Docker container access from lan bridge

Hello,

I installed Docker CE on my fresh OpenWrt (OpenWrt SNAPSHOT, r23303-d69becd307) install and I can now pull and run containers on it. I can access my web containers locally with curl on the IP of my container (a 172.x.x.x-like IP), but when I try from my LAN it does not work.

After running a sample container I can see that iptables has been modified like this:

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:www

But I still can't access my web page from my LAN (outside the OpenWrt host).
Is there a way or a specific configuration for that?

Thanks for your help.

Does the web server allow connections from networks other than its local net? What errors does it show in the logs?

Yes, it allows connections from other networks; here is the command I used to run it:

docker run -p 0.0.0.0:80:80 --network internal -d nginxdemos/hello

There are no errors in the container logs, but when I run curl with its internal IP it works:

curl http://172.18.0.2

And when I do the same thing from my laptop, I have a firewall issue (connection refused).

This is not what I meant. With docker run -p you are exposing port 80 of the docker container to OpenWrt, which may as well conflict with LuCI. And you are not certain that the web server of nginxdemos is allowing connections from outside of the local net.

Ok sorry. Concerning the fact that port 80 may conflict with LuCI, I changed the LuCI port to another one to be able to expose port 80 on my container.
Concerning the container, I've just picked a container on Docker Hub which exposes port 80 to test the external connectivity, so you're right, I'm not sure that the web server is allowing connections, but as per the following container logs, the HTTP flow does not reach the container (I can't see any HTTP logs when I test from outside the host):

root@fwap:~# docker logs admiring_cori -tf
2023-06-12T07:46:27.398279707Z /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
2023-06-12T07:46:27.398462575Z /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
2023-06-12T07:46:27.401092710Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
2023-06-12T07:46:27.404408271Z 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
2023-06-12T07:46:27.405170771Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
2023-06-12T07:46:27.411354311Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
2023-06-12T07:46:27.414286504Z /docker-entrypoint.sh: Configuration complete; ready for start up
2023-06-12T07:46:27.429822851Z 2023/06/12 07:46:27 [notice] 1#1: using the "epoll" event method
2023-06-12T07:46:27.429899309Z 2023/06/12 07:46:27 [notice] 1#1: nginx/1.25.0
2023-06-12T07:46:27.429913553Z 2023/06/12 07:46:27 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
2023-06-12T07:46:27.429925334Z 2023/06/12 07:46:27 [notice] 1#1: OS: Linux 5.15.114
2023-06-12T07:46:27.429937191Z 2023/06/12 07:46:27 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023-06-12T07:46:27.430208374Z 2023/06/12 07:46:27 [notice] 1#1: start worker processes
2023-06-12T07:46:27.430562175Z 2023/06/12 07:46:27 [notice] 1#1: start worker process 20
2023-06-12T07:46:27.431005369Z 2023/06/12 07:46:27 [notice] 1#1: start worker process 21
2023-06-12T07:46:27.431543885Z 2023/06/12 07:46:27 [notice] 1#1: start worker process 22
2023-06-12T07:46:27.432843437Z 2023/06/12 07:46:27 [notice] 1#1: start worker process 23
2023-06-12T07:49:39.310628502Z 172.18.0.1 - - [12/Jun/2023:07:49:39 +0000] "GET / HTTP/1.1" 200 7231 "-" "curl/8.1.1" "-"
2023-06-12T07:54:01.532622700Z 172.18.0.1 - - [12/Jun/2023:07:54:01 +0000] "GET / HTTP/1.1" 200 7231 "-" "curl/8.1.1" "-"

Are there other logs, like firewall logs, that I can check?

Ok, let's have a look at what the status is:
ubus call system board; uci export network; uci export firewall; netstat -lnp | grep 80 ; docker inspect hello; nft list ruleset

Here are the results:

root@fwap:~# ubus call system board; uci export network; uci export firewall; netstat -lnp | grep 80 ; docker inspect hello; nft list ruleset
{
        "kernel": "5.15.114",
        "hostname": "fwap",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r23303-d69becd307",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r23303-d69becd307"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd65:ed11:d93a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '7e:7f:f8:60:98:3b'

config device
        option name 'wan'
        option macaddr '7e:7f:f8:60:98:3b'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'myNetwork'
        option device 'myzone'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'myzone'

config device
        option type 'bridge'
        option name 'br-bfb7103a6c31'

package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'myzone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'myzone'
        list device 'br-bfb7103a6c31'
        list network 'myNetwork'

config forwarding
        option src 'myzone'
        option dest 'wan'

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6012/docker-proxy
tcp        0      0 0.0.0.0:8880            0.0.0.0:*               LISTEN      2313/uhttpd
tcp        0      0 fe80::7c7f:f8ff:fe60:983b:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::20c:43ff:fe26:6000:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 :::8880                 :::*                    LISTEN      2313/uhttpd
tcp        0      0 fe80::800c:43ff:fe26:6000:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::42:feff:fe47:3d86:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::42:c3ff:fe84:3045:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::f4e6:53ff:fe0c:572a:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::7c7f:f8ff:fe60:983a:53 :::*                    LISTEN      3868/dnsmasq
tcp        0      0 fe80::7c7f:f8ff:fe60:983a:53 :::*                    LISTEN      3868/dnsmasq
udp        0      0 fe80::f4e6:53ff:fe0c:572a:53 :::*                                3868/dnsmasq
udp        0      0 fe80::42:feff:fe47:3d86:53 :::*                                3868/dnsmasq
udp        0      0 fe80::42:c3ff:fe84:3045:53 :::*                                3868/dnsmasq
udp        0      0 fe80::7c7f:f8ff:fe60:983a:53 :::*                                3868/dnsmasq
udp        0      0 fe80::7c7f:f8ff:fe60:983a:53 :::*                                3868/dnsmasq
udp        0      0 fe80::7c7f:f8ff:fe60:983b:53 :::*                                3868/dnsmasq
udp        0      0 fe80::800c:43ff:fe26:6000:53 :::*                                3868/dnsmasq
udp        0      0 fe80::20c:43ff:fe26:6000:53 :::*                                3868/dnsmasq
[]
Error: No such object: hello
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "br-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic"
                iifname { "myzone", "br-bfb7103a6c31" } jump input_myzone comment "!fw4: Handle myzone IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "br-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic"
                iifname { "myzone", "br-bfb7103a6c31" } jump forward_myzone comment "!fw4: Handle myzone IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "br-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "docker0" jump output_docker comment "!fw4: Handle docker IPv4/IPv6 output traffic"
                oifname { "myzone", "br-bfb7103a6c31" } jump output_myzone comment "!fw4: Handle myzone IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "docker0" jump helper_docker comment "!fw4: Handle docker IPv4/IPv6 helper assignment"
                iifname { "myzone", "br-bfb7103a6c31" } jump helper_myzone comment "!fw4: Handle myzone IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 1002 bytes 74241 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 1850 bytes 594968 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 7 bytes 4032 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 335 bytes 20784 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 166 bytes 11288 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "br-wan" ct state invalid counter packets 113 bytes 4520 drop comment "!fw4: Prevent NAT leakage"
                oifname "br-wan" counter packets 4662 bytes 677933 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "br-wan" counter packets 4304 bytes 1438405 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "br-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_docker {
                jump accept_from_docker
        }

        chain output_docker {
                jump accept_to_docker
        }

        chain forward_docker {
                jump accept_to_docker
        }

        chain helper_docker {
        }

        chain accept_from_docker {
                iifname "docker0" counter packets 0 bytes 0 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }

        chain accept_to_docker {
                oifname "docker0" counter packets 12 bytes 1312 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }

        chain input_myzone {
                jump reject_from_myzone
        }

        chain output_myzone {
                jump accept_to_myzone
        }

        chain forward_myzone {
                jump accept_to_wan comment "!fw4: Accept myzone to wan forwarding"
                jump reject_to_myzone
        }

        chain helper_myzone {
        }

        chain accept_to_myzone {
                oifname { "myzone", "br-bfb7103a6c31" } counter packets 14 bytes 1452 accept comment "!fw4: accept myzone IPv4/IPv6 traffic"
        }

        chain reject_from_myzone {
                iifname { "myzone", "br-bfb7103a6c31" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject myzone IPv4/IPv6 traffic"
        }

        chain reject_to_myzone {
                oifname { "myzone", "br-bfb7103a6c31" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject myzone IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "br-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "br-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "br-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}

You can either move the docker interface into the lan firewall zone or add a forwarding from firewall zone lan to docker. :slight_smile:

Your first idea is what I would like to do; could you please tell me how to do that? I'm not familiar with this configuration.

Try this one:

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@zone[2]="docker"
uci del firewall.docker.network
uci del firewall.lan.network
uci add_list firewall.lan.network='docker'
uci add_list firewall.lan.network='lan'
uci del firewall.docker
uci commit firewall
service firewall restart
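As an added example, not code from the thread or from OpenWrt's own tooling, the script below reads a `uci export firewall` dump and checks the condition behind both suggestions above: the docker network listed in the lan zone, or a lan-to-docker forwarding; when neither holds it prints the uci commands for the forwarding option instead of running anything. The sample exports, the DOCKER_NET variable and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: given a `uci export firewall`
# dump on stdin, decide whether fw4 will let LAN hosts reach the network
# that carries the docker bridge ('docker' in the thread). fw4 allows the
# lan -> docker forward when that network is listed in the 'lan' zone or
# when a 'config forwarding' goes from lan to the zone holding it; else the
# forward chain falls through to handle_reject (the "connection refused").
# The sample configs, DOCKER_NET and the function names are constructed here.

DOCKER_NET=${DOCKER_NET:-docker}

# check_docker_reachability < export  -> prints a verdict; exit 0 = reachable.
# On failure it also prints the uci commands that would add the forwarding
# (the thread's second option), without running anything.
check_docker_reachability() {
    awk -v net="$DOCKER_NET" -v q="'" '
    function unq(s) {                     # strip the single quotes uci export adds
        if (substr(s, 1, 1) == q) s = substr(s, 2)
        if (substr(s, length(s)) == q) s = substr(s, 1, length(s) - 1)
        return s
    }
    function flush(   i) {                # close the section being parsed
        if (sect == "zone") {
            if (zname == "") zname = zid  # anonymous zone: fall back to section id
            for (i = 1; i <= nz; i++) if (znets[i] == net) holder = zname
        } else if (sect == "forwarding" && fsrc != "" && fdst != "") {
            fwd[fsrc "->" fdst] = 1
        }
        sect = ""; zid = ""; zname = ""; nz = 0; fsrc = ""; fdst = ""
    }
    $1 == "config" { flush(); sect = $2; zid = (NF >= 3) ? unq($3) : ""; next }
    sect == "zone" && $1 == "option" && $2 == "name"    { zname = unq($3); next }
    sect == "zone" && $1 == "list"   && $2 == "network" { znets[++nz] = unq($3); next }
    sect == "forwarding" && $1 == "option" && $2 == "src"  { fsrc = unq($3); next }
    sect == "forwarding" && $1 == "option" && $2 == "dest" { fdst = unq($3); next }
    END {
        flush()
        if (holder == "")    { print "FAIL: " net " is in no firewall zone"; exit 1 }
        if (holder == "lan") { print "OK: " net " is covered by the lan zone"; exit 0 }
        if (("lan->" holder) in fwd) { print "OK: forwarding lan -> " holder " exists"; exit 0 }
        print "FAIL: " net " is in zone " holder " and no lan -> " holder " forwarding exists"
        print "# suggested fix, to review before running it on the router:"
        print "uci add firewall forwarding"
        print "uci set firewall.@forwarding[-1].src=lan"
        print "uci set firewall.@forwarding[-1].dest=" holder
        print "uci commit firewall && service firewall restart"
        exit 1
    }'
}

# Constructed sample 1: the shape of the first export in the thread, docker in
# its own zone and only a lan -> wan forwarding.
sample_before() {
cat <<'EOF'
package firewall
config zone
        option name 'lan'
        list network 'lan'

config zone 'docker'
        option name 'docker'
        list network 'docker'

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
}

# Constructed sample 2: after the uci commands above, docker moved into lan.
sample_after() {
cat <<'EOF'
config zone
        option name 'lan'
        list network 'docker'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
}

# Constructed sample 3: the alternative, docker zone kept plus a lan -> docker forwarding.
sample_forwarded() {
sample_before
cat <<'EOF'

config forwarding
        option src 'lan'
        option dest 'docker'
EOF
}

for s in sample_before sample_after sample_forwarded; do
    echo "== $s =="; "$s" | check_docker_reachability || true
done
```

Feed it a real dump with `uci export firewall | sh check.sh`-style piping only after replacing the demo loop; the awk parser only reads the zone and forwarding sections, so unrelated rules are ignored.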

I still can access my container through curl http://IP_OF_LAN via my laptop; do I need to add a route or something like that?

Can or can't? I suppose can't.
The docker subnet must be already in the routing table. ip -4 ro
As long as the lan hosts use OpenWrt as the gateway, routing is not the issue.
What is now the output of nft list ruleset ?

Sorry, I still can't access my container :wink:

The route is present on the host, and here are the nft rules:

root@fwap:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "br-lan", "docker0" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "br-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname { "myzone", "br-bfb7103a6c31" } jump input_myzone comment "!fw4: Handle myzone IPv4/IPv6 input traffic"
                iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "br-lan", "docker0" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "br-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname { "myzone", "br-bfb7103a6c31" } jump forward_myzone comment "!fw4: Handle myzone IPv4/IPv6 forward traffic"
                iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "br-lan", "docker0" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "br-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname { "myzone", "br-bfb7103a6c31" } jump output_myzone comment "!fw4: Handle myzone IPv4/IPv6 output traffic"
                oifname "docker0" jump output_docker comment "!fw4: Handle docker IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "br-lan", "docker0" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname { "myzone", "br-bfb7103a6c31" } jump helper_myzone comment "!fw4: Handle myzone IPv4/IPv6 helper assignment"
                iifname "docker0" jump helper_docker comment "!fw4: Handle docker IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "br-lan", "docker0" } counter packets 1207 bytes 95927 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "br-lan", "docker0" } counter packets 2517 bytes 914804 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 33 bytes 19008 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 294 bytes 19440 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 314 bytes 21352 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "br-wan" ct state invalid counter packets 657 bytes 38496 drop comment "!fw4: Prevent NAT leakage"
                oifname "br-wan" counter packets 5941 bytes 647158 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "br-wan" counter packets 900 bytes 126639 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "br-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_myzone {
                jump reject_from_myzone
        }

        chain output_myzone {
                jump accept_to_myzone
        }

        chain forward_myzone {
                jump accept_to_wan comment "!fw4: Accept myzone to wan forwarding"
                jump reject_to_myzone
        }

        chain helper_myzone {
        }

        chain accept_to_myzone {
                oifname { "myzone", "br-bfb7103a6c31" } counter packets 8 bytes 788 accept comment "!fw4: accept myzone IPv4/IPv6 traffic"
        }

        chain reject_from_myzone {
                iifname { "myzone", "br-bfb7103a6c31" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject myzone IPv4/IPv6 traffic"
        }

        chain reject_to_myzone {
                oifname { "myzone", "br-bfb7103a6c31" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject myzone IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "br-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "br-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "br-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain input_docker {
                jump accept_from_docker
        }

        chain output_docker {
                jump accept_to_docker
        }

        chain forward_docker {
                jump accept_to_docker
        }

        chain helper_docker {
        }

        chain accept_from_docker {
                iifname "docker0" counter packets 0 bytes 0 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }

        chain accept_to_docker {
                oifname "docker0" counter packets 0 bytes 0 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }
}

Hello, sorry, I replied but it has not been saved.
I finally succeeded in making the modification and it worked correctly after a reboot :wink:

Thank you very much for your help.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

I have one more question please. I need to have internet access in my container. I'd configured some firewall rules before the modifications and it worked. Now it's not working anymore; how can I solve that?

I checked on the forum; there are multiple topics on that but I did not find how to solve it.
Thanks

Did you try a port forward to the IP of the container and it didn't work?

So simple :wink: I tried to solve this issue by modifying zone configuration but yes it works...
Thanks :wink:
