Return to Question

added 1355 characters in body

edited Mar 22, 2023 at 23:25

so I guess this is related somehow to ip filter below

➜ sudo nft list table ip filter table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2 counter packets 98 bytes 8062 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 15 bytes 956 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 98 bytes 8062 jump DOCKER-USER counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept iifname "br0" counter packets 70 bytes 5880 accept counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 iifname "br0" counter packets 0 bytes 0 accept iifname "br0" counter packets 0 bytes 0 accept } chain DOCKER-USER { counter packets 98 bytes 8062 return } }

so I guess this is related somehow to ip filter below

➜ sudo nft list table ip filter table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2 counter packets 98 bytes 8062 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 15 bytes 956 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 98 bytes 8062 jump DOCKER-USER counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept iifname "br0" counter packets 70 bytes 5880 accept counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 iifname "br0" counter packets 0 bytes 0 accept iifname "br0" counter packets 0 bytes 0 accept } chain DOCKER-USER { counter packets 98 bytes 8062 return } }

added 12302 characters in body

Source Link

edited Mar 22, 2023 at 23:18

DmitrySemenov

sudo nft list ruleset

table inet firewalld { ct helper helper-netbios-ns-udp { type "netbios-ns" protocol udp l3proto ip } chain mangle_PREROUTING { type filter hook prerouting priority mangle + 10; policy accept; jump mangle_PREROUTING_ZONES } chain mangle_PREROUTING_POLICIES_pre { jump mangle_PRE_policy_allow-host-ipv6 } chain mangle_PREROUTING_ZONES { iifname "br0" goto mangle_PRE_FedoraWorkstation iifname "eth11" goto mangle_PRE_FedoraWorkstation iifname "eth01" goto mangle_PRE_FedoraWorkstation iifname "vpn0" goto mangle_PRE_FedoraWorkstation iifname "ens1f1" goto mangle_PRE_FedoraWorkstation iifname "docker0" goto mangle_PRE_docker goto mangle_PRE_FedoraWorkstation } chain mangle_PREROUTING_POLICIES_post { } chain nat_PREROUTING { type nat hook prerouting priority dstnat + 10; policy accept; jump nat_PREROUTING_ZONES } chain nat_PREROUTING_POLICIES_pre { jump nat_PRE_policy_allow-host-ipv6 } chain nat_PREROUTING_ZONES { iifname "br0" goto nat_PRE_FedoraWorkstation iifname "eth11" goto nat_PRE_FedoraWorkstation iifname "eth01" goto nat_PRE_FedoraWorkstation iifname "vpn0" goto nat_PRE_FedoraWorkstation iifname "ens1f1" goto nat_PRE_FedoraWorkstation iifname "docker0" goto nat_PRE_docker goto nat_PRE_FedoraWorkstation } chain nat_PREROUTING_POLICIES_post { } chain nat_POSTROUTING { type nat hook postrouting priority srcnat + 10; policy accept; jump nat_POSTROUTING_ZONES } chain nat_POSTROUTING_POLICIES_pre { } chain nat_POSTROUTING_ZONES { oifname "br0" goto nat_POST_FedoraWorkstation oifname "eth11" goto nat_POST_FedoraWorkstation oifname "eth01" goto nat_POST_FedoraWorkstation oifname "vpn0" goto nat_POST_FedoraWorkstation oifname "ens1f1" goto nat_POST_FedoraWorkstation oifname "docker0" goto nat_POST_docker goto nat_POST_FedoraWorkstation } chain nat_POSTROUTING_POLICIES_post { } chain nat_OUTPUT { type nat hook output priority -90; policy accept; jump nat_OUTPUT_POLICIES_pre jump nat_OUTPUT_POLICIES_post } chain nat_OUTPUT_POLICIES_pre { } chain nat_OUTPUT_POLICIES_post { } chain filter_PREROUTING { type filter hook prerouting priority filter + 10; policy accept; icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept meta nfproto ipv6 fib saddr . mark . iif oif missing drop } chain filter_INPUT { type filter hook input priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept ct state invalid drop jump filter_INPUT_ZONES reject with icmpx admin-prohibited } chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept ct state invalid drop ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable jump filter_FORWARD_ZONES reject with icmpx admin-prohibited } chain filter_OUTPUT { type filter hook output priority filter + 10; policy accept; ct state { established, related } accept oifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable jump filter_OUTPUT_POLICIES_pre jump filter_OUTPUT_POLICIES_post } chain filter_INPUT_POLICIES_pre { jump filter_IN_policy_allow-host-ipv6 } chain filter_INPUT_ZONES { iifname "br0" goto filter_IN_FedoraWorkstation iifname "eth11" goto filter_IN_FedoraWorkstation iifname "eth01" goto filter_IN_FedoraWorkstation iifname "vpn0" goto filter_IN_FedoraWorkstation iifname "ens1f1" goto filter_IN_FedoraWorkstation iifname "docker0" goto filter_IN_docker goto filter_IN_FedoraWorkstation } chain filter_INPUT_POLICIES_post { } chain filter_FORWARD_POLICIES_pre { } chain filter_FORWARD_ZONES { iifname "br0" goto filter_FWD_FedoraWorkstation iifname "eth11" goto filter_FWD_FedoraWorkstation iifname "eth01" goto filter_FWD_FedoraWorkstation iifname "vpn0" goto filter_FWD_FedoraWorkstation iifname "ens1f1" goto filter_FWD_FedoraWorkstation iifname "docker0" goto filter_FWD_docker goto filter_FWD_FedoraWorkstation } chain filter_FORWARD_POLICIES_post { } chain filter_OUTPUT_POLICIES_pre { } chain filter_OUTPUT_POLICIES_post { } chain filter_IN_FedoraWorkstation { jump filter_INPUT_POLICIES_pre jump filter_IN_FedoraWorkstation_pre jump filter_IN_FedoraWorkstation_log jump filter_IN_FedoraWorkstation_deny jump filter_IN_FedoraWorkstation_allow jump filter_IN_FedoraWorkstation_post jump filter_INPUT_POLICIES_post meta l4proto { icmp, ipv6-icmp } accept reject with icmpx admin-prohibited } chain filter_IN_FedoraWorkstation_pre { } chain filter_IN_FedoraWorkstation_log { } chain filter_IN_FedoraWorkstation_deny { } chain filter_IN_FedoraWorkstation_allow { ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept tcp dport 22 ct state { new, untracked } accept udp dport 137 ct helper set "helper-netbios-ns-udp" udp dport 137 ct state { new, untracked } accept udp dport 138 ct state { new, untracked } accept ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept udp dport 1025-65535 ct state { new, untracked } accept tcp dport 1025-65535 ct state { new, untracked } accept } chain filter_IN_FedoraWorkstation_post { } chain nat_POST_FedoraWorkstation { jump nat_POSTROUTING_POLICIES_pre jump