Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
nftables with docker
# /etc/systemd/system/docker.service.d/docker-nftables.conf
# disable iptables in docker, allowing nftables to do work
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
#!/usr/bin/nft -f
# /etc/nftables.conf
table inet filter {
chain input {
type filter hook input priority 0;
# allow established/related connections
ct state {established, related} counter accept
# early drop of invalid connections
ct state invalid counter drop
# allow from loopback
iifname lo counter accept
# allow icmp
ip protocol icmp counter accept
ip6 nexthdr icmpv6 counter accept
# allow ssh
# tcp dport ssh counter accept
# everything else
counter reject with icmp type port-unreachable
chain forward {
type filter hook forward priority 0;
# drop
chain output {
type filter hook output priority 0;
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
chain postrouting {
type nat hook postrouting priority 0;
oifname "eno1" counter masquerade
cat > /etc/systemd/network/ <<EOF
cat > /etc/systemd/network/99-docker.conf <<EOF
net.ipv4.ip_forward = 1
sysctl -w net.ipv4.ip_forward=1

This comment has been minimized.

Copy link

commented Aug 10, 2017

For Ubuntu Xenial, /etc/systemd/system/docker.service.d/docker-nftables.conf needs to look like this

ExecStart=/usr/bin/dockerd -H fd:// --iptables=false

dockerd is supported on Ubuntu, not docker daemon.


This comment has been minimized.

Copy link

commented Jul 21, 2018

Hey I couldn't get this script to work properly so I wrote my own..

I made a direct port of the default chains the docker installs in iptables.


This comment has been minimized.

Copy link

commented Oct 31, 2018

@oniGino it would help to know why it didn't work? Was it the rules or something else?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.