$ php -r "new mysqli('mysql_db','root', 'pass','database');"
PHP Warning: mysqli::__construct(): (HY000/2002): Connection refused in Command line code on line 1
root@OpenWrt:~# cat /etc/sysctl.d/12-br-netfilter-ip.conf
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
# enable bridge firewalling for docker
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
These parameters determine whether packets crossing a bridge are sent to iptables for processing. What this could break is (at least to my understanding):
When you have two docker containers in different docker networks and you want them to communicate between each other you could set up iptables rules for that. For this to work you would need:
net.bridge.bridge-nf-call-iptables=1
But other than that with net.bridge.bridge-nf-call-iptables disabled you can still have:
2 or more docker containers on the same network communicating with each other
This should not expose any ports to the internet. What’s the output of:
root@OpenWrt:~# cat /etc/config/dockerd
# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
# log_driver
# bip
# blocked_interfaces
# extra_iptables_args
# device
config globals 'globals'
# option alt_config_file '/etc/docker/daemon.json'
option data_root '/opt/docker/'
# option log_driver 'local'
option log_level 'warn'
option iptables '1'
# list hosts 'unix:///var/run/docker.sock'
# option bip '172.18.0.1/24'
# option fixed_cidr '172.17.0.0/16'
# option fixed_cidr_v6 'fc00:1::/80'
# option ipv6 '1'
# option ip '::ffff:0.0.0.0'
# list dns '172.17.0.1'
# list registry_mirrors 'https://<my-docker-mirror-host>'
# list registry_mirrors 'https://hub.docker.com'
# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
# naively translates iptables rules. For the best compatibility replace the following dependencies:
# `firewall4` -> `firewall`
# `iptables-nft` -> `iptables-legacy`
# `ip6tables-nft` -> `ip6tables-legacy`
# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
# See https://docs.docker.com/network/iptables/ for more details.
# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'
# option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
You are on version 22.03 so you probably are using firewall4 with nftables.
You could verify by running: fw4 check
Your config looks good to me. Maybe someone else will spot any issues. So, is your service still accessible through your public ip?
Have you tried restarting your firewall + docker or rebooting your router?
The only thing I noticed is your current version. You are still on 22.03.0 and the latest stable version is 22.03.02. I would advise you to update to the latest stable version and try again. Maybe there was a bug.
Also, docker natively runs on iptables, so I think there were some issues in the past with firewall4, nftables and docker. I don’t know what the current status of using docker with nftables is (I’m using a fw3 build with iptables).
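As an added example (not posted by anyone in this thread, and not an OpenWrt or Docker tool): a POSIX shell check that parses the two files shown above, the bridge-netfilter sysctl file and the UCI-style /etc/config/dockerd, and reports whether Docker is managing iptables with the wan interface listed in blocked_interfaces. The sample file contents are constructed to match the thread; on a router you would pass `$(cat /etc/sysctl.d/12-br-netfilter-ip.conf)` and `$(cat /etc/config/dockerd)` instead.

```shell
#!/bin/sh
# Constructed sample inputs, matching the files quoted in the thread.
SYSCTL_SAMPLE='net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1'
DOCKERD_SAMPLE="config globals 'globals'
    option iptables '1'
config firewall 'firewall'
    option device 'docker0'
    list blocked_interfaces 'wan'"

# sysctl_value CONTENT KEY -> prints the numeric value of KEY (empty if unset)
sysctl_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([0-9]*\).*/\1/p" | tail -n 1
}

# uci_value CONTENT SECTION KEYWORD NAME -> prints every value of the
# "option NAME" or "list NAME" lines inside "config SECTION ...".
# Comment lines are ignored; single-word values only (enough for these keys).
uci_value() {
    printf '%s\n' "$1" | awk -v sec="$2" -v kw="$3" -v name="$4" -v q="'" '
        /^[[:space:]]*#/ { next }
        $1 == "config"   { insec = ($2 == sec); next }
        insec && $1 == kw && $2 == name { v = $3; gsub(q, "", v); print v }'
}

# docker_exposure_report SYSCTL_CONTENT DOCKERD_CONTENT
# Prints one finding per line. Returns 0 when Docker's own iptables rules
# are told to ignore wan, 1 when published ports may be reachable from wan.
docker_exposure_report() {
    sysctl="$1"; dockerd="$2"; rc=0
    if [ "$(sysctl_value "$sysctl" net.bridge.bridge-nf-call-iptables)" = "1" ]; then
        echo "bridge-nf-call-iptables=1: bridged container traffic is passed to iptables"
    else
        echo "bridge-nf-call-iptables unset or 0: bridged traffic bypasses iptables"
    fi
    if [ "$(uci_value "$dockerd" globals option iptables)" = "1" ]; then
        echo "dockerd iptables=1: Docker inserts its own rules for published ports"
        if uci_value "$dockerd" firewall list blocked_interfaces | grep -qx wan; then
            echo "wan is in blocked_interfaces: Docker rules should drop traffic from wan"
        else
            echo "wan NOT in blocked_interfaces: published ports may be open to wan"; rc=1
        fi
    fi
    return $rc
}

docker_exposure_report "$SYSCTL_SAMPLE" "$DOCKERD_SAMPLE"
```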