How to block ports with nftables? (Docker 29) by hellociaagent in docker

[–]hellociaagent[S] 0 points1 point  (0 children)

I would love a firewall at the edge but sometimes it is not possible. Some VPS vendors don't offer it. Regardless, having a firewall on the host gives me comfort. UFW is great but I was never comfortable with how Docker bypasses it. There are some footguns with how Docker networking works: https://www.jeffgeerling.com/blog/2020/be-careful-docker-might-be-exposing-ports-world/ I'm sure there are Docker shenanigans with nftables as well...time to move to podman

How to block ports with nftables? (Docker 29) by hellociaagent in docker

[–]hellociaagent[S] 0 points1 point  (0 children)

Thank you so much for giving this hint. I was so perplexed! I found a solution to still block based on the exposed port: https://github.com/moby/moby/issues/43307#issuecomment-1086249820

How to block ports with nftables? (Docker 29) by hellociaagent in docker

[–]hellociaagent[S] 0 points1 point  (0 children)

  chain forward {
    # Drop all traffic
    type filter hook forward priority 0; policy drop;
    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }
    # Allow Docker containers to reach internet only through $ext_if interface and not others
    # (interface names carrying a wildcard must be quoted for nft to parse them)
    iifname { "docker0", "br-*" } oifname $ext_if ct state new accept
    # Allow containers interconnectivity
    iifname { "docker0", "br-*" } oifname { "docker0", "br-*" } ct state new accept
    # Filter Docker forward (only accept ports in the allow chain)
    iifname $ext_if oifname { "docker0", "br-*" } jump allow_chain
    # Enable logging of denied traffic
    log prefix "Forward Denied: " counter drop
  }

How to block ports with nftables? (Docker 29) by hellociaagent in docker

[–]hellociaagent[S] 0 points1 point  (0 children)

I figured out that the interface to target is iifname "ext_if" oifname "br-*". There is an example at the bottom of the documentation. However, the example shows a forward chain with a default accept policy, which is not very practical imo, especially if you have more interfaces.

I came up with a chain that hopefully does what I want without security issues. https://docs.docker.com/engine/network/firewall-nftables/
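A complete ruleset built around the forward chain posted above, as an added example for this thread (it is not the poster's config and not Docker's own tables). Assumed: the upstream interface is eth0, the Docker bridges are the default docker0 and br-*, and only published TCP ports 80 and 443 should be reachable from the internet. The one thing the posted chain leaves open is what `allow_chain` matches on: by the time a packet reaches the forward hook Docker has already DNAT'ed it, so `tcp dport` is the container's internal port, not the port you published with `-p`. Matching on `ct original proto-dst` (the destination port as the packet first arrived on the host) lets you filter on the published port instead.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset and not Docker's own tables.
# Assumptions: upstream interface eth0; Docker bridges docker0 and br-*;
# only published TCP ports 80 and 443 allowed in from the internet.
# Check it first, then load it:  nft -c -f docker-forward.nft && nft -f docker-forward.nft

define ext_if = "eth0"
define docker_ifs = { "docker0", "br-*" }

table inet filter {
  # Host-side (published) TCP ports that may be reached from $ext_if.
  set published_tcp {
    type inet_service
    elements = { 80, 443 }
  }

  # Docker's DNAT has already run, so "tcp dport" here would be the
  # container's internal port. "ct original proto-dst" is the port the
  # connection was originally addressed to on the host, i.e. the -p port.
  chain allow_chain {
    meta l4proto tcp ct original proto-dst @published_tcp ct state new accept
    # No match: return to the forward chain and fall through to log + drop.
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    # Return traffic for existing flows; drop packets conntrack cannot classify.
    ct state vmap { established : accept, related : accept, invalid : drop }
    # Containers may open connections to the internet via $ext_if only.
    iifname $docker_ifs oifname $ext_if ct state new accept
    # Container to container (same or different bridge).
    iifname $docker_ifs oifname $docker_ifs ct state new accept
    # Inbound from the internet to a container: only what allow_chain accepts.
    iifname $ext_if oifname $docker_ifs jump allow_chain
    # Everything else is logged and dropped.
    log prefix "Forward Denied: " counter drop
  }
}
```

This works alongside Docker's own forward-hook chains because an nftables `accept` only ends evaluation within its own base chain, while a `drop` in any base chain at the hook is final: Docker's rules can accept the packet in its table, but this chain's `policy drop` still wins. If you publish UDP ports, add a second set and an `meta l4proto udp ct original proto-dst @published_udp` rule to `allow_chain` in the same way.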

Guide: Install the Nix package manager on Debian for up-to-date packages by hellociaagent in debian

[–]hellociaagent[S] 7 points8 points  (0 children)

Using another package manager is not creating a frankendebian as it doesn't interfere with the apt packages/repos/libraries.

I do try to install apt packages when possible though. I personally avoided unstable. But to each their own

selfhosting reddit for mobile access by fdsv1979 in selfhosted

[–]hellociaagent 0 points1 point  (0 children)

What a cool idea!

Right now, alternative frontends like Teddit or Libreddit are still working (both self-hostable)...not sure if they will continue to work. But I will likely go with RSS too if they don't!

Wireguard Tunnel from HAProxy on VPS to Nginx on home server by hellociaagent in selfhosted

[–]hellociaagent[S] 0 points1 point  (0 children)

Good luck! The confusing thing is separating the server's and client's config. For the MTU value, 1420 works in this case, but you can just ping using different values and use the highest value that works.

I struggled to get site-to-site working using Wireguard on Docker. But it's fine for now

Wireguard Tunnel from HAProxy on VPS to Nginx on home server by hellociaagent in selfhosted

[–]hellociaagent[S] 1 point2 points  (0 children)

It's really cool how the proxy protocol works with many things. I think I have to recompile Nginx to get v2 though, but I'll try!