Eaton:/home/eaton # nft list ruleset
# Live ruleset: one firewalld-managed table (inet firewalld) plus two ip tables
# created through iptables-nft (chain names suggest Docker; see warnings below).
# Ordering matters: every base chain here hooks at "filter + 10", so the ip
# filter/nat tables at priority "filter"/"dstnat"/"srcnat" run first for IPv4.
table inet firewalld {
	# conntrack helper for NetBIOS name service; bound to udp/137 in filter_IN_home_allow
	ct helper helper-netbios-ns-udp {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES
	}

	# Per-ingress-interface dispatch: docker0 -> docker zone, eth0 -> home zone,
	# wlp2s0 -> public zone, anything else -> public zone (default zone).
	chain mangle_PREROUTING_POLICIES {
		iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "docker0" jump mangle_PRE_docker
		iifname "docker0" return
		iifname "eth0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "eth0" jump mangle_PRE_home
		iifname "eth0" return
		iifname "wlp2s0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "wlp2s0" jump mangle_PRE_public
		iifname "wlp2s0" return
		jump mangle_PRE_policy_allow-host-ipv6
		jump mangle_PRE_public
		return
	}

	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES
	}

	chain nat_PREROUTING_POLICIES {
		iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
		iifname "docker0" jump nat_PRE_docker
		iifname "docker0" return
		iifname "eth0" jump nat_PRE_policy_allow-host-ipv6
		iifname "eth0" jump nat_PRE_home
		iifname "eth0" return
		iifname "wlp2s0" jump nat_PRE_policy_allow-host-ipv6
		iifname "wlp2s0" jump nat_PRE_public
		iifname "wlp2s0" return
		jump nat_PRE_policy_allow-host-ipv6
		jump nat_PRE_public
		return
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES
	}

	# Egress dispatch keyed on (iifname, oifname); all zone nat_POST_* chains
	# below are empty, so nothing is masqueraded by firewalld itself.
	chain nat_POSTROUTING_POLICIES {
		iifname "docker0" oifname "docker0" jump nat_POST_docker
		iifname "docker0" oifname "docker0" return
		iifname "eth0" oifname "docker0" jump nat_POST_docker
		iifname "eth0" oifname "docker0" return
		iifname "wlp2s0" oifname "docker0" jump nat_POST_docker
		iifname "wlp2s0" oifname "docker0" return
		oifname "docker0" jump nat_POST_docker
		oifname "docker0" return
		iifname "docker0" oifname "eth0" jump nat_POST_home
		iifname "docker0" oifname "eth0" return
		iifname "eth0" oifname "eth0" jump nat_POST_home
		iifname "eth0" oifname "eth0" return
		iifname "wlp2s0" oifname "eth0" jump nat_POST_home
		iifname "wlp2s0" oifname "eth0" return
		oifname "eth0" jump nat_POST_home
		oifname "eth0" return
		iifname "docker0" oifname "wlp2s0" jump nat_POST_public
		iifname "docker0" oifname "wlp2s0" return
		iifname "eth0" oifname "wlp2s0" jump nat_POST_public
		iifname "eth0" oifname "wlp2s0" return
		iifname "wlp2s0" oifname "wlp2s0" jump nat_POST_public
		iifname "wlp2s0" oifname "wlp2s0" return
		oifname "wlp2s0" jump nat_POST_public
		oifname "wlp2s0" return
		iifname "docker0" jump nat_POST_public
		iifname "docker0" return
		iifname "eth0" jump nat_POST_public
		iifname "eth0" return
		iifname "wlp2s0" jump nat_POST_public
		iifname "wlp2s0" return
		jump nat_POST_public
		return
	}

	chain nat_OUTPUT {
		type nat hook output priority dstnat + 10; policy accept;
		jump nat_OUTPUT_POLICIES
	}

	chain nat_OUTPUT_POLICIES {
		oifname "docker0" jump nat_OUT_docker
		oifname "docker0" return
		oifname "eth0" jump nat_OUT_home
		oifname "eth0" return
		oifname "wlp2s0" jump nat_OUT_public
		oifname "wlp2s0" return
		jump nat_OUT_public
		return
	}

	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		# neighbour discovery is exempted from the reverse-path check below
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		# IPv6 reverse-path check: drop when no route back to saddr exists via the ingress interface
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		# NOTE(review): any connection that was DNAT'd (e.g. by the ip nat DOCKER
		# chain below) is accepted here BEFORE the zone allow lists are consulted.
		# The DOCKER chain is empty in this listing, so nothing is exposed yet,
		# but a published container port would not be subject to zone filtering.
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_POLICIES
		# final default for the input hook: nothing falls through to "policy accept"
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		# same caveat as in filter_INPUT: DNAT'd flows bypass the zone forward policies
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		# reject IPv6 destinations that embed IPv4 (compatible/mapped) or 6to4
		# prefixes for private/loopback/link-local/multicast IPv4 ranges
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES
	}

