Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

eth to wifi bridge and iptables
 View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23059
PostPosted: Fri Nov 03, 2017 1:52 am    Post subject: Reply with quote
Your DOCKER-ISOLATION chain appears not to isolate much anymore. According to your most recent output, it is now extremely permissive (unless, as before, the use of iptables instead of iptables-save is hiding important qualifiers).
Back to top
View user's profile Send private message
paulusbrand
Tux's lil' helper
Tux's lil' helper


Joined: 20 May 2009
Posts: 112
PostPosted: Sun Nov 05, 2017 9:11 pm    Post subject: Reply with quote
I don't know, here the output of iptables-save:
Code:

# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*nat
:PREROUTING ACCEPT [1694185:197740209]
:INPUT ACCEPT [1594000:183898950]
:OUTPUT ACCEPT [578303:41704595]
:POSTROUTING ACCEPT [678029:55516221]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*mangle
:PREROUTING ACCEPT [8493742134:8923655099670]
:INPUT ACCEPT [8477808691:8912262260768]
:FORWARD ACCEPT [16004336:11442317906]
:OUTPUT ACCEPT [7211751259:10274954884128]
:POSTROUTING ACCEPT [7227814205:10286424050410]
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*filter
:INPUT ACCEPT [346371006:297356148792]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319588332:471215114641]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 32 -j f2b-SSH
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j ACCEPT
-A DOCKER-ISOLATION -i any -o any
-A DOCKER-ISOLATION
-A DOCKER-ISOLATION -j RETURN
-A f2b-SSH -j RETURN
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23059
PostPosted: Sun Nov 05, 2017 9:19 pm    Post subject: Reply with quote
That's much more readable. Thank you.

As hinted at by the terse output, and explicitly confirmed here, your DOCKER-ISOLATION chain now ACCEPTs all traffic. Since FORWARD passes all traffic to it, your FORWARD policy of DROP is irrelevant. Every forwarding decision is ACCEPTed by DOCKER-ISOLATION before more specific rules can act on it. This is why your networking works again. You can simplify this by removing all rules from the FORWARD chain and changing its policy to ACCEPT. You will get the same effect with less work.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy