-----Original Message-----
From: Alberto
Sent: Tuesday, 23 April 2024 21:44
To: netfilter@xxxxxxxxxxxxxxx
Subject: NFT: Drop to Docker bridge

Hi,

I'm configuring my NFTABLES policy with the following scenario:

- eth0: WAN interface
- br0: LAN interface (bridge with several ports).
- docker0: default Docker bridge (unused).
- br-9028b4c107a5: Docker bridge interface between the operative containers.

Docker's iptables policy is disabled ({ "iptables": false } in /etc/docker/daemon.json), and I define the global policy myself.

I want to define a policy with access to the WAN (eth0) for the LAN (br0) and Docker container (br-9028b4c107a5) interfaces, but without access from the WAN, and total access between the LAN (br0) and the Docker containers (br-9028b4c107a5).

My policy:

    table ip alb-nat {
        chain PREROUTING {
            type nat hook prerouting priority 30; policy accept;
        }
        chain POSTROUTING {
            type nat hook postrouting priority 30; policy accept;
            oifname "eth0" ip saddr 192.168.1.0/24 masquerade
            oifname "eth0" ip saddr 172.22.0.0/24 masquerade
        }
    }

    table inet alb-fw {
        chain BASE_CHECKS {
            # "new : accept" makes this jump accept every new flow before the caller's interface rules are evaluated
            ct state vmap { invalid : drop, established : accept, related : accept, new : accept }
        }
        chain INPUT {
            type filter hook input priority filter + 10; policy drop;
            jump BASE_CHECKS
            iifname "lo" accept
            iifname "br0" ip saddr 192.168.1.0/24 accept
            log prefix "[NFTABLES] Denied: " flags all
        }
        chain FORWARD {
            type filter hook forward priority filter + 10; policy drop;
            jump BASE_CHECKS
            iifname "br0" oifname "br-9028b4c107a5" ip saddr 192.168.1.0/24 accept
            iifname "br-9028b4c107a5" oifname "br0" ip saddr 172.22.0.0/24 accept
        }
        chain OUTPUT {
            type filter hook output priority filter + 10
            jump BASE_CHECKS
        }
    }

But the containers can always be accessed from the WAN. I don't know why, because the FORWARD chain policy is DROP.

Can somebody give me a hint to solve the problem?

I answer to myself (if anybody is interested)...

The problem was the BASE_CHECKS chain definition: somewhere I saw three states for the established-connection phase (new, related and established), but the "new" state was the problem. I removed it, and outside access to the containers is gone.

Regards,
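For readers landing on this thread, here is the corrected filter table as an added example (editor's illustration, not Alberto's final ruleset). The point is that a verdict map entry "new : accept" inside a chain reached by jump returns accept for every fresh connection, so the interface-specific rules and the chain policy that follow the jump are never consulted for new flows; the drop policy only ever saw packets that were already invalid. With "new" removed, BASE_CHECKS handles only connection-tracking state and new flows fall through to explicit rules. The original mail contains no rule forwarding LAN or container traffic to eth0 (the "new : accept" entry was silently covering that), so the two "oifname eth0" accept rules below are an assumption added here to keep outbound WAN access working; the FORWARD log rule is also added so that blocked attempts from the WAN become visible in the kernel log.

```nft
# Added example, not from the original mail. Assumes the interface names and
# subnets from the thread; the eth0 accept rules and the FORWARD log rule are
# additions that the original ruleset did not have.
table inet alb-fw {
    chain BASE_CHECKS {
        # "new" is deliberately absent: the calling chain decides about new flows
        ct state vmap { invalid : drop, established : accept, related : accept }
    }

    chain INPUT {
        type filter hook input priority filter + 10; policy drop;
        jump BASE_CHECKS
        iifname "lo" accept
        iifname "br0" ip saddr 192.168.1.0/24 accept
        log prefix "[NFTABLES] Denied: " flags all
    }

    chain FORWARD {
        type filter hook forward priority filter + 10; policy drop;
        jump BASE_CHECKS
        # LAN <-> containers, both directions
        iifname "br0" oifname "br-9028b4c107a5" ip saddr 192.168.1.0/24 accept
        iifname "br-9028b4c107a5" oifname "br0" ip saddr 172.22.0.0/24 accept
        # outbound to the WAN only (assumed rules); replies come back as established/related
        iifname "br0" oifname "eth0" ip saddr 192.168.1.0/24 accept
        iifname "br-9028b4c107a5" oifname "eth0" ip saddr 172.22.0.0/24 accept
        # everything else, including new flows arriving on eth0, is logged and then dropped by policy
        log prefix "[NFTABLES] Fwd denied: " flags all
    }

    chain OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        jump BASE_CHECKS
    }
}
```

Check the file with nft -c -f before loading it with nft -f, then confirm with nft list ruleset that the BASE_CHECKS map no longer carries a "new" entry. A new connection from the WAN toward a container should now show up only as a "[NFTABLES] Fwd denied:" line in the kernel log, while LAN-to-WAN and LAN-to-container flows keep working through the explicit accept rules.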