I'm trying to set up my box to route internet from end0 (192.168.1.6) to the internet on usb0 (DHCP). I'm running DNS & DHCP via Docker AdGuard, but assume that's not working for now, because once the nftables rules are applied I cannot access their web interfaces. For now, ping with an IP is okay.
With my current setup I can ping the internet from the ‘router’ via the interface usb0. But I cannot ping from the interface end0.
default via 192.168.102.208 dev usb0
default via 192.168.102.208 dev usb0 proto dhcp src 192.168.102.114 metric 1024
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown <- docker?
172.18.0.0/16 dev br-cc00a7d88795 proto kernel scope link src 172.18.0.1 <- docker?
192.168.1.0/24 dev end0 proto kernel scope link src 192.168.1.6
192.168.102.0/24 dev usb0 proto kernel scope link src 192.168.102.114 metric 1024
192.168.102.208 dev usb0 proto dhcp scope link src 192.168.102.114 metric 1024
OK, it's mostly working... I can access the internet from other devices on the network.
I still can't ping from the router using ping 8.8.8.8 -I end0 ← should this be the expected behaviour?
The next problem I have is how to make these rules persistent and still have Docker work? When I restart, all the Docker rules are back and the internet doesn't work.
Then there is also this note Packet filtering and firewalls | Docker Docs
So I've tried adding in an extra rule for DOCKER-USER; however, when rebooting it's still not allowing the routing to work:
This is just a duplicate rule with a random chain name, and it will only ever use one. But it’s not even using your Docker network.
Docker installs by default bridge-utils, and uses iptables. But it does install rules to accommodate other types of networks: host, bridge, nat, etc.
It is possible to use both iptables and nftables, but there are a few things that you have to do to make it all work. So I would probably put it all into nftables.
I do not have the time to fully set it up myself to test, but this may help you… After a Manjaro vanilla Docker install in a VM:
# Note: "iptables.rules" is a temporary file
$ sudo iptables-save > iptables.rules
$ iptables-restore-translate -f iptables.rules
# Translated by iptables-restore-translate v1.8.10 on Sun Nov 24 10:44:24 2024
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat DOCKER
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
add rule ip nat DOCKER iifname "docker0" counter return
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter DOCKER
add chain ip filter DOCKER-ISOLATION-STAGE-1
add chain ip filter DOCKER-ISOLATION-STAGE-2
add chain ip filter DOCKER-USER
add rule ip filter FORWARD counter jump DOCKER-USER
add rule ip filter FORWARD counter jump DOCKER-ISOLATION-STAGE-1
add rule ip filter FORWARD oifname "docker0" ct state related,established counter accept
add rule ip filter FORWARD oifname "docker0" counter jump DOCKER
add rule ip filter FORWARD iifname "docker0" oifname != "docker0" counter accept
add rule ip filter FORWARD iifname "docker0" oifname "docker0" counter accept
add rule ip filter DOCKER-ISOLATION-STAGE-1 iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
add rule ip filter DOCKER-ISOLATION-STAGE-1 counter return
add rule ip filter DOCKER-ISOLATION-STAGE-2 oifname "docker0" counter drop
add rule ip filter DOCKER-ISOLATION-STAGE-2 counter return
add rule ip filter DOCKER-USER counter return
# Completed on Sun Nov 24 10:44:24 2024
These are all the rules converted to nft format displayed in stdout. So you could add these rules to your existing rule set.
But I noticed you were trying to use the interface br-cc00a7d88795, so this probably won’t work for you without substituting and/or adding rules. Where is that interface from? I assume the br- means bridge.
This is me just installing Docker in a VM, so no WiFi stick or rules related to that, but they can all work together.
As you can see it installed docker0 as a bridged interface in mine:
$ nmcli conn
NAME UUID TYPE DEVICE
Wired connection 1 57bfee8f-4821-3c70-99f8-871796a89eb2 ethernet enp11s0
lo f29f84bc-9d59-41a5-82a7-fc685fa35133 loopback lo
docker0 eaac8cee-72dd-417f-a451-b5a4c7e279a5 bridge docker0
$ brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242b9c60ef4 no
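As an added example (not from either poster), here is how the router's NAT could be laid out in nftables next to the Docker chains shown above, so that a Docker restart does not remove it. The interface names end0/usb0 and the 192.168.1.0/24 LAN come from the thread; the table name, the drop-from-uplink rule and the unit-ordering assumption are mine.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. No "flush ruleset" here on purpose:
# that would also wipe the "ip nat" and "ip filter" tables Docker creates.

define lan_if  = "end0"
define wan_if  = "usb0"
define lan_net = 192.168.1.0/24

# The router's own table. It is separate from Docker's "ip nat" table, so
# Docker re-creating its chains at startup leaves these rules alone.
table ip router {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the LAN behind whatever address usb0 got from DHCP
        ip saddr $lan_net oifname $wan_if counter masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Defensive default that holds even when Docker (and its FORWARD
        # drop policy) is not running: replies may come back in from the
        # uplink, but nothing new is forwarded from the uplink into the LAN
        # or the Docker bridges (this also covers published container ports).
        ct state established,related accept
        iifname $wan_if counter drop
    }
}

# A packet is forwarded only if every forward-hook chain accepts it, and
# Docker's "ip filter FORWARD" has policy drop, so LAN -> uplink must also be
# accepted inside Docker's table. DOCKER-USER is the chain Docker leaves for
# that; "insert" places these ahead of the "counter return" Docker put there.
insert rule ip filter DOCKER-USER iifname $lan_if oifname $wan_if counter accept
insert rule ip filter DOCKER-USER iifname $wan_if oifname $lan_if ct state established,related counter accept
```

The two insert lines need table ip filter to exist already, so this assumes the file is applied after docker.service has started (for example from a unit ordered After=docker.service), not from a stock nftables.service that runs earlier. Check with `nft list chain ip filter DOCKER-USER` that the accept rules sit above the return.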