Created
February 25, 2016 14:26
-
-
Save dearing/9388218f3c6ef6e48114 to your computer and use it in GitHub Desktop.
nftables with docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/systemd/system/docker.service.d/docker-nftables.conf | |
| # disable iptables in docker, allowing nftables to do work | |
| [Service] | |
| ExecStart= | |
| ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/nft -f | |
| # /etc/nftables.conf | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; | |
| # allow established/related connections | |
| ct state {established, related} counter accept | |
| # early drop of invalid connections | |
| ct state invalid counter drop | |
| # allow from loopback | |
| iifname lo counter accept | |
| # allow icmp | |
| ip protocol icmp counter accept | |
| ip6 nexthdr icmpv6 counter accept | |
| # allow ssh | |
| # tcp dport ssh counter accept | |
| # everything else | |
| counter reject with icmp type port-unreachable | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; | |
| # drop | |
| } | |
| chain output { | |
| type filter hook output priority 0; | |
| } | |
| } | |
| table ip nat { | |
| chain prerouting { | |
| type nat hook prerouting priority 0; | |
| } | |
| chain postrouting { | |
| type nat hook postrouting priority 0; | |
| oifname "eno1" counter masquerade | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| cat > /etc/systemd/network/ipforward.network <<EOF | |
| [Network] | |
| IPForward=ipv4 | |
| EOF | |
| cat > /etc/systemd/network/99-docker.conf <<EOF | |
| net.ipv4.ip_forward = 1 | |
| EOF | |
| sysctl -w net.ipv4.ip_forward=1 |
Also should use /etc/docker/daemon.json, settings {"iptables": false}, rather than using a custom systemd config file (or service).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Change
ExecStart=on the second line toExecStart=/usr/bin/dockerd -H fd:// --iptables=falseand it should work.