I am running a service in a Docker container. The service is exposed on a given port (say 12345).
On top of it I added an nginx reverse proxy to get extra features such as HTTPS and HTTP/2.
The nginx configuration is as follows:
worker_processes auto;
http {
    sendfile on;
    gzip on;
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl ipv6only=on http2;
        server_name example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            # the container's published port on the host
            proxy_pass http://localhost:12345/;
            proxy_buffering off;
            # HTTP/1.1 plus Upgrade/Connection headers so WebSocket upgrades pass through
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
Without any firewall it works fine (I can reach the service from the LAN both through port 443 and through port 12345).
I have configured the firewall, using the nftables backend, as follows:
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-06ceff0ffa49 docker0
  sources:
  services:
  ports: 12345/tcp 12345/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: http https ssh
  ports: 12345/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports: 12345/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
When I try to reach the service from a PC on the LAN with this configuration, I can reach it directly on port 12345, but if I try to go through nginx I get a timeout.
My feeling is that firewalld is blocking nginx from exchanging data with the container, but I don't know what I am missing to make it work.
What might I be missing?
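As an added example (not part of the question), a small Python helper that parses a `firewall-cmd --list-all-zones` style listing like the one above and answers which active zone binds a given interface and whether a port is accepted there, either directly, via a listed service, or because the zone's target is ACCEPT. The embedded sample is an excerpt of the question's listing; the hypothetical `SERVICE_PORTS` map covers only the three services that appear in it.

```python
import re

# Excerpt of the listing from the question (trusted zone and unused fields omitted); the parser accepts the full listing.
SAMPLE = """\
docker (active)
  target: ACCEPT
  interfaces: br-06ceff0ffa49 docker0
  services:
  ports: 12345/tcp 12345/udp
  forward: yes
public (active)
  target: default
  interfaces: eth0 wlan0
  services: http https ssh
  ports: 12345/tcp
  forward: yes
"""
# Minimal service-to-port map assumed here; firewalld itself reads these from its service XML files.
SERVICE_PORTS = {"http": "80/tcp", "https": "443/tcp", "ssh": "22/tcp"}
ZONE_HEADER = re.compile(r"^(\S+)(?: \((active)\))?$")

def parse_zones(listing):
    """Map zone name -> fields; every 'key: values' line becomes a list of tokens (empty -> [])."""
    zones, current = {}, None
    for raw in listing.splitlines():
        if not raw.strip():
            continue                            # blank separator between zones
        if not raw.startswith(" "):             # zone header, e.g. "public (active)"
            m = ZONE_HEADER.match(raw.strip())
            current = zones.setdefault(m.group(1), {"active": m.group(2) == "active"})
            continue
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.split()
    return zones

def zone_for_interface(zones, iface):
    """Name of the active zone that binds iface, or None if no zone claims it."""
    for name, z in zones.items():
        if z["active"] and iface in z.get("interfaces", []):
            return name
    return None

def port_allowed(zones, iface, port, proto="tcp"):
    """True if traffic to port/proto arriving on iface is accepted by the zone bound to it."""
    name = zone_for_interface(zones, iface)
    if name is None:
        return False                            # unbound interface: default zone, not modelled here
    z = zones[name]
    if z.get("target") == ["ACCEPT"] or f"{port}/{proto}" in z.get("ports", []):
        return True
    return any(SERVICE_PORTS.get(s) == f"{port}/{proto}" for s in z.get("services", []))
```

Feed it the real output of `firewall-cmd --list-all-zones` to audit which interface-to-zone bindings accept a given port.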