	# Zone targets differ: docker0 traffic falls through to ACCEPT (every host
	# service is reachable from that interface), eth0/wlp2s0 fall through to
	# reject once their allow chains did not match.
	chain filter_INPUT_POLICIES {
		iifname "docker0" jump filter_IN_policy_allow-host-ipv6
		iifname "docker0" jump filter_IN_docker
		iifname "docker0" accept
		iifname "eth0" jump filter_IN_policy_allow-host-ipv6
		iifname "eth0" jump filter_IN_home
		iifname "eth0" reject with icmpx admin-prohibited
		iifname "wlp2s0" jump filter_IN_policy_allow-host-ipv6
		iifname "wlp2s0" jump filter_IN_public
		iifname "wlp2s0" reject with icmpx admin-prohibited
		jump filter_IN_policy_allow-host-ipv6
		jump filter_IN_public
		reject with icmpx admin-prohibited
	}

	# NOTE(review): for IPv4 this chain only sees packets already accepted by
	# "table ip filter" chain FORWARD (priority filter, policy drop) further
	# down; in practice that is docker0-related traffic only.
	chain filter_FORWARD_POLICIES {
		iifname "docker0" oifname "docker0" jump filter_FWD_docker
		iifname "docker0" oifname "docker0" accept
		iifname "docker0" oifname "eth0" jump filter_FWD_docker
		iifname "docker0" oifname "eth0" accept
		iifname "docker0" oifname "wlp2s0" jump filter_FWD_docker
		iifname "docker0" oifname "wlp2s0" accept
		iifname "docker0" jump filter_FWD_docker
		iifname "docker0" accept
		iifname "eth0" oifname "docker0" jump filter_FWD_home
		iifname "eth0" oifname "docker0" reject with icmpx admin-prohibited
		iifname "eth0" oifname "eth0" jump filter_FWD_home
		iifname "eth0" oifname "eth0" reject with icmpx admin-prohibited
		iifname "eth0" oifname "wlp2s0" jump filter_FWD_home
		iifname "eth0" oifname "wlp2s0" reject with icmpx admin-prohibited
		iifname "eth0" jump filter_FWD_home
		iifname "eth0" reject with icmpx admin-prohibited
		iifname "wlp2s0" oifname "docker0" jump filter_FWD_public
		iifname "wlp2s0" oifname "docker0" reject with icmpx admin-prohibited
		iifname "wlp2s0" oifname "eth0" jump filter_FWD_public
		iifname "wlp2s0" oifname "eth0" reject with icmpx admin-prohibited
		iifname "wlp2s0" oifname "wlp2s0" jump filter_FWD_public
		iifname "wlp2s0" oifname "wlp2s0" reject with icmpx admin-prohibited
		iifname "wlp2s0" jump filter_FWD_public
		iifname "wlp2s0" reject with icmpx admin-prohibited
		oifname "docker0" jump filter_FWD_public
		oifname "docker0" reject with icmpx admin-prohibited
		oifname "eth0" jump filter_FWD_public
		oifname "eth0" reject with icmpx admin-prohibited
		oifname "wlp2s0" jump filter_FWD_public
		oifname "wlp2s0" reject with icmpx admin-prohibited
		jump filter_FWD_public
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT_POLICIES {
		oifname "docker0" jump filter_OUT_docker
		oifname "docker0" return
		oifname "eth0" jump filter_OUT_home
		oifname "eth0" return
		oifname "wlp2s0" jump filter_OUT_public
		oifname "wlp2s0" return
		jump filter_OUT_public
		return
	}

	# ---- zone "public" (wlp2s0 and the default zone) ----
	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		# all ICMP/ICMPv6 types accepted for this zone
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport 22 accept
		# dhcpv6-client replies to the link-local address
		ip6 daddr fe80::/64 udp dport 546 accept
		# NOTE(review): tcp/5432 (conventionally PostgreSQL) is reachable from the
		# public zone, i.e. from the wireless interface -- confirm this is intended.
		tcp dport 5432 accept
	}

	chain filter_IN_public_post {
	}

	chain filter_OUT_public {
		jump filter_OUT_public_pre
		jump filter_OUT_public_log
		jump filter_OUT_public_deny
		jump filter_OUT_public_allow
		jump filter_OUT_public_post
	}

