- Docker inserts iptables rules when it's started by default
- buster uses nftables by default
- let's make Docker use nftables instead
- PROFIT
Install Docker CE and nftables:
$ sudo apt-get install nftables
$ sudo systemctl --now enable nftables
Manually (create/modify daemon.json before starting docker.service):
$ sudo systemctl start docker
$ sudo systemctl stop docker containerd
$ sudo iptables-save > iptables-docker.conf
$ sudo iptables-restore-translate -f iptable-docker.conf > docker.nft
$ sudo nft flush ruleset
$ sudo nft -f docker.nft
$ sudo nft -s list ruleset > /etc/nftables-docker.conf
tl;dr
$ curl -fsSLO https://gist.github.com/goll/bdd6b43c2023f82d15729e9b0067de60/raw/nftables-docker.sh
$ sudo bash -x nftables-docker.sh
For a persistent config just overwrite /etc/nftables.conf with /etc/nftables-docker.conf
If you prefer manual start/stop you can create an alias for example:
alias dock-on='sudo nft -f /etc/nftables-docker.conf && sudo systemctl start docker'
alias dock-off='sudo systemctl stop docker containerd && sudo nft -f /etc/nftables.conf && sudo ip l d docker0'
It is very strange, because Docker sets up its FORWARD chain's policy as "drop" (for a reason). But in your case it is accept for some reason.