Channel: Raspberry Pi Forums

Beginners • Re: Can't access via http to my Raspberry

Hello, I found the reason why I was not able to access my docker portainer or Pi-hole via http/https.
Typing: sudo nano /etc/nftables.conf
-I accessed the firewall rules. Before installing docker portainer I had defined hardened rules, following the instructions of Sun Knudsen's blog:

-Enable nftables
systemctl enable nftables
systemctl start nftables

-Configure firewall rules
nft flush ruleset
nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept

-Make firewall rules persistent
cat << "EOF" > /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

EOF
nft list ruleset >> /etc/nftables.conf

-That allows only internal communications from the kernel to outside and SSH access, not much more.
Now I am trying to redefine the rules to run docker-portainer and Pi-hole. I don't understand why there are a lot of tutorials for installing Pi-hole and not many for nftables for Pi-hole, because it is very sensitive software regarding privacy.

Statistics: Posted by birdawn — Tue Apr 16, 2024 10:13 pm
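
Added example, not part of the original post: a small shell check showing why the ruleset above drops inbound http/https, since the `{ http, https }` accept rule sits in the output chain and the input chain only accepts ssh. The embedded ruleset is a constructed sample of what `nft list ruleset` would print for the commands in the post, and `tcp_verdict` is a hypothetical helper that only understands rules beginning with `tcp dport`.

```sh
# Constructed sample: `nft list ruleset` output for the rules in the post
# (nft lists service names such as ssh and http as port numbers).
RULESET='table ip firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        tcp dport 22 accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        tcp dport { 80, 443 } accept
        udp dport { 53, 123 } accept
        ct state established,related accept
    }
}'

# tcp_verdict CHAIN PORT: print the verdict a NEW TCP connection to PORT gets
# in CHAIN (first matching "tcp dport" rule, otherwise the chain policy).
# Hypothetical helper; rules with extra matches (e.g. ip saddr) are ignored.
tcp_verdict() {
    printf '%s\n' "$RULESET" | awk -v chain="$1" -v port="$2" '
        $1 == "chain" { in_chain = ($2 == chain); next }
        !in_chain     { next }
        $1 == "}"     { in_chain = 0; next }
        /policy/      { policy = $NF; sub(/;$/, "", policy); next }
        $1 == "tcp" && $2 == "dport" {
            verdict = $NF
            line = $0
            gsub(/[{},]/, " ", line)        # flatten "{ 80, 443 }" to "80 443"
            n = split(line, f, " ")
            for (i = 3; i < n; i++)         # fields between "dport" and verdict
                if (f[i] == port) { print verdict; found = 1; exit }
        }
        END { if (!found) print policy }
    '
}

# Inbound: only 22 is accepted; 80 and 443 fall through to "policy drop".
for p in 22 80 443; do echo "input tcp/$p: $(tcp_verdict input "$p")"; done
```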