TL;DR: how do I configure firewall rules to be persistent? I am not using UFW, I believe I am using iptables-nft.
First, I have
- started from pretty recent vanilla Ubuntu 22.04LTS installation (some misc tools added)
- installed Docker using apt packages (repo https://download.docker.com/linux/ubuntu)
- installed LXD using snap
There's some known firewall issues with Docker and LXD coexisting, but I want to use both and AFAIK both should be achievable, and this did work on my previous host (which was Ubuntu 18).
Out of the box Docker networking worked, LXD did not, and iptables commands showed this kind of firewall configuration:
sudo iptables -L# Warning: iptables-legacy tables present, use iptables-legacy to see themChain INPUT (policy ACCEPT)target prot opt source destination Chain FORWARD (policy DROP)target prot opt source destination DOCKER-USER all -- anywhere anywhere DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHEDDOCKER all -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT)target prot opt source destination Chain DOCKER (1 references)target prot opt source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references)target prot opt source destination DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere RETURN all -- anywhere anywhere Chain DOCKER-ISOLATION-STAGE-2 (1 references)target prot opt source destination DROP all -- anywhere anywhere RETURN all -- anywhere anywhere Chain DOCKER-USER (1 references)target prot opt source destination RETURN all -- anywhere anywhere and
sudo iptables-legacy -LChain INPUT (policy ACCEPT)target prot opt source destination Chain FORWARD (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination The "Warning: iptables-legacy tables present" was a bit concerning, but I was not able to figure out if it is a problem I need to fix. I had not done any firewall customization myself at this point.
I got LXD fixed by adding these rules (last one to make it less open)
sudo iptables -I DOCKER-USER -o lxdbr0 -j ACCEPTsudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPTsudo iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROPBut now I don't know how to make these permanent.
There is /etc/nftables.conf but it only has this blank configuration
#!/usr/sbin/nft -fflush rulesettable inet filter { chain input { type filter hook input priority 0; } chain forward { type filter hook forward priority 0; } chain output { type filter hook output priority 0; }}and when I execute nft list ruleset, there's a lot of Docker and LXD related configuration that obviously does not come from nftables.conf, and I don't know if it's supposed to be dynamic and configured by something else than me manually editing nftables.conf file.
So now I have created a script setup-lxd-networking.sh that does those iptables -I commands that I run by hand, but that's not very nice.
sudo nft list ruleset...table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 18 bytes 1393 jump DOCKER-ISOLATION-STAGE-2 counter packets 181 bytes 18684 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 18 bytes 1393 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 209 bytes 35269 jump DOCKER-USER counter packets 181 bytes 18684 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 14 bytes 8351 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 18 bytes 1393 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept } chain DOCKER-USER { iifname "ext_if" ip saddr != 192.168.1.0/24 counter packets 0 bytes 0 drop iifname "lxdbr0" counter packets 15 bytes 866 accept oifname "lxdbr0" counter packets 13 bytes 15719 accept counter packets 181 bytes 18684 return }}table inet lxd { chain pstrt.lxdbr0 { type nat hook postrouting priority srcnat; policy accept; ip saddr 10.5.62.0/24 ip daddr != 10.5.62.0/24 masquerade ip6 saddr fd42:dbed:893c:1f91::/64 ip6 daddr != fd42:dbed:893c:1f91::/64 masquerade } chain fwd.lxdbr0 { type filter hook forward priority filter; policy accept; ip version 4 oifname "lxdbr0" accept ip version 4 iifname "lxdbr0" accept ip6 version 6 oifname "lxdbr0" accept ip6 version 6 iifname "lxdbr0" accept } chain in.lxdbr0 { type filter hook input priority filter; policy accept; iifname "lxdbr0" tcp dport 53 accept iifname "lxdbr0" udp dport 53 accept iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept iifname "lxdbr0" udp dport 67 accept iifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept iifname "lxdbr0" udp dport 547 accept } chain out.lxdbr0 { type filter hook output priority filter; policy accept; oifname "lxdbr0" tcp sport 53 accept oifname "lxdbr0" udp sport 53 accept oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept oifname "lxdbr0" udp sport 67 accept oifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept oifname "lxdbr0" udp sport 547 accept }}