	chain filter_OUT_public_pre {
	}

	chain filter_OUT_public_log {
	}

	chain filter_OUT_public_deny {
	}

	chain filter_OUT_public_allow {
	}

	chain filter_OUT_public_post {
	}

	chain nat_OUT_public {
		jump nat_OUT_public_pre
		jump nat_OUT_public_log
		jump nat_OUT_public_deny
		jump nat_OUT_public_allow
		jump nat_OUT_public_post
	}

	chain nat_OUT_public_pre {
	}

	chain nat_OUT_public_log {
	}

	chain nat_OUT_public_deny {
	}

	chain nat_OUT_public_allow {
	}

	chain nat_OUT_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain filter_FWD_public {
		jump filter_FWD_public_pre
		jump filter_FWD_public_log
		jump filter_FWD_public_deny
		jump filter_FWD_public_allow
		jump filter_FWD_public_post
	}

	chain filter_FWD_public_pre {
	}

	chain filter_FWD_public_log {
	}

	chain filter_FWD_public_deny {
	}

	chain filter_FWD_public_allow {
		# intra-zone forwarding: anything leaving via the zone's own interface
		oifname "wlp2s0" accept
	}

	chain filter_FWD_public_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	# ---- zone "docker" (docker0): all sub-chains empty, target is ACCEPT ----
	chain filter_IN_docker {
		jump filter_IN_docker_pre
		jump filter_IN_docker_log
		jump filter_IN_docker_deny
		jump filter_IN_docker_allow
		jump filter_IN_docker_post
	}

	chain filter_IN_docker_pre {
	}

	chain filter_IN_docker_log {
	}

	chain filter_IN_docker_deny {
	}

	chain filter_IN_docker_allow {
	}

	chain filter_IN_docker_post {
	}

	chain filter_OUT_docker {
		jump filter_OUT_docker_pre
		jump filter_OUT_docker_log
		jump filter_OUT_docker_deny
		jump filter_OUT_docker_allow
		jump filter_OUT_docker_post
	}

	chain filter_OUT_docker_pre {
	}

	chain filter_OUT_docker_log {
	}

	chain filter_OUT_docker_deny {
	}

	chain filter_OUT_docker_allow {
	}

	chain filter_OUT_docker_post {
	}

	chain nat_OUT_docker {
		jump nat_OUT_docker_pre
		jump nat_OUT_docker_log
		jump nat_OUT_docker_deny
		jump nat_OUT_docker_allow
		jump nat_OUT_docker_post
	}

	chain nat_OUT_docker_pre {
	}

	chain nat_OUT_docker_log {
	}

	chain nat_OUT_docker_deny {
	}

	chain nat_OUT_docker_allow {
	}

	chain nat_OUT_docker_post {
	}

	chain nat_POST_docker {
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
	}

	chain nat_POST_docker_pre {
	}

	chain nat_POST_docker_log {
	}

	chain nat_POST_docker_deny {
	}

	chain nat_POST_docker_allow {
	}

	chain nat_POST_docker_post {
	}

	chain filter_FWD_docker {
		jump filter_FWD_docker_pre
		jump filter_FWD_docker_log
		jump filter_FWD_docker_deny
		jump filter_FWD_docker_allow
		jump filter_FWD_docker_post
	}

	chain filter_FWD_docker_pre {
	}

	chain filter_FWD_docker_log {
	}

	chain filter_FWD_docker_deny {
	}

	chain filter_FWD_docker_allow {
	}

	chain filter_FWD_docker_post {
	}

	chain nat_PRE_docker {
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
	}

	chain nat_PRE_docker_pre {
	}

	chain nat_PRE_docker_log {
	}

	chain nat_PRE_docker_deny {
	}

	chain nat_PRE_docker_allow {
	}

	chain nat_PRE_docker_post {
	}

	chain mangle_PRE_docker {
		jump mangle_PRE_docker_pre
		jump mangle_PRE_docker_log
		jump mangle_PRE_docker_deny
		jump mangle_PRE_docker_allow
		jump mangle_PRE_docker_post
	}

	chain mangle_PRE_docker_pre {
	}

	chain mangle_PRE_docker_log {
	}

	chain mangle_PRE_docker_deny {
	}

	chain mangle_PRE_docker_allow {
	}

	chain mangle_PRE_docker_post {
	}

	# ---- policy "allow-host-ipv6": consulted for every zone before the zone chain ----
	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		# IPv6 neighbour discovery / router advertisement / redirect, all zones
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}

