
Outgoing Forward missing

TheFox opened this issue (1 comment)

Hello,

thank you for providing such a script. This is really nice.

There is one rule I miss. When I want to ping from inside the Docker container, for example, ping 8.8.8.8, I'm getting blocked:

NFTABLES IPv4 FORWARD DROP - IN=docker0 OUT=eno1 PHYSIN=veth1504c43 SRC=172.17.0.4 DST=8.8.8.8 ...

I'm logging the drops with another nftables hook and include yours into my main script at the beginning using include "/etc/nftables_docker.nft".

I wanted to add

iif docker0 oif eno1 accept

at the end of your forward hook, but this doesn't seem to work.

TheFox, Jul 23 '19 15:07

Hi TheFox,

better late than never. I was dealing with docker (disabled iptables) and nftables for a long time now, without access to the world from my container.

To make it short, I added/inserted the same forward rule as you at line 10 (for me, eth0 as oif). Two days ago I found out that the following command finally enables what you put in the conf.

nft -f /etc/nftables.conf

After this your ping tests are successful.

SiliconAlley, Sep 07 '20 20:09
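For reference, here is an added example (not the project's own script and not code from either poster) of a minimal forward policy that covers what both posts describe: the docker0-to-uplink accept rule TheFox wanted, the return path for the replies, and a log rule with the same prefix style as the DROP line quoted above. It assumes the bridge is docker0, the uplink is eno1, the Docker bridge subnet is 172.17.0.0/16, and that Docker's own iptables management is disabled (as in SiliconAlley's setup), so the NAT for container traffic must be provided here as well.

```nft
# Added example, not from docker-nftables-scripts. Assumed names: docker0,
# eno1, 172.17.0.0/16. Editing the file alone changes nothing; the ruleset
# only becomes active after `nft -f /etc/nftables.conf`, and
# `nft list ruleset` shows what the kernel is really enforcing.
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the containers opened (ping echo replies,
        # DNS answers, TCP return traffic) come back through here.
        ct state established,related accept
        ct state invalid drop

        # Outbound from the Docker bridge to the uplink. Match by name:
        # "iif"/"oif" resolve to an interface index when the ruleset is
        # loaded, so the load fails if docker0 does not exist yet;
        # "iifname"/"oifname" compare the name per packet instead.
        iifname "docker0" oifname "eno1" accept

        # Anything not accepted above is logged, then dropped by the
        # chain policy; the prefix matches the thread's DROP line.
        log prefix "NFTABLES IPv4 FORWARD DROP - " level warn
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Containers use private addresses; with Docker's iptables
        # handling disabled nothing else masquerades them on the uplink.
        ip saddr 172.17.0.0/16 oifname "eno1" masquerade
    }
}
```

Inbound traffic to published container ports is out of scope here and would need its own forward and dnat rules.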