Hello,
I've found this: and that: Topic. But they did not help.
My main issue is: Docker Container with a bridge cannot connect to the Internet.
docker run --rm alpine ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
That should work right? So i assume my Firewall is somehow wrongly configured.
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[7]=rule
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='docker_zone'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='docker' 'docker_bridge'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='docker_zone'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='docker_zone'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='docker_zone'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wan'
firewall.@forwarding[4].dest='docker_zone'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Zoraxy HTTP'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='80'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Zoraxy HTTPS'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='192.168.1.1'
firewall.@redirect[1].dest_port='443'
firewall.@zone[3]=zone
firewall.@zone[3].name='netbird'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].network='netbird' 'wgeasy'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='netbird'
firewall.@forwarding[5].dest='lan'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='netbird'
firewall.@forwarding[6].dest='wan'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].src='lan'
firewall.@forwarding[7].dest='netbird'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='wgeasy'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='51826'
firewall.@redirect[2].dest_ip='192.168.1.1'
firewall.@redirect[2].dest_port='51826'
firewall.docker=zone
firewall.docker.input='ACCEPT'
firewall.docker.output='ACCEPT'
firewall.docker.forward='ACCEPT'
firewall.docker.name='docker'
firewall.docker.network='docker'
firewall.docker.masq='1'
firewall.docker.mtu_fix='1'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='torrent'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='50413'
firewall.@redirect[3].dest_ip='192.168.1.2'
firewall.@redirect[3].dest_port='50413'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='ftp'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].src_dport='21'
firewall.@redirect[4].dest_ip='192.168.1.2'
firewall.@redirect[4].dest_port='21'
firewall.@zone[5]=zone
firewall.@zone[5].name='sleep'
firewall.@zone[5].input='DROP'
firewall.@zone[5].output='DROP'
firewall.@zone[5].forward='DROP'
firewall.@zone[5].device='192.168.1.92'
firewall.@zone[5].network='docker' 'docker_bridge' 'lan' 'netbird' 'wgeasy'
fw3 print
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
Automatically including '/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft'
table inet fw4
flush table inet fw4
delete flowtable inet fw4 ft
table inet fw4 {
Flowtable
flowtable ft {
hook ingress priority 0;
devices = { "docker0", "lan1", "lan2", "lan3", "lan4", "phy0-ap0", "phy1-ap0", "sfp2", "wan", "wg0", "wt0" };
counter;
flags offload;
}
#
# Defines
#
define lan_devices = { "br-lan" }
define lan_subnets = { 192.168.1.0/24, 2001:4060:c00b:dd30::/60, fddf:3940:83b2::/60 }
define wan_devices = { "br-wan" }
define wan_subnets = { 31.11.20.0/22, 2001:4060:c002:9:fd49:1d28:6cbd:63c0 }
define docker_zone_devices = { "docker0", "br-60176130fd86" }
define docker_zone_subnets = { }
define netbird_devices = { "wt0", "wg0" }
define netbird_subnets = { }
define docker_devices = { "docker0" }
define docker_subnets = { }
define sleep_devices = { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 }
define sleep_subnets = { 192.168.1.0/24, 2001:4060:c00b:dd30::/60, fddf:3940:83b2::/60 }
#
# User includes
#
include "/etc/nftables.d/*.nft"
#
# Filter rules
#
chain input {
type filter hook input priority filter; policy accept;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "br-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname { "docker0", "br-60176130fd86" } jump input_docker_zone comment "!fw4: Handle docker_zone IPv4/IPv6 input traffic"
iifname { "wt0", "wg0" } jump input_netbird comment "!fw4: Handle netbird IPv4/IPv6 input traffic"
iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic"
iifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } jump input_sleep comment "!fw4: Handle sleep IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
meta l4proto { tcp, udp } flow offload @ft;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "br-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname { "docker0", "br-60176130fd86" } jump forward_docker_zone comment "!fw4: Handle docker_zone IPv4/IPv6 forward traffic"
iifname { "wt0", "wg0" } jump forward_netbird comment "!fw4: Handle netbird IPv4/IPv6 forward traffic"
iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic"
iifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } jump forward_sleep comment "!fw4: Handle sleep IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "br-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname { "docker0", "br-60176130fd86" } jump output_docker_zone comment "!fw4: Handle docker_zone IPv4/IPv6 output traffic"