	# ---- zone "home" (eth0) ----
	chain filter_IN_home {
		jump filter_IN_home_pre
		jump filter_IN_home_log
		jump filter_IN_home_deny
		jump filter_IN_home_allow
		jump filter_IN_home_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_home_pre {
	}

	chain filter_IN_home_log {
	}

	chain filter_IN_home_deny {
	}

	chain filter_IN_home_allow {
		tcp dport 22 accept
		# mDNS, only to the IPv4/IPv6 multicast group addresses
		ip daddr 224.0.0.251 udp dport 5353 accept
		ip6 daddr ff02::fb udp dport 5353 accept
		# NetBIOS name service with the conntrack helper defined at the top, then datagram service
		udp dport 137 ct helper set "helper-netbios-ns-udp"
		udp dport 137 accept
		udp dport 138 accept
		ip6 daddr fe80::/64 udp dport 546 accept
		# 5432 is open on both tcp and udp here (tcp only in the public zone)
		tcp dport 5432 accept
		udp dport 5432 accept
	}

	chain filter_IN_home_post {
	}

	chain filter_OUT_home {
		jump filter_OUT_home_pre
		jump filter_OUT_home_log
		jump filter_OUT_home_deny
		jump filter_OUT_home_allow
		jump filter_OUT_home_post
	}

	chain filter_OUT_home_pre {
	}

	chain filter_OUT_home_log {
	}

	chain filter_OUT_home_deny {
	}

	chain filter_OUT_home_allow {
	}

	chain filter_OUT_home_post {
	}

	chain nat_OUT_home {
		jump nat_OUT_home_pre
		jump nat_OUT_home_log
		jump nat_OUT_home_deny
		jump nat_OUT_home_allow
		jump nat_OUT_home_post
	}

	chain nat_OUT_home_pre {
	}

	chain nat_OUT_home_log {
	}

	chain nat_OUT_home_deny {
	}

	chain nat_OUT_home_allow {
	}

	chain nat_OUT_home_post {
	}

	chain nat_POST_home {
		jump nat_POST_home_pre
		jump nat_POST_home_log
		jump nat_POST_home_deny
		jump nat_POST_home_allow
		jump nat_POST_home_post
	}

	chain nat_POST_home_pre {
	}

	chain nat_POST_home_log {
	}

	chain nat_POST_home_deny {
	}

	chain nat_POST_home_allow {
	}

	chain nat_POST_home_post {
	}

	chain filter_FWD_home {
		jump filter_FWD_home_pre
		jump filter_FWD_home_log
		jump filter_FWD_home_deny
		jump filter_FWD_home_allow
		jump filter_FWD_home_post
	}

	chain filter_FWD_home_pre {
	}

	chain filter_FWD_home_log {
	}

	chain filter_FWD_home_deny {
	}

	chain filter_FWD_home_allow {
		# intra-zone forwarding for eth0 (see the IPv4 caveat on filter_FORWARD_POLICIES)
		oifname "eth0" accept
	}

	chain filter_FWD_home_post {
	}

	chain nat_PRE_home {
		jump nat_PRE_home_pre
		jump nat_PRE_home_log
		jump nat_PRE_home_deny
		jump nat_PRE_home_allow
		jump nat_PRE_home_post
	}

	chain nat_PRE_home_pre {
	}

	chain nat_PRE_home_log {
	}

	chain nat_PRE_home_deny {
	}

	chain nat_PRE_home_allow {
	}

	chain nat_PRE_home_post {
	}

	chain mangle_PRE_home {
		jump mangle_PRE_home_pre
		jump mangle_PRE_home_log
		jump mangle_PRE_home_deny
		jump mangle_PRE_home_allow
		jump mangle_PRE_home_post
	}

	chain mangle_PRE_home_pre {
	}

	chain mangle_PRE_home_log {
	}

	chain mangle_PRE_home_deny {
	}

	chain mangle_PRE_home_allow {
	}

	chain mangle_PRE_home_post {
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
# "xt match"/"xt target" entries are iptables extensions; nft does not show
# their arguments (e.g. which addrtype is matched), so the iptables view is
# needed to audit them.
table ip nat {
	chain DOCKER {
		# no port-publishing DNAT rules present at the time of this listing
		iifname "docker0" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# source NAT for the container subnet leaving via any non-bridge interface
		ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 xt target "MASQUERADE"
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		# runs before firewalld's nat_PREROUTING (dstnat + 10)
		xt match "addrtype" counter packets 4875 bytes 266646 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority dstnat; policy accept;
		ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 0 bytes 0 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		# blocks bridge-to-bridge forwarding between container networks
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		# NOTE(review): priority "filter" with policy drop -- this chain is
		# evaluated before inet firewalld filter_FORWARD (filter + 10) and drops
		# every IPv4 forwarded packet it does not accept itself, so the firewalld
		# zone forward rules only apply to IPv4 traffic involving docker0.
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump DOCKER-USER
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		# hook point for operator-defined rules; currently empty (plain return)
		counter packets 0 bytes 0 return
	}
}