Summary: how do I configure firewall rules so that they persist? I am not using UFW; I believe I am using iptables-nft.
First, I have:
- started from a recent vanilla Ubuntu 22.04 LTS install (with a few miscellaneous tools added)
- installed Docker from the apt package (repo https://download.docker.com/linux/ubuntu)
- installed LXD using snap
There are some known firewall issues with Docker and LXD coexisting, but I want to use both at the same time; as far as I know that should be possible, and it did work on my previous host (Ubuntu 18).
Out of the box, Docker networking works but LXD's does not, and the iptables command shows this firewall configuration:
sudo iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
and
sudo iptables-legacy -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The "Warning: iptables-legacy tables present" is a bit worrying, but I cannot tell whether it is something I need to fix. So far I have not done any firewall customisation of my own.
I fixed LXD by adding these rules (the last one makes it a bit less open):
sudo iptables -I DOCKER-USER -o lxdbr0 -j ACCEPT
sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
sudo iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
But now I do not know how to make them permanent.
There is /etc/nftables.conf, but it only contains this empty configuration:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
When I run nft list ruleset, there is a lot of Docker- and LXD-related configuration that clearly does not come from nftables.conf, and I do not know whether it is meant to be dynamic and configured by something other than me editing the nftables.conf file by hand.
So for now I have created a script setup-lxd-networking.sh that runs those iptables -I commands I ran manually, but that is not great.
sudo nft list ruleset
...
table ip filter {
    chain DOCKER {
    }
    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 18 bytes 1393 jump DOCKER-ISOLATION-STAGE-2
        counter packets 181 bytes 18684 return
    }
    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 18 bytes 1393 return
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 209 bytes 35269 jump DOCKER-USER
        counter packets 181 bytes 18684 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 14 bytes 8351 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 18 bytes 1393 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }
    chain DOCKER-USER {
        iifname "ext_if" ip saddr != 192.168.1.0/24 counter packets 0 bytes 0 drop
        iifname "lxdbr0" counter packets 15 bytes 866 accept
        oifname "lxdbr0" counter packets 13 bytes 15719 accept
        counter packets 181 bytes 18684 return
    }
}
table inet lxd {
    chain pstrt.lxdbr0 {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.5.62.0/24 ip daddr != 10.5.62.0/24 masquerade
        ip6 saddr fd42:dbed:893c:1f91::/64 ip6 daddr != fd42:dbed:893c:1f91::/64 masquerade
    }
    chain fwd.lxdbr0 {
        type filter hook forward priority filter; policy accept;
        ip version 4 oifname "lxdbr0" accept
        ip version 4 iifname "lxdbr0" accept
        ip6 version 6 oifname "lxdbr0" accept
        ip6 version 6 iifname "lxdbr0" accept
    }
    chain in.lxdbr0 {
        type filter hook input priority filter; policy accept;
        iifname "lxdbr0" tcp dport 53 accept
        iifname "lxdbr0" udp dport 53 accept
        iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iifname "lxdbr0" udp dport 67 accept
        iifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
        iifname "lxdbr0" udp dport 547 accept
    }
    chain out.lxdbr0 {
        type filter hook output priority filter; policy accept;
        oifname "lxdbr0" tcp sport 53 accept
        oifname "lxdbr0" udp sport 53 accept
        oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        oifname "lxdbr0" udp sport 67 accept
        oifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
        oifname "lxdbr0" udp sport 547 accept
    }
}
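An idempotent version of the setup-lxd-networking.sh approach described in the question, added here as an example (it is not the asker's script): each DOCKER-USER rule is inserted only if `iptables -C` does not already find it, and the script first waits for Docker to create the DOCKER-USER chain, which is the failure mode a boot-time script hits when it runs before dockerd. The function names, the `apply` argument and the IPTABLES variable are assumptions; ext_if and 192.168.1.0/24 are the values from the question.

```shell
#!/bin/sh
# Added example (not the asker's script): idempotent setup-lxd-networking.sh.
# ext_if / 192.168.1.0/24 are the values used in the question.
IPTABLES="${IPTABLES:-iptables}"   # override to use iptables-legacy, or to test

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN unless an
# identical rule is already there (iptables -C exits 0 when it matches).
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0                    # already present: re-runs add nothing
    fi
    "$IPTABLES" -I "$chain" "$@"
}

# wait_for_chain CHAIN [TRIES]: dockerd creates DOCKER-USER when it starts,
# so a script run at boot must not insert into it before it exists.
wait_for_chain() {
    chain="$1"; tries="${2:-30}"
    while ! "$IPTABLES" -L "$chain" -n >/dev/null 2>&1; do
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep 1
    done
}

# The same three rules the question inserted by hand, in the same order, so
# the chain ends up: DROP from ext_if outside the LAN, then the two lxdbr0
# ACCEPTs (each -I prepends, so the last call lands first in the chain).
install_lxd_rules() {
    ensure_rule DOCKER-USER -o lxdbr0 -j ACCEPT &&
    ensure_rule DOCKER-USER -i lxdbr0 -j ACCEPT &&
    ensure_rule DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
}

# Only touch the firewall when invoked as: sudo ./setup-lxd-networking.sh apply
case "${1:-}" in
    apply)
        wait_for_chain DOCKER-USER ||
            { echo "DOCKER-USER chain not found; is Docker running?" >&2; exit 1; }
        install_lxd_rules
        ;;
esac
```

Because every run is idempotent, the script can be started from a systemd oneshot unit ordered After=docker.service without duplicating rules on each boot or Docker restart.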
Answer 1
I ran into the same problem. As discussed on the LXD forum here, the solution I found was to remove the Docker installed via apt and replace it with the Docker installed via snap.
# apt purge docker.io
# apt autoremove
# snap install docker
# reboot
The reason is that lxd wants to use nftables, and apt docker also wants to use nftables, but lxd does not coexist well with it. You apparently cannot force lxd to use iptables-legacy. But snap docker seems to use iptables-legacy, so they stay out of each other's way.