nftables not ready with docker

There is a firewall called nftables that is meant to replace iptables, and Debian buster (10) uses nftables by default. With that in mind I had been studying how to write nftables configuration files, but it turns out that using Docker together with nftables is difficult: Docker's libcontainer depends heavily on iptables. For now it may still be wise to use iptables.

Docker and firewall configuration

$ sudo /sbin/iptables -t nat -vL

(some columns are not shown)

Chain PREROUTING (policy ACCEPT)
target     prot in         out      source        destination
DOCKER     all  any        any      anywhere      anywhere      ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot in         out      source        destination
MASQUERADE all  any        !docker0 172.17.0.0/16 anywhere
MASQUERADE tcp  any        any      172.17.0.2    172.17.0.2    tcp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot in         out      source        destination
DOCKER     all  in         out      anywhere      !127.0.0.0/8  ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target     prot in         out      source        destination
RETURN     all  docker0    any      anywhere      anywhere
DNAT       tcp  !docker0   any      anywhere      anywhere      tcp dpt:http to:172.17.0.2:80

Incoming to Docker

  1. (PREROUTING) All incoming packets to a LOCAL address (which is the server IP?) are redirected to the DOCKER chain.
  2. In the DOCKER chain, if the destination port is http (80), DNAT is applied and the packet is redirected to 172.17.0.2:80.

Outgoing from Docker

  1. (PREROUTING) Outgoing packets pass through untouched (the DOCKER chain RETURNs for packets arriving on docker0).
  2. (POSTROUTING) Outgoing packets with source 172.17.0.0/16 are IP-masqueraded.

Docker to Docker

  1. The IP routing table routes 172.17.0.0/16 to 0.0.0.0 (a directly connected route).
  2. This routing initiates the PREROUTING chain.

$ sudo /sbin/iptables -vL

Chain FORWARD (policy DROP)
target                   prot in      out      source    destination
DOCKER-USER              all  any     any      anywhere  anywhere
DOCKER-ISOLATION-STAGE-1 all  any     any      anywhere  anywhere
ACCEPT                   all  any     docker0  anywhere  anywhere ctstate RELATED,ESTABLISHED
DOCKER                   all  any     docker0  anywhere  anywhere
ACCEPT                   all  docker0 !docker0 anywhere  anywhere
ACCEPT                   all  docker0 docker0  anywhere  anywhere

Chain DOCKER (1 references)
target     prot  in       out      source     destination
ACCEPT     tcp   !docker0 docker0  anywhere   172.17.0.2    tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target                    prot opt in      out      source      destination
DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0 anywhere    anywhere
RETURN                    all  --  any     any      anywhere    anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt in     out     source               destination
DROP       all  --  any    docker0  anywhere             anywhere
RETURN     all  --  any    any      anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt in     out     source               destination
RETURN     all  --  any    any     anywhere             anywhere
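To make the traversal described above concrete, here is an added shell script (my own example, not code from the post or from Docker) that parses an `iptables -t nat -vL` listing like the one shown, lists each port the DOCKER chain DNATs into a container, and emits DOCKER-USER rules that limit those ports to an allowed source network. The sample listing, the interface name eth0 and the network 192.168.1.0/24 are constructed assumptions. DOCKER-USER is the chain Docker leaves for administrator rules; it is the first rule in the FORWARD chain listing above, so it is consulted before Docker's own ACCEPT rules. Because FORWARD is evaluated after PREROUTING's DNAT, the generated rules match on the container address and port taken from the `to:` field rather than on the host-side port.

```shell
#!/bin/sh
# Added example: audit the ports Docker publishes via DNAT and emit matching
# DOCKER-USER restrictions. Not part of the original post or of Docker itself.

# Constructed sample, modelled on the `iptables -t nat -vL` listing in the post
# (the post's DOCKER chain has one DNAT rule; a second one is added for illustration).
SAMPLE_NAT_LISTING=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot in         out      source        destination
DOCKER     all  any        any      anywhere      anywhere      ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target     prot in         out      source        destination
RETURN     all  docker0    any      anywhere      anywhere
DNAT       tcp  !docker0   any      anywhere      anywhere      tcp dpt:http to:172.17.0.2:80
DNAT       tcp  !docker0   any      anywhere      anywhere      tcp dpt:8443 to:172.17.0.3:443
EOF
)

# docker_published_ports: read an `iptables -t nat -vL` listing on stdin and print
# one line per DNAT rule in the DOCKER chain: "<proto> <host dport> <container ip:port>".
# Fields are located by their tokens (DNAT, dpt:, to:) rather than by column position,
# so the parser also accepts the pkts/bytes/opt columns that `-v` adds and the post omits.
docker_published_ports() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "DOCKER" {
            proto = ""; dport = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "DNAT")  proto = $(i + 1)
                if ($i ~ /^dpt:/)  dport = substr($i, 5)
                if ($i ~ /^to:/)   to = substr($i, 4)
            }
            if (proto != "" && to != "") print proto, dport, to
        }
    '
}

# docker_user_restrict_rules EXT_IF ALLOWED_CIDR: for every published port, print an
# iptables command that drops traffic arriving on EXT_IF from any other source.
# The rule goes into DOCKER-USER, which FORWARD consults before Docker's own
# ACCEPT rules. FORWARD runs after PREROUTING's DNAT, so the match uses the
# container address and port from the "to:" field, not the host-side port.
# Nothing is applied here; review the output and run it as root if it is right.
docker_user_restrict_rules() {
    ext_if=$1
    allowed=$2
    docker_published_ports | while read -r proto dport to; do
        container_ip=${to%:*}
        container_port=${to##*:}
        printf 'iptables -I DOCKER-USER -i %s -p %s -d %s --dport %s ! -s %s -j DROP\n' \
            "$ext_if" "$proto" "$container_ip" "$container_port" "$allowed"
    done
}

# Stand-alone demo on the constructed listing; on a real host pipe in
# `sudo iptables -t nat -vL` instead. eth0 and 192.168.1.0/24 are assumed values.
printf '%s\n' "$SAMPLE_NAT_LISTING" | docker_published_ports
printf '%s\n' "$SAMPLE_NAT_LISTING" | docker_user_restrict_rules eth0 192.168.1.0/24
```

Run the listing through `iptables -t nat -vnL` instead if you want numeric host ports (the sample keeps `http` because the post's listing was produced without `-n`). Replies from the container leave through docker0, so they never match `-i eth0` and the generated DROP rules only affect new inbound connections from outside the allowed network.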