nat_POST_FedoraWorkstation_pre jump nat_POST_FedoraWorkstation_log jump nat_POST_FedoraWorkstation_deny jump nat_POST_FedoraWorkstation_allow jump nat_POST_FedoraWorkstation_post jump nat_POSTROUTING_POLICIES_post } chain nat_POST_FedoraWorkstation_pre { } chain nat_POST_FedoraWorkstation_log { } chain nat_POST_FedoraWorkstation_deny { } chain nat_POST_FedoraWorkstation_allow { } chain nat_POST_FedoraWorkstation_post { } chain filter_FWD_FedoraWorkstation { jump filter_FORWARD_POLICIES_pre jump filter_FWD_FedoraWorkstation_pre jump filter_FWD_FedoraWorkstation_log jump filter_FWD_FedoraWorkstation_deny jump filter_FWD_FedoraWorkstation_allow jump filter_FWD_FedoraWorkstation_post jump filter_FORWARD_POLICIES_post reject with icmpx admin-prohibited } chain filter_FWD_FedoraWorkstation_pre { } chain filter_FWD_FedoraWorkstation_log { } chain filter_FWD_FedoraWorkstation_deny { } chain filter_FWD_FedoraWorkstation_allow { } chain filter_FWD_FedoraWorkstation_post { } chain nat_PRE_FedoraWorkstation { jump nat_PREROUTING_POLICIES_pre jump nat_PRE_FedoraWorkstation_pre jump nat_PRE_FedoraWorkstation_log jump nat_PRE_FedoraWorkstation_deny jump nat_PRE_FedoraWorkstation_allow jump nat_PRE_FedoraWorkstation_post jump nat_PREROUTING_POLICIES_post } chain nat_PRE_FedoraWorkstation_pre { } chain nat_PRE_FedoraWorkstation_log { } chain nat_PRE_FedoraWorkstation_deny { } chain nat_PRE_FedoraWorkstation_allow { } chain nat_PRE_FedoraWorkstation_post { } chain mangle_PRE_FedoraWorkstation { jump mangle_PREROUTING_POLICIES_pre jump mangle_PRE_FedoraWorkstation_pre jump mangle_PRE_FedoraWorkstation_log jump mangle_PRE_FedoraWorkstation_deny jump mangle_PRE_FedoraWorkstation_allow jump mangle_PRE_FedoraWorkstation_post jump mangle_PREROUTING_POLICIES_post } chain mangle_PRE_FedoraWorkstation_pre { } chain mangle_PRE_FedoraWorkstation_log { } chain mangle_PRE_FedoraWorkstation_deny { } chain mangle_PRE_FedoraWorkstation_allow { } chain mangle_PRE_FedoraWorkstation_post { } chain filter_IN_policy_allow-host-ipv6 { jump filter_IN_policy_allow-host-ipv6_pre jump filter_IN_policy_allow-host-ipv6_log jump filter_IN_policy_allow-host-ipv6_deny jump filter_IN_policy_allow-host-ipv6_allow jump filter_IN_policy_allow-host-ipv6_post } chain filter_IN_policy_allow-host-ipv6_pre { } chain filter_IN_policy_allow-host-ipv6_log { } chain filter_IN_policy_allow-host-ipv6_deny { } chain filter_IN_policy_allow-host-ipv6_allow { icmpv6 type nd-neighbor-advert accept icmpv6 type nd-neighbor-solicit accept icmpv6 type nd-router-advert accept icmpv6 type nd-redirect accept } chain filter_IN_policy_allow-host-ipv6_post { } chain nat_PRE_policy_allow-host-ipv6 { jump nat_PRE_policy_allow-host-ipv6_pre jump nat_PRE_policy_allow-host-ipv6_log jump nat_PRE_policy_allow-host-ipv6_deny jump nat_PRE_policy_allow-host-ipv6_allow jump nat_PRE_policy_allow-host-ipv6_post } chain nat_PRE_policy_allow-host-ipv6_pre { } chain nat_PRE_policy_allow-host-ipv6_log { } chain nat_PRE_policy_allow-host-ipv6_deny { } chain nat_PRE_policy_allow-host-ipv6_allow { } chain nat_PRE_policy_allow-host-ipv6_post { } chain mangle_PRE_policy_allow-host-ipv6 { jump mangle_PRE_policy_allow-host-ipv6_pre jump mangle_PRE_policy_allow-host-ipv6_log