic and postrouting for output traffic.

Could you help me, please?

Additional info:

Kernel (uname -a): Linux Computer 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
Nft version (nft -v): nftables v0.9.8 (E.D.S.)
Docker version (docker -v): Docker version 20.10.5+dfsg1, build 55c4c88