WereDoku

User Tools

Site Tools

Trace: nftables
nftables

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
nftables [2019/07/13 21:19]
ww 		nftables [2022/03/16 09:38] (current)
Line 93: Line 93:
  
     jump global     jump global
 +    
 +    # loopback
 +    oif lo accept
  
     tcp dport $port_dns accept     tcp dport $port_dns accept
Line 117: Line 120:
 </code> </code>
  
 +----
  
 +===== The NAT =====
 +
 +<code>
 +table ip nat {
 +  chain prerouting {
 +    type nat hook prerouting priority 0;
 +    policy accept;
 +    
 +    iif "tun0" tcp dport 12345 dnat to 192.168.1.10:3389
 +  }
 +}
 +</code>
 +
 +===== Docker smrdí =====
 +
 +==== Komunikace host <-> container ====
 +  - Smazat ''/sbin/iptables'', jinak bude docker hrabat do firewallu. [info z 28. března 2020]
 +  - Udělat si override pro síť dockeru, aby se daly ručně specifikovat pravidla na vyžádané IP adresy:
 +  ''nano /etc/docker/daemon.json''
 +<code json>{
 +  "iptables": false, <-- "nehrabej do firewallu" / "tak určitěěě"
 +  "ipv6": true,
 +  "bip": "172.19.0.1/24", <-- "IP adresa hosta, na iface docker0"
 +  "fixed-cidr": "172.19.0.0/24", <-- "IPv4 rozsah pro containery"
 +  "fixed-cidr-v6": "2a02:8304:29:d00d:d00d::/80" <-- "IPv6 rozsah pro containery - ukrojeno z alokovaného /64"
 +}</code>
 +
 +  - Přidat do nftables:
 +<code>
 +table inet filter {
 +  chain output {
 +    # Docker
 +    oifname "docker*" accept
 +  }
 +}
 +</code>
nftables.1563045564.txt.gz · Last modified: 2022/03/16 09:38 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki