kravietz · September 24, 2018 20:30
diff --git a/nftables-docker.conf b/nftables-docker.conf
 # Docker networking is messy and undocumented. Docker will create IP addresses and iptables at random times.
 # This can be limited by using totally static IP addresses for network interfaces and avoiding the default network bridge.

 # /etc/default/docker
 # DOCKER_OPTS="--iptables=false --ipv6 --bip 172.16.0.1/16 --fixed-cidr 172.16.0.0/16 --fixed-cidr-v6 2a01:9000::/68"
 # --bip is the host IP address of the docker0 interface
 # --fixed-cidr is the CIDR subnet allocated to the docker0 interface (default network bridge)
 # --fixed-cidr-v6 is the IPv6 CIDR allocated to docker0

 # for IPv6 split your /64 delegated subnet into /68 subnets and allocate them to each docker-compose.yml subnet:
 # docker-compose.yml
 # networks:
 #   web:
 #    driver: bridge
 #    enable_ipv6: true
 #    ipam:
 #      driver: default
 #      config:
 #      - subnet: "172.20.0.0/16"
 #      - subnet: "2a01:2000::/68"
 #  nginx:
 #    image: busybox
 #    networks:
 #      web:
 #        ipv4_address: "172.20.0.60"
 #        ipv6_address: "2a01:2000::60"

 table ip filter {
  chain input {
    iifname "br*" accept
    iifname docker0 accept
  }
  chain forward {
    iifname "br*" ip saddr 172.16.0.0/12 counter accept
    iifname "docker0" ip saddr 172.16.0.0/12 counter accept
    ct state established,related accept
    ip daddr 172.20.0.60 tcp dport https ct state new counter accept
  }
  chain nat {
    type nat hook postrouting priority 100; policy accept;
     oifname != "br*" ip saddr 172.16.0.0/12 counter masquerade
  }
  chain port_forwards {
    type nat hook prerouting priority -100; policy accept;
    iifname eth0 ip daddr {{ ansible_default_ipv4.address }} tcp dport https counter dnat 172.20.0.60
  }
 }

 table ip6 filter {
  chain forward {
     type filter hook forward priority 50; policy drop;

     iifname "docker0" counter accept
     iifname "br*" counter accept
     # for IPv6 we don't need any of the DNAT crap, just allow https directly to the routable IP inside docker
     ip6 daddr 2a01:2000::60 tcp dport https ct state new counter accept
 }
	# Docker networking is messy and undocumented. Docker will create IP addresses and iptables at random times.
	# This can be limited by using totally static IP addresses for network interfaces and avoiding the default network bridge.

	# /etc/default/docker
	# DOCKER_OPTS="--iptables=false --ipv6 --bip 172.16.0.1/16 --fixed-cidr 172.16.0.0/16 --fixed-cidr-v6 2a01:9000::/68"
	# --bip is the host IP address of the docker0 interface
	# --fixed-cidr is the CIDR subnet allocated to the docker0 interface (default network bridge)
	# --fixed-cidr-v6 is the IPv6 CIDR allocated to docker0

	# for IPv6 split your /64 delegated subnet into /68 subnets and allocate them to each docker-compose.yml subnet:
	# docker-compose.yml
	# networks:
	# web:
	# driver: bridge
	# enable_ipv6: true
	# ipam:
	# driver: default
	# config:
	# - subnet: "172.20.0.0/16"
	# - subnet: "2a01:2000::/68"
	# nginx:
	# image: busybox
	# networks:
	# web:
	# ipv4_address: "172.20.0.60"
	# ipv6_address: "2a01:2000::60"

	table ip filter {
	chain input {
	iifname "br*" accept
	iifname docker0 accept
	}
	chain forward {
	iifname "br*" ip saddr 172.16.0.0/12 counter accept
	iifname "docker0" ip saddr 172.16.0.0/12 counter accept
	ct state established,related accept
	ip daddr 172.20.0.60 tcp dport https ct state new counter accept
	}
	chain nat {
	type nat hook postrouting priority 100; policy accept;
	oifname != "br*" ip saddr 172.16.0.0/12 counter masquerade
	}
	chain port_forwards {
	type nat hook prerouting priority -100; policy accept;
	iifname eth0 ip daddr {{ ansible_default_ipv4.address }} tcp dport https counter dnat 172.20.0.60
	}
	}

	table ip6 filter {
	chain forward {
	type filter hook forward priority 50; policy drop;

	iifname "docker0" counter accept
	iifname "br*" counter accept
	# for IPv6 we don't need any of the DNAT crap, just allow https directly to the routable IP inside docker
	ip6 daddr 2a01:2000::60 tcp dport https ct state new counter accept
	}