I recently decided to switch from using `iptables` to `nftables` for managing my Docker firewall rules. However, I'm running into some confusion about how traffic still reaches my container without active `iptables` rules. Here's what I've set up: I disabled both `ipv4` and `ipv6` management through `iptables` by Docker, prevented the creation of the default `docker0` interface, and created a custom interface called `docker_if`. I also established `dnat` rules to reroute incoming traffic to my Grafana container that's exposed on port 1236. Despite these efforts, I've noticed that connections can still be established even after removing those `dnat` rules. I'm puzzled about how packets get translated to the corresponding address and port set in my `docker-compose.yml` if `iptables` is disabled. Also, why don't I see any packets destined for port 3000 when running `nft monitor trace`?
2 Answers
When `iptables` management is disabled, Docker relies on a process called `docker-proxy` running on the host to forward traffic to the containers. This process creates new connections as necessary. For instance, if there’s traffic directed to your host’s IPv6 address while the container only supports IPv4, `docker-proxy` captures that traffic and redirects it to the appropriate container IP and port, which is why you're still seeing connections succeed.
Packets typically reach the container via the PREROUTING chain in the NAT table, which you might have overlooked. It's common for `iptables` to alias commands into `nftables`, so it's worth double-checking your settings there. If your tables are empty, ensure you didn't miss setting up both the prerouting and postrouting chains. In many Linux distributions, iptables can still be operating as a frontend for `nftables`, so I'd recommend checking your distro's documentation regarding this to clear up confusion.
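The ruleset below is an added example, not code from the question or either answer, showing what the prerouting/postrouting pair the answer refers to looks like in native nftables syntax and how to make `nft monitor trace` actually report the packets. It assumes Docker was started with `--iptables=false --ip6tables=false --bridge=none`, that the custom bridge is `docker_if` on `172.18.0.0/24`, that the Grafana container sits at `172.18.0.2:3000`, that the host's external interface is `eth0`, and that port `1236` is the published host port; all of those names and addresses are assumptions for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the question or answers). Assumed values:
#   external interface eth0, bridge docker_if (172.18.0.0/24),
#   Grafana container 172.18.0.2 listening on 3000, host port 1236.
# Load with:  nft -f /etc/nftables.d/docker.nft
# Inspect with: nft list ruleset

table ip docker_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Tag the interesting packets so "nft monitor trace" prints them.
        # Without a rule that sets nftrace, the trace output stays empty
        # even though the packets traverse the hooks.
        tcp dport 1236 meta nftrace set 1
        # In-kernel DNAT: the connection is rewritten to the container
        # address before routing, so no userland proxy is involved.
        iifname "eth0" tcp dport 1236 dnat to 172.18.0.2:3000
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Container egress leaves the host under its own address.
        ip saddr 172.18.0.0/24 oifname != "docker_if" masquerade
    }
}

table inet docker_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only connections that were DNATed above may enter the bridge.
        oifname "docker_if" ip daddr 172.18.0.2 tcp dport 3000 ct status dnat accept
        # Containers may reach the outside world.
        iifname "docker_if" oifname != "docker_if" accept
    }
}
```

Two checks are worth running alongside this. `ss -ltnp 'sport = :1236'` shows whether `docker-proxy` is still bound to the host port; if it is, the userland proxy accepts the connection on the host and opens a fresh connection to `172.18.0.2:3000` itself, which is why the DNAT rules can be removed without breaking anything and why no packet to port 3000 appears in the trace on the inbound path. Setting `"userland-proxy": false` in `/etc/docker/daemon.json` and restarting the daemon turns that proxy off, after which the kernel rules above are the only path into the container; note that Docker's own `--iptables=true` setup normally also handles host-local (`127.0.0.1`) access with an output-hook DNAT and `route_localnet`, which this example deliberately leaves out. `nft monitor trace` only reports packets on which some rule has executed `meta nftrace set 1`, so the first rule in `prerouting` is what makes the trace useful.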