Давно уже не использую iptables и вырубил его использование у докера вообще, только мешается.Вот все достаточно просто:
root@localhost:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} accept comment "established, related"
iif lo accept comment "accept loopback"
ip saddr 192.168.0.0/16 accept comment "accept private networks"
ip saddr 172.16.0.0/12 accept comment "accept private networks"
ip saddr 10.0.0.0/8 accept comment "accept private networks"
ip protocol icmp accept comment "accept all ICMP types"
#log prefix "Dropped: " flags all drop comment "dropped packets logger"
#log prefix "Rejected: " flags all reject comment "rejected packets logger"
counter comment "count dropped packets"
}
chain forward {
type filter hook forward priority 0; policy accept;
counter jump docker-user
counter jump docker-isolation-stage-1
oifname "docker0" ct state related,established counter accept
oifname "docker0" counter jump docker
iifname "docker0" oifname != "docker0" counter accept
iifname "docker0" oifname "docker0" counter accept
}
chain output {
type filter hook output priority 0; policy accept;
}
chain docker {
}
chain docker-isolation-stage-1 {
iifname "docker0" oifname != "docker0" counter jump docker-isolation-stage-2
counter return
}
chain docker-isolation-stage-2 {
oifname "docker0" counter drop
counter return
}
chain docker-user {
counter return
}
}
table ip nat {
chain prerouting { type nat hook prerouting priority -100; policy accept;
fib daddr type local counter jump docker
}
chain input { type nat hook input priority 100; policy accept; }
chain output { type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter jump docker
}
chain postrouting { type nat hook postrouting priority 100; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
}
chain docker{
iifname "docker0" counter return
}
}