oifname { "wt0", "wg0" } jump output_netbird comment "!fw4: Handle netbird IPv4/IPv6 output traffic"
oifname "docker0" jump output_docker comment "!fw4: Handle docker IPv4/IPv6 output traffic"
oifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } jump output_sleep comment "!fw4: Handle sleep IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
iifname { "wt0", "wg0" } jump helper_netbird comment "!fw4: Handle netbird IPv4/IPv6 helper assignment"
iifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } jump helper_sleep comment "!fw4: Handle sleep IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
ct status dnat accept comment "!fw4: Accept port redirections"
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
tcp dport 853 counter jump handle_reject comment "!fw4: ubus:https-dns-proxy[instance1] rule 1"
udp dport 853 counter jump handle_reject comment "!fw4: ubus:https-dns-proxy[instance1] rule 1"
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_docker_zone comment "!fw4: Accept lan to docker_zone forwarding"
jump accept_to_netbird comment "!fw4: Accept lan to netbird forwarding"
ct status dnat accept comment "!fw4: Accept port forwards"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
ct status dnat accept comment "!fw4: Accept port redirections"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter jump accept_to_lan comment "!fw4: @rule[7]"
udp dport 500 counter jump accept_to_lan comment "!fw4: @rule[8]"
jump accept_to_docker_zone comment "!fw4: Accept wan to docker_zone forwarding"
ct status dnat accept comment "!fw4: Accept port forwards"
jump reject_to_wan
}
chain accept_to_wan {
meta nfproto ipv4 oifname "br-wan" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
oifname "br-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "br-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "br-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain input_docker_zone {
jump accept_from_docker_zone
}
chain output_docker_zone {
jump accept_to_docker_zone
}
chain forward_docker_zone {
jump accept_to_lan comment "!fw4: Accept docker_zone to lan forwarding"
jump accept_to_wan comment "!fw4: Accept docker_zone to wan forwarding"
jump reject_to_docker_zone
}
chain accept_from_docker_zone {
iifname { "docker0", "br-60176130fd86" } counter accept comment "!fw4: accept docker_zone IPv4/IPv6 traffic"
}
chain accept_to_docker_zone {
meta nfproto ipv4 oifname { "docker0", "br-60176130fd86" } ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
oifname { "docker0", "br-60176130fd86" } counter accept comment "!fw4: accept docker_zone IPv4/IPv6 traffic"
}
chain reject_to_docker_zone {
oifname { "docker0", "br-60176130fd86" } counter jump handle_reject comment "!fw4: reject docker_zone IPv4/IPv6 traffic"
}
chain input_netbird {
jump accept_from_netbird
}
chain output_netbird {
jump accept_to_netbird
}
chain forward_netbird {
jump accept_to_lan comment "!fw4: Accept netbird to lan forwarding"
jump accept_to_wan comment "!fw4: Accept netbird to wan forwarding"
jump accept_to_netbird
}
chain helper_netbird {
}
chain accept_from_netbird {
iifname { "wt0", "wg0" } counter accept comment "!fw4: accept netbird IPv4/IPv6 traffic"
}
chain accept_to_netbird {
oifname { "wt0", "wg0" } counter accept comment "!fw4: accept netbird IPv4/IPv6 traffic"
}
chain input_docker {
jump accept_from_docker
}
chain output_docker {
jump accept_to_docker
}
chain forward_docker {
jump accept_to_docker
}
chain accept_from_docker {
iifname "docker0" counter accept comment "!fw4: accept docker IPv4/IPv6 traffic"
}
chain accept_to_docker {
meta nfproto ipv4 oifname "docker0" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
oifname "docker0" counter accept comment "!fw4: accept docker IPv4/IPv6 traffic"
}
chain input_sleep {
jump drop_from_sleep
}
chain output_sleep {
jump drop_to_sleep
}
chain forward_sleep {
jump drop_to_sleep
}
chain helper_sleep {
}
chain drop_from_sleep {
iifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } counter drop comment "!fw4: drop sleep IPv4/IPv6 traffic"
}
chain drop_to_sleep {
oifname { "docker0", "br-60176130fd86", "br-lan", "wt0", "wg0", 192.168.1.92 } counter drop comment "!fw4: drop sleep IPv4/IPv6 traffic"
}
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname "br-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname "br-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname { "docker0", "br-60176130fd86" } jump srcnat_docker_zone comment "!fw4: Handle docker_zone IPv4/IPv6 srcnat traffic"
oifname "docker0" jump srcnat_docker comment "!fw4: Handle docker IPv4/IPv6 srcnat traffic"
}
chain dstnat_lan {
tcp dport 53 counter redirect to 53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
