nftables [2019/07/13 21:09] ww created |
nftables [2022/03/16 09:38] (current) |
| Line 1: | Line 1: | ||
| ====== nftables ====== | ====== nftables ====== | ||
| + | |||
| + | ===== Otestuj si pravidla, než se ustřelíš... ===== | ||
| + | |||
| + | <code bash>sh -c 'nft -f / | ||
| + | |||
| + | ===== Další poznámky ===== | ||
| + | |||
| + | * Pro NAT je potřeba vytvořit chain '' | ||
| + | |||
| + | ===== The Pravidla ===== | ||
| < | < | ||
| Line 83: | Line 93: | ||
| jump global | jump global | ||
| + | | ||
| + | # loopback | ||
| + | oif lo accept | ||
| tcp dport $port_dns accept | tcp dport $port_dns accept | ||
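Review bot: The new loopback rule `oif lo accept` is inserted after the existing `jump global`, so every packet leaving on lo is first evaluated by the global chain before the accept applies. If global contains any drop or reject rules (its body is not visible in this hunk), services bound to 127.0.0.1 or ::1 could be cut off, which is exactly the self-lockout the page's "Otestuj si pravidla" section warns about. Moving `oif lo accept` above `jump global` keeps the loopback exemption unconditional and makes the intent of the `# loopback` comment match its position. The surrounding chain definition starts before this hunk, so the chain's hook and policy cannot be confirmed from here.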
| Line 107: | Line 120: | ||
| </ | </ | ||
| + | ---- | ||
| + | |||
| + | ===== The NAT ===== | ||
| + | |||
| + | < | ||
| + | table ip nat { | ||
| + | chain prerouting { | ||
| + | type nat hook prerouting priority 0; | ||
| + | policy accept; | ||
| + | | ||
| + | iif " | ||
| + | } | ||
| + | } | ||
| + | </ | ||
| + | |||
| + | ===== Docker smrdí ===== | ||
| + | |||
| + | ==== Komunikace host <-> container ==== | ||
| + | - Smazat ''/ | ||
| + | - Udělat si override pro síť dockeru, aby se daly ručně specifikovat pravidla na vyžádané IP adresy: | ||
| + | '' | ||
| + | <code json>{ | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | }</ | ||
| + | |||
| + | - Přidat do nftables: | ||
| + | < | ||
| + | table inet filter { | ||
| + | chain output { | ||
| + | # Docker | ||
| + | oifname " | ||
| + | } | ||
| + | } | ||
| + | </ | ||