jump mangle_PRE_policy_allow-host-ipv6_deny jump mangle_PRE_policy_allow-host-ipv6_allow jump mangle_PRE_policy_allow-host-ipv6_post } chain mangle_PRE_policy_allow-host-ipv6_pre { } chain mangle_PRE_policy_allow-host-ipv6_log { } chain mangle_PRE_policy_allow-host-ipv6_deny { } chain mangle_PRE_policy_allow-host-ipv6_allow { } chain mangle_PRE_policy_allow-host-ipv6_post { } chain filter_IN_docker { jump filter_INPUT_POLICIES_pre jump filter_IN_docker_pre jump filter_IN_docker_log jump filter_IN_docker_deny jump filter_IN_docker_allow jump filter_IN_docker_post jump filter_INPUT_POLICIES_post accept } chain filter_IN_docker_pre { } chain filter_IN_docker_log { } chain filter_IN_docker_deny { } chain filter_IN_docker_allow { } chain filter_IN_docker_post { } chain nat_POST_docker { jump nat_POSTROUTING_POLICIES_pre jump nat_POST_docker_pre jump nat_POST_docker_log jump nat_POST_docker_deny jump nat_POST_docker_allow jump nat_POST_docker_post jump nat_POSTROUTING_POLICIES_post } chain nat_POST_docker_pre { } chain nat_POST_docker_log { } chain nat_POST_docker_deny { } chain nat_POST_docker_allow { } chain nat_POST_docker_post { } chain filter_FWD_docker { jump filter_FORWARD_POLICIES_pre jump filter_FWD_docker_pre jump filter_FWD_docker_log jump filter_FWD_docker_deny jump filter_FWD_docker_allow jump filter_FWD_docker_post jump filter_FORWARD_POLICIES_post accept } chain filter_FWD_docker_pre { } chain filter_FWD_docker_log { } chain filter_FWD_docker_deny { } chain filter_FWD_docker_allow { oifname "docker0" accept } chain filter_FWD_docker_post { } chain nat_PRE_docker { jump nat_PREROUTING_POLICIES_pre jump nat_PRE_docker_pre jump nat_PRE_docker_log jump nat_PRE_docker_deny jump nat_PRE_docker_allow jump nat_PRE_docker_post jump nat_PREROUTING_POLICIES_post } chain nat_PRE_docker_pre { } chain nat_PRE_docker_log { } chain nat_PRE_docker_deny { } chain nat_PRE_docker_allow { } chain nat_PRE_docker_post { } chain mangle_PRE_docker { jump mangle_PREROUTING_POLICIES_pre jump mangle_PRE_docker_pre jump mangle_PRE_docker_log jump mangle_PRE_docker_deny jump mangle_PRE_docker_allow jump mangle_PRE_docker_post jump mangle_PREROUTING_POLICIES_post } chain mangle_PRE_docker_pre { } chain mangle_PRE_docker_log { } chain mangle_PRE_docker_deny { } chain mangle_PRE_docker_allow { } chain mangle_PRE_docker_post { } } table ip nat { chain DOCKER { iifname "docker0" counter packets 0 bytes 0 return } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER } chain OUTPUT { type nat hook output priority -100; policy accept; ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER } } table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2 counter packets 98 bytes 8062 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 15 bytes 956 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 98 bytes 8062 jump DOCKER-USER counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept iifname "br0" counter packets 70 bytes 5880 accept counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 iifname "br0" counter packets 0 bytes 0 accept iifname "br0" counter packets 0 bytes 0 accept } chain DOCKER-USER { counter packets 98 bytes 8062 return } }

sudo nft list ruleset

table inet firewalld { ct helper helper-netbios-ns-udp { type "netbios-ns" protocol udp l3proto ip } chain mangle_PREROUTING { type filter hook prerouting priority mangle + 10; policy accept; jump mangle_PREROUTING_ZONES } chain mangle_PREROUTING_POLICIES_pre { jump mangle_PRE_policy_allow-host-ipv6 } chain mangle_PREROUTING_ZONES { iifname "br0" goto mangle_PRE_FedoraWorkstation iifname "eth11" goto mangle_PRE_FedoraWorkstation iifname "eth01" goto mangle_PRE_FedoraWorkstation iifname "vpn0" goto mangle_PRE_FedoraWorkstation iifname "ens1f1" goto mangle_PRE_FedoraWorkstation iifname "docker0" goto mangle_PRE_docker goto mangle_PRE_FedoraWorkstation } chain mangle_PREROUTING_POLICIES_post { } chain nat_PREROUTING { type nat hook prerouting priority dstnat + 10; policy accept; jump nat_PREROUTING_ZONES } chain nat_PREROUTING_POLICIES_pre { jump nat_PRE_policy_allow-host-ipv6 } chain nat_PREROUTING_ZONES { iifname "br0" goto nat_PRE_FedoraWorkstation iifname "eth11" goto nat_PRE_FedoraWorkstation iifname "eth01" goto nat_PRE_FedoraWorkstation iifname "vpn0" goto nat_PRE_FedoraWorkstation iifname "ens1f1" goto nat_PRE_FedoraWorkstation iifname "docker0" goto nat_PRE_docker goto nat_PRE_FedoraWorkstation } chain nat_PREROUTING_POLICIES_post { } chain nat_POSTROUTING { type nat hook postrouting priority srcnat + 10; policy accept; jump nat_POSTROUTING_ZONES } chain nat_POSTROUTING_POLICIES_pre { } chain nat_POSTROUTING_ZONES { oifname "br0" goto nat_POST_FedoraWorkstation oifname "eth11" goto nat_POST_FedoraWorkstation oifname "eth01" goto nat_POST_FedoraWorkstation oifname "vpn0" goto nat_POST_FedoraWorkstation oifname "ens1f1" goto nat_POST_FedoraWorkstation oifname "docker0" goto nat_POST_docker goto nat_POST_FedoraWorkstation } chain nat_POSTROUTING_POLICIES_post { } chain nat_OUTPUT { type nat hook output priority -90; policy accept; jump nat_OUTPUT_POLICIES_pre jump nat_OUTPUT_POLICIES_post } chain nat_OUTPUT_POLICIES_pre { } chain nat_OUTPUT_POLICIES_post { } chain filter_PREROUTING { type filter hook prerouting priority filter + 10; policy accept; icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept meta nfproto ipv6 fib saddr . mark . iif oif missing drop } chain filter_INPUT { type filter hook input priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept ct state invalid drop jump filter_INPUT_ZONES reject with icmpx admin-prohibited } chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept ct state invalid drop ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable jump filter_FORWARD_ZONES reject with icmpx admin-prohibited } chain filter_OUTPUT { type filter hook output priority filter + 10; policy accept; ct state { established, related } accept oifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable jump filter_OUTPUT_POLICIES_pre jump filter_OUTPUT_POLICIES_post } chain filter_INPUT_POLICIES_pre { jump filter_IN_policy_allow-host-ipv6 } chain filter_INPUT_ZONES { iifname "br0" goto filter_IN_FedoraWorkstation iifname "eth11" goto filter_IN_FedoraWorkstation iifname "eth01" goto filter_IN_FedoraWorkstation iifname "vpn0" goto filter_IN_FedoraWorkstation iifname "ens1f1" goto filter_IN_FedoraWorkstation iifname "docker0" goto filter_IN_docker goto filter_IN_FedoraWorkstation } chain filter_INPUT_POLICIES_post { } chain filter_FORWARD_POLICIES_pre { } chain filter_FORWARD_ZONES { iifname "br0" goto filter_FWD_FedoraWorkstation iifname "eth11" goto filter_FWD_FedoraWorkstation iifname "eth01" goto filter_FWD_FedoraWorkstation iifname "vpn0" goto filter_FWD_FedoraWorkstation iifname "ens1f1" goto filter_FWD_FedoraWorkstation iifname "docker0" goto filter_FWD_docker goto filter_FWD_FedoraWorkstation } chain filter_FORWARD_POLICIES_post { } chain filter_OUTPUT_POLICIES_pre { } chain filter_OUTPUT_POLICIES_post { } chain filter_IN_FedoraWorkstation { jump filter_INPUT_POLICIES_pre jump filter_IN_FedoraWorkstation_pre jump filter_IN_FedoraWorkstation_log jump filter_IN_FedoraWorkstation_deny jump filter_IN_FedoraWorkstation_allow jump filter_IN_FedoraWorkstation_post jump filter_INPUT_POLICIES_post meta l4proto { icmp, ipv6-icmp } accept reject with icmpx admin-prohibited } chain filter_IN_FedoraWorkstation_pre { } chain filter_IN_FedoraWorkstation_log { } chain filter_IN_FedoraWorkstation_deny { } chain filter_IN_FedoraWorkstation_allow { ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept tcp dport 22 ct state { new, untracked } accept udp dport 137 ct helper set "helper-netbios-ns-udp" udp dport 137 ct state { new, untracked } accept udp dport 138 ct state { new, untracked } accept ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept udp dport 1025-65535 ct state { new, untracked } accept tcp dport 1025-65535 ct state { new, untracked } accept } chain filter_IN_FedoraWorkstation_post { } chain nat_POST_FedoraWorkstation { jump nat_POSTROUTING_POLICIES_pre jump nat_POST_FedoraWorkstation_pre jump nat_POST_FedoraWorkstation_log jump nat_POST_FedoraWorkstation_deny jump nat_POST_FedoraWorkstation_allow jump nat_POST_FedoraWorkstation_post jump nat_POSTROUTING_POLICIES_post } chain nat_POST_FedoraWorkstation_pre { } chain nat_POST_FedoraWorkstation_log { } chain nat_POST_FedoraWorkstation_deny { } chain nat_POST_FedoraWorkstation_allow { } chain nat_POST_FedoraWorkstation_post { } chain filter_FWD_FedoraWorkstation { jump filter_FORWARD_POLICIES_pre jump filter_FWD_FedoraWorkstation_pre jump filter_FWD_FedoraWorkstation_log jump filter_FWD_FedoraWorkstation_deny jump filter_FWD_FedoraWorkstation_allow jump filter_FWD_FedoraWorkstation_post jump filter_FORWARD_POLICIES_post reject with icmpx admin-prohibited } chain filter_FWD_FedoraWorkstation_pre { } chain filter_FWD_FedoraWorkstation_log { } chain filter_FWD_FedoraWorkstation_deny { } chain filter_FWD_FedoraWorkstation_allow { } chain filter_FWD_FedoraWorkstation_post { } chain nat_PRE_FedoraWorkstation { jump nat_PREROUTING_POLICIES_pre jump nat_PRE_FedoraWorkstation_pre jump nat_PRE_FedoraWorkstation_log jump nat_PRE_FedoraWorkstation_deny jump nat_PRE_FedoraWorkstation_allow jump nat_PRE_FedoraWorkstation_post jump nat_PREROUTING_POLICIES_post } chain nat_PRE_FedoraWorkstation_pre { } chain nat_PRE_FedoraWorkstation_log { } chain nat_PRE_FedoraWorkstation_deny { } chain nat_PRE_FedoraWorkstation_allow { } chain nat_PRE_FedoraWorkstation_post { } chain mangle_PRE_FedoraWorkstation { jump mangle_PREROUTING_POLICIES_pre jump mangle_PRE_FedoraWorkstation_pre jump mangle_PRE_FedoraWorkstation_log jump mangle_PRE_FedoraWorkstation_deny jump mangle_PRE_FedoraWorkstation_allow jump mangle_PRE_FedoraWorkstation_post jump mangle_PREROUTING_POLICIES_post } chain mangle_PRE_FedoraWorkstation_pre { } chain mangle_PRE_FedoraWorkstation_log { } chain mangle_PRE_FedoraWorkstation_deny { } chain mangle_PRE_FedoraWorkstation_allow { } chain mangle_PRE_FedoraWorkstation_post { } chain filter_IN_policy_allow-host-ipv6 { jump filter_IN_policy_allow-host-ipv6_pre jump filter_IN_policy_allow-host-ipv6_log jump filter_IN_policy_allow-host-ipv6_deny jump filter_IN_policy_allow-host-ipv6_allow jump filter_IN_policy_allow-host-ipv6_post } chain filter_IN_policy_allow-host-ipv6_pre { } chain filter_IN_policy_allow-host-ipv6_log { } chain filter_IN_policy_allow-host-ipv6_deny { } chain filter_IN_policy_allow-host-ipv6_allow { icmpv6 type nd-neighbor-advert accept icmpv6 type nd-neighbor-solicit accept icmpv6 type nd-router-advert accept icmpv6 type nd-redirect accept } chain filter_IN_policy_allow-host-ipv6_post { } chain nat_PRE_policy_allow-host-ipv6 { jump nat_PRE_policy_allow-host-ipv6_pre jump nat_PRE_policy_allow-host-ipv6_log jump nat_PRE_policy_allow-host-ipv6_deny jump nat_PRE_policy_allow-host-ipv6_allow jump nat_PRE_policy_allow-host-ipv6_post } chain nat_PRE_policy_allow-host-ipv6_pre { } chain nat_PRE_policy_allow-host-ipv6_log { } chain nat_PRE_policy_allow-host-ipv6_deny { } chain nat_PRE_policy_allow-host-ipv6_allow { } chain nat_PRE_policy_allow-host-ipv6_post { } chain mangle_PRE_policy_allow-host-ipv6 { jump mangle_PRE_policy_allow-host-ipv6_pre jump mangle_PRE_policy_allow-host-ipv6_log jump mangle_PRE_policy_allow-host-ipv6_deny jump mangle_PRE_policy_allow-host-ipv6_allow jump mangle_PRE_policy_allow-host-ipv6_post } chain mangle_PRE_policy_allow-host-ipv6_pre { } chain mangle_PRE_policy_allow-host-ipv6_log { } chain mangle_PRE_policy_allow-host-ipv6_deny { } chain mangle_PRE_policy_allow-host-ipv6_allow { } chain mangle_PRE_policy_allow-host-ipv6_post { } chain filter_IN_docker { jump filter_INPUT_POLICIES_pre jump filter_IN_docker_pre jump filter_IN_docker_log jump filter_IN_docker_deny jump filter_IN_docker_allow jump filter_IN_docker_post jump filter_INPUT_POLICIES_post accept } chain filter_IN_docker_pre { } chain filter_IN_docker_log { } chain filter_IN_docker_deny { } chain filter_IN_docker_allow { } chain filter_IN_docker_post { } chain nat_POST_docker { jump nat_POSTROUTING_POLICIES_pre jump nat_POST_docker_pre jump nat_POST_docker_log jump nat_POST_docker_deny jump nat_POST_docker_allow jump nat_POST_docker_post jump nat_POSTROUTING_POLICIES_post } chain nat_POST_docker_pre { } chain nat_POST_docker_log { } chain nat_POST_docker_deny { } chain nat_POST_docker_allow { } chain nat_POST_docker_post { } chain filter_FWD_docker { jump filter_FORWARD_POLICIES_pre jump filter_FWD_docker_pre jump filter_FWD_docker_log jump filter_FWD_docker_deny jump filter_FWD_docker_allow jump filter_FWD_docker_post jump filter_FORWARD_POLICIES_post accept } chain filter_FWD_docker_pre { } chain filter_FWD_docker_log { } chain filter_FWD_docker_deny { } chain filter_FWD_docker_allow { oifname "docker0" accept } chain filter_FWD_docker_post { } chain nat_PRE_docker { jump nat_PREROUTING_POLICIES_pre jump nat_PRE_docker_pre jump nat_PRE_docker_log jump nat_PRE_docker_deny jump nat_PRE_docker_allow jump nat_PRE_docker_post jump nat_PREROUTING_POLICIES_post } chain nat_PRE_docker_pre { } chain nat_PRE_docker_log { } chain nat_PRE_docker_deny { } chain nat_PRE_docker_allow { } chain nat_PRE_docker_post { } chain mangle_PRE_docker { jump mangle_PREROUTING_POLICIES_pre jump mangle_PRE_docker_pre jump mangle_PRE_docker_log jump mangle_PRE_docker_deny jump mangle_PRE_docker_allow jump mangle_PRE_docker_post jump mangle_PREROUTING_POLICIES_post } chain mangle_PRE_docker_pre { } chain mangle_PRE_docker_log { } chain mangle_PRE_docker_deny { } chain mangle_PRE_docker_allow { } chain mangle_PRE_docker_post { } } table ip nat { chain DOCKER { iifname "docker0" counter packets 0 bytes 0 return } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER } chain OUTPUT { type nat hook output priority -100; policy accept; ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER } } table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2 counter packets 98 bytes 8062 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 15 bytes 956 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 98 bytes 8062 jump DOCKER-USER counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept iifname "br0" counter packets 70 bytes 5880 accept counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 counter packets 0 bytes 0 iifname "br0" counter packets 0 bytes 0 accept iifname "br0" counter packets 0 bytes 0 accept } chain DOCKER-USER { counter packets 98 bytes 8062 return } }