udp dport 53 counter redirect to 53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 tcp dport 80 dnat 192.168.1.1:80 comment "!fw4: Zoraxy HTTP (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 udp dport 80 dnat 192.168.1.1:80 comment "!fw4: Zoraxy HTTP (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 tcp dport 443 dnat 192.168.1.1:443 comment "!fw4: Zoraxy HTTPS (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 udp dport 443 dnat 192.168.1.1:443 comment "!fw4: Zoraxy HTTPS (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 tcp dport 51826 dnat 192.168.1.1:51826 comment "!fw4: wgeasy (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 udp dport 51826 dnat 192.168.1.1:51826 comment "!fw4: wgeasy (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 tcp dport 50413 dnat 192.168.1.2:50413 comment "!fw4: torrent (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 udp dport 50413 dnat 192.168.1.2:50413 comment "!fw4: torrent (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 tcp dport 21 dnat 192.168.1.2:21 comment "!fw4: ftp (reflection)"
ip saddr 192.168.1.0/24 ip daddr 31.11.21.211 udp dport 21 dnat 192.168.1.2:21 comment "!fw4: ftp (reflection)"
}
chain srcnat_lan {
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 tcp dport 80 snat 192.168.1.1 comment "!fw4: Zoraxy HTTP (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 udp dport 80 snat 192.168.1.1 comment "!fw4: Zoraxy HTTP (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 tcp dport 443 snat 192.168.1.1 comment "!fw4: Zoraxy HTTPS (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 udp dport 443 snat 192.168.1.1 comment "!fw4: Zoraxy HTTPS (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 tcp dport 51826 snat 192.168.1.1 comment "!fw4: wgeasy (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 udp dport 51826 snat 192.168.1.1 comment "!fw4: wgeasy (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.2 tcp dport 50413 snat 192.168.1.1 comment "!fw4: torrent (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.2 udp dport 50413 snat 192.168.1.1 comment "!fw4: torrent (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.2 tcp dport 21 snat 192.168.1.1 comment "!fw4: ftp (reflection)"
ip saddr 192.168.1.0/24 ip daddr 192.168.1.2 udp dport 21 snat 192.168.1.1 comment "!fw4: ftp (reflection)"
}
chain dstnat_wan {
meta nfproto ipv4 tcp dport 80 counter dnat 192.168.1.1:80 comment "!fw4: Zoraxy HTTP"
meta nfproto ipv4 udp dport 80 counter dnat 192.168.1.1:80 comment "!fw4: Zoraxy HTTP"
meta nfproto ipv4 tcp dport 443 counter dnat 192.168.1.1:443 comment "!fw4: Zoraxy HTTPS"
meta nfproto ipv4 udp dport 443 counter dnat 192.168.1.1:443 comment "!fw4: Zoraxy HTTPS"
meta nfproto ipv4 tcp dport 51826 counter dnat 192.168.1.1:51826 comment "!fw4: wgeasy"
meta nfproto ipv4 udp dport 51826 counter dnat 192.168.1.1:51826 comment "!fw4: wgeasy"
meta nfproto ipv4 tcp dport 50413 counter dnat 192.168.1.2:50413 comment "!fw4: torrent"
meta nfproto ipv4 udp dport 50413 counter dnat 192.168.1.2:50413 comment "!fw4: torrent"
meta nfproto ipv4 tcp dport 21 counter dnat 192.168.1.2:21 comment "!fw4: ftp"
meta nfproto ipv4 udp dport 21 counter dnat 192.168.1.2:21 comment "!fw4: ftp"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain srcnat_docker_zone {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 docker_zone traffic"
}
chain srcnat_docker {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 docker traffic"
}
#
# Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname "br-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
oifname "docker0" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone docker IPv4/IPv6 egress MTU fixing"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "br-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
iifname "docker0" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone docker IPv4/IPv6 ingress MTU fixing"
}
}
include "/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft"
iptables-save
Generated by iptables-save v1.8.10 (nf_tables) on Sun May 10 16:13:08 2026
*filter
:INPUT ACCEPT [56796971:77985234326]
:FORWARD ACCEPT [60715478:19160213529]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i wt0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o wt0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wt0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i br-wan -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -i br-wan -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
COMMIT
Completed on Sun May 10 16:13:08 2026
Generated by iptables-save v1.8.10 (nf_tables) on Sun May 10 16:13:08 2026
*nat
:PREROUTING ACCEPT [4190168:551886886]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2239112:171593065]
:POSTROUTING ACCEPT [2838585:303313066]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
Completed on Sun May 10 16:13:08 2026
Warning: iptables-legacy tables present, use iptables-legacy-save to see them
nft list ruleset
Character limit.... on PAstebin:
https://pastebin.com/kmf86JJx
ubus call system board
{
"kernel": "6.12.74",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Bananapi BPI-R3",
"board_name": "bananapi,bpi-r3",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "mediatek/filogic",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}