Just a quick question about Docker Compose. I have an nftables firewall installed on my server, with a default drop policy loaded for the input and forward chains. Everything has worked fine so far, but today I wanted to install Nginx Proxy Manager, and when I log in I get a "Bad Gateway" error. I think the Docker Compose containers (MySQL and Nginx) can't talk to each other because of nft. Without the firewall everything works fine. I'd now like to know how to fix the problem, or which nft rules I need. Below is my nft config. wg stands for WireGuard.
Thanks, Jonathan :)
# $pub_iface, $wg_iface and $wg_port are nft "define" variables; their
# definitions sit above this table in the full config and are not part of
# the excerpt pasted here.
table inet basic-filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept   # replies to traffic the host started
        iif lo accept                                # loopback
        ip protocol icmp accept                      # IPv4 ICMP
        ip6 nexthdr ipv6-icmp accept                 # IPv6 ICMP (next header)
        meta l4proto ipv6-icmp accept                # IPv6 ICMP, also behind extension headers
        iif $pub_iface tcp dport 51829 accept        # TCP 51829 from the public interface
        iif $pub_iface udp dport $wg_port accept     # WireGuard listener
        iifname $wg_iface accept                     # anything arriving over the WireGuard tunnel
        ct state invalid drop
        reject
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        # WireGuard peer to peer inside the tunnel subnet
        iifname $wg_iface ip saddr 10.212.0.0/16 ip daddr 10.212.0.0/16 oifname $wg_iface accept
        # WireGuard peers out to the Internet
        iifname $wg_iface oifname $pub_iface accept
        ct state invalid drop
        reject with icmpx type host-unreachable
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        iifname $wg_iface oifname $pub_iface masquerade   # SNAT WireGuard peers behind the public address
    }
}   # closing brace of the table, missing from the pasted excerpt
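As an added example (not part of the original post, not the poster's config), here is a Docker-aware version of the forward chain for the same `inet basic-filter` table. It assumes Docker's defaults, a default bridge called `docker0` and one `br-<id>` bridge per Compose network, a wildcard-capable nftables, and a made-up published-port set `{ 80, 443, 81 }`; `$pub_iface` and `$wg_iface` are the poster's own defines.

```nft
# Added example, not the poster's config. Only the forward chain is shown;
# the input and postrouting chains stay as posted.
table inet basic-filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop

        # Container-to-container traffic on one Compose network (MySQL <->
        # Nginx) also crosses this hook, because Docker turns on
        # br_netfilter (bridge-nf-call-iptables=1). With "policy drop" and
        # no rule for the bridge, that traffic is the first thing to break.
        iifname "br-*" oifname "br-*" accept      # assumption: Compose bridge names
        iifname "docker0" oifname "docker0" accept  # assumption: default bridge name

        # Containers reaching the Internet. Docker's own nat table already
        # masquerades them; only the filter verdict is missing here.
        iifname "br-*" oifname $pub_iface accept
        iifname "docker0" oifname $pub_iface accept

        # Inbound to ports Docker published (after Docker's DNAT). Keep the
        # set to the ports actually exposed; { 80, 443, 81 } is constructed.
        ct status dnat oifname "br-*" tcp dport { 80, 443, 81 } accept

        # Poster's existing WireGuard rules, unchanged.
        iifname $wg_iface ip saddr 10.212.0.0/16 ip daddr 10.212.0.0/16 oifname $wg_iface accept
        iifname $wg_iface oifname $pub_iface accept
        reject with icmpx type host-unreachable
    }
}
```

Docker installs its own accept rules through iptables-nft in separate `ip filter` and `ip nat` tables, but nftables evaluates every base chain registered on a hook and a drop in any one of them wins, so the accept for container traffic has to be present in this table as well.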