Source Link

asked Mar 22, 2023 at 21:45

DmitrySemenov

packets are filtered via bridge using namespaced network card

trying to make local networking experiment, and unable to ping from within the namespaced network.

I'm using Fedora 37.

Linux dmitry-desktop 6.1.18-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 11 16:09:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

I'm getting the following error

➜ sudo ip netns exec netns-test0 ping 10.10.10.11 PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data. From 10.10.10.1 icmp_seq=1 Packet filtered From 10.10.10.1 icmp_seq=2 Packet filtered From 10.10.10.1 icmp_seq=3 Packet filtered

setup

➜ sudo ip netns add netns-test0 ➜ sudo ip netns add netns-test1 ➜ ls -la /var/run/netns total 0 drwxr-xr-x. 2 root root 80 Mar 22 13:42 . drwxr-xr-x. 63 root root 1.7K Mar 22 12:55 .. -r--r--r--. 1 root root 0 Mar 22 13:42 netns-test0 -r--r--r--. 1 root root 0 Mar 22 13:42 netns-test1 ➜ sudo ip link add eth00 type veth peer name eth01 ➜ sudo ip link add eth10 type veth peer name eth11 ➜ sudo ip link set eth00 up ➜ sudo ip link set eth01 up ➜ sudo ip link set eth01 netns netns-test0 ➜ sudo ip link set eth11 netns netns-test1 ➜ sudo ip netns exec netns-test0 ip link set lo up ➜ sudo ip netns exec netns-test0 ip link set eth01 up ➜ sudo ip netns exec netns-test0 ip addr 10.10.10.10/24 dev eth01 Command "10.10.10.10/24" is unknown, try "ip address help". ➜ sudo ip netns exec netns-test0 ip addr add 10.10.10.10/24 dev eth01 ➜ sudo ip netns exec netns-test1 ip link set lo up ➜ sudo ip netns exec netns-test1 ip link set eth11 up ➜ sudo ip netns exec netns-test1 ip addr add 10.10.10.11/24 dev eth11 ➜ sudo ip link add name br0 type bridge ➜ sudo ip addr add 10.10.10.1/24 brd + dev br0 ➜ sudo ip link set br0 up ➜ sudo ip link set eth00 master br0 ➜ sudo ip link set eth10 master br0 ➜ sudo bridge link show br0 20: eth00@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2 22: eth10@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2 ➜ sudo iptables -A FORWARD -i br0 -j ACCEPT ➜ sudo ip link set eth00 master br0

so from the root namespace I can ping all devices and br0.

➜ ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data. 64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.038 ms 64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.057 ms ➜ ping 10.10.10.10 PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data. 64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.047 ms 64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.060 ms ➜ ping 10.10.10.11 PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data. 64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.049 ms 64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.053 ms

but if I start pings from within the namespaced network - I get packet filtered.

➜ sudo ip netns exec netns-test0 ping 10.10.10.10 PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data. 64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.021 ms ➜ sudo ip netns exec netns-test0 ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data. 64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.063 ms 64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.070 ms ➜ sudo ip netns exec netns-test0 ping 10.10.10.11 PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data. From 10.10.10.1 icmp_seq=1 Packet filtered From 10.10.10.1 icmp_seq=2 Packet filtered From 10.10.10.1 icmp_seq=3 Packet filtered ➜ sudo ip netns exec netns-test1 ping 10.10.10.11 PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data. 64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.018 ms 64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.033 ms 64 bytes from 10.10.10.11: icmp_seq=3 ttl=64 time=0.036 ms ➜ sudo ip netns exec netns-test1 ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data. 64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.061 ms 64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.075 ms 64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.075 ms took 2s ➜ sudo ip netns exec netns-test1 ping 10.10.10.10 PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data. From 10.10.10.1 icmp_seq=1 Packet filtered From 10.10.10.1 icmp_seq=2 Packet filtered From 10.10.10.1 icmp_seq=3 Packet filtered From 10.10.10.1 icmp_seq=4 Packet filtered took 3s ✗ sudo ip netns exec netns-test1 ping 8.8.8.8 ping: connect: Network is unreachable ➜ sudo ip netns exec netns-test0 ping 8.8.8.8 ping: connect: Network is unreachable ➜ sudo ip -all netns exec ip route netns: netns-test1 10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11 netns: netns-test0 10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10 ➜ sudo ip -all netns exec ip route add default via 10.10.10.1 netns: netns-test1 netns: netns-test0 ➜ sudo ip -all netns exec ip route netns: netns-test1 default via 10.10.10.1 dev eth11 10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11 netns: netns-test0 default via 10.10.10.1 dev eth01 10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10 ➜ sudo ip netns exec netns-test0 ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. From 10.10.10.1 icmp_seq=1 Packet filtered From 10.10.10.1 icmp_seq=2 Packet filtered From 10.10.10.1 icmp_seq=3 Packet filtered

my iptables config

➜ _ iptables -L -n -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 95 7810 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 95 7810 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 13 1226 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 15 956 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 67 5628 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain DOCKER (1 references) pkts bytes target prot opt in out source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 15 956 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 15 956 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

firewalld:

➜ firewall-cmd --list-all FedoraWorkstation (active) target: default icmp-block-inversion: no interfaces: br0 ens1f1 eth01 eth11 vpn0 sources: services: dhcpv6-client mdns samba-client ssh ports: 1025-65535/udp 1025-65535/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: