# eth to wifi bridge and iptables

## paulusbrand

Hi all,

My server is connected to my router by ethernet. It also contains a wifi card which is bridged to the ethernet card to act as wifi access point. All is working fine so far.

But to be able to use docker containers I need iptables running. If I start iptables on the server it becomes impossible to reach the internet through my wifi. If I connect to one of the ethernet ports from the switch all works fine.

I probably need to add a rule to the iptables, can anyone help me with that?

image of the layout below:

https://ikhebeenboot.nl/layout.png

/etc/conf.d/net

```
config_eth0="null"
config_wlan0="null"
modules_wlan0="!wpa_supplicant !iwconfig"
rc_net_br0_need="net.eth0 net.wlan0 hostapd"
brctl_br0="setfd 0 sethello 10 waitport 10 stp off"
bridge_br0="eth0 wlan0"
modules_br0="ifconfig"
config_br0="192.168.178.1/24 brd 192.168.178.255"
routes_br0="default via 192.168.178.254"
dns_servers_br0="208.67.222.222 208.67.220.220"
```

/etc/hostapd/hostapd.conf

```
interface=wlan0
bridge=br0
driver=nl80211
country_code=NL
ssid=***********
hw_mode=g
channel=4
wpa=2
wpa_passphrase=**********
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0
```

iptables -L

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:**

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere    
```

----------

## bbgermany

Hi,

you should be able to connect to the internet again, as soon as you allow forwarding traffic from the wireless to the ethernet interface, since the forward policy is set to drop.

Either you set the default forward policy to accept, or you create a new rule which allows forwarding traffic for the needed devices.

greets, bb

----------

## Hu

I think your iptables -L output is wrong or misleading (which is why I always tell people to post the machine-readable iptables-save output instead).  You have two FORWARD rules that appear to allow everything, yet they are insufficient.  Most likely, there are unshown qualifiers that cause them not to match.  iptables-save would show these qualifiers.

----------

## bbgermany

Hi,

Damn Hu, you're right, I've overlooked this. "iptables -L -nv" should do the trick to show the more detailed information you or we may need.

greets, bb

----------

## paulusbrand

```
Chain INPUT (policy ACCEPT 10M packets, 22G bytes)
 pkts bytes target     prot opt in     out     source               destination    
 5639  376K f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:**

Chain FORWARD (policy DROP 5588 packets, 672K bytes)
 pkts bytes target     prot opt in     out     source               destination    
 147K  161M DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
86412  157M DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0     
86412  157M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
54762 3261K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0    

Chain OUTPUT (policy ACCEPT 6051K packets, 10G bytes)
 pkts bytes target     prot opt in     out     source               destination    

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination    

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination    
 147K  161M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0      

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination    
 5639  376K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0      
```

----------

## bbgermany

Hi,

As expected... As I already said, add rules for allowing traffic from your wireless to your lan, since you block all traffic forwarded except for the docker interface (docker0).

greets, bb

----------

## paulusbrand

Hi,

Thanks! 

I added the following rules:

```
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
```

iptables-save output:

```
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*nat
:PREROUTING ACCEPT [12104:1040817]
:INPUT ACCEPT [6546:620952]
:OUTPUT ACCEPT [3097:217705]
:POSTROUTING ACCEPT [3097:217705]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Oct 29 12:48:10 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*mangle
:PREROUTING ACCEPT [7951368650:8498340769118]
:INPUT ACCEPT [7951124625:8498172423181]
:FORWARD ACCEPT [154131:162298474]
:OUTPUT ACCEPT [6719819482:9601179874504]
:POSTROUTING ACCEPT [6720031362:9601367656517]
COMMIT
# Completed on Sun Oct 29 12:48:10 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*filter
:INPUT ACCEPT [104973:33409587]
:FORWARD DROP [722:64593]
:OUTPUT ACCEPT [106335:152951741]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport ** -j f2b-SSH
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A f2b-SSH -j RETURN
COMMIT
# Completed on Sun Oct 29 12:48:10 2017
```

But still no way of connecting to the internet when connected via Wifi. I am a real iptables noob, are those rules correct?

----------

## NeddySeagoon

paulusbrand,

What is in /proc/sys/net/ipv4/ip_forward ?

It needs to be 1, so that the kernel will forward packets.

As your two interfaces are donated to br0, I don't think that you can write iptables rules for them.

A bridge is the software equivalent of a hub.  All packets appear on all ports.

----------

## paulusbrand

forwarding is enabled.  /proc/sys/net/ipv4/ip_forward is 1.

Maybe I shouldn't use a bridge but add a masquerade rule to forward packets between eth0 and wlan0?

----------

## NeddySeagoon

paulusbrand,

Masquerading has its own complications.  Let's see if we can narrow it down a little.

From the server, do 

```
ping 8.8.8.8
```

That's a google public nameserver.  No name resolution is required.

If that works, 

```
ping google.com
```

If that works, name resolution from the server works too.

If both work, move to a wifi connected system.

From there,  

```
ping 192.168.178.1
```

needs to work.  That's br0 in the server.

Without that there is no WiFi connectivity anywhere. 

If that works try 

```
ping 8.8.8.8
```

and 

```
ping google.com
```

Report the first failure.

Change your DROP policies to REJECT meanwhile.  DROP throws away packets silently.

REJECT will produce a message.

----------

## paulusbrand

Both work on the server with iptables enabled.

On wifi client 192.168.178.1 works 8.8.8.8 does not.

----------

## Hu

With the right kernel configuration options set (BRIDGE_NETFILTER is required, but may not be sufficient for all purposes), iptables can filter bridges.  This can lead to great havoc if you aren't expecting it, particularly since the rules to use when you filter bridged traffic are not the same rules you use to filter that same traffic in non-bridged mode.  If I recall correctly, when filtering a bridge, the interface names are set to the bridge name and you need to use the iptables extension match physdev to get the names of the underlying interfaces that the bridge is using for this packet.  See man iptables-extensions module physdev.  Thus, the rules you added in the post where you provided iptables-save output are likely not matching at all, and so do you no good.  You need to rewrite them to use physdev matches.  This might work (untested):

```
# physdev is an extension match, so it has to be loaded with -m physdev
iptables -A FORWARD -i br0 -m physdev --physdev-in eth0 --physdev-out wlan0 -j ACCEPT
iptables -A FORWARD -i br0 -m physdev --physdev-in wlan0 --physdev-out eth0 -j ACCEPT
```

It's also possible that you are not filtering the bridge at all, but instead have some other problem, in which case nothing in this post applies to you.  However, the curious timing that everything broke when you added iptables to an otherwise working bridge makes me suspect this does apply to you.

----------

## NeddySeagoon

paulusbrand,

Did the REJECT policy produce an error message?

----------

## paulusbrand

Not yet, ill try tomorrow. Thx so far!

----------

## paulusbrand

I can't seem to change the default policy on the forward chain?

```
server paul # iptables --policy FORWARD REJECT
iptables: Bad policy name. Run `dmesg' for more information.
```

```
server paul # iptables --policy FORWARD ACCEPT
```

I can set it to ACCEPT, then everything works.

----------

## bbgermany

Hi,

instead of:

```
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
```

try the following: 

```
iptables -I FORWARD 1 -i eth0 -o wlan0 -j ACCEPT
iptables -I FORWARD 2 -i wlan0 -o eth0 -j ACCEPT
```

greets, bb

----------

## paulusbrand

Too bad, not working

```
Chain INPUT (policy ACCEPT 27527 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination         
58208 3597K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:32

Chain FORWARD (policy DROP 211 packets, 24417 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   wlan0   anywhere             anywhere            
    0     0 ACCEPT     all  --  wlan0  eth0    anywhere             anywhere            
1231K 1225M DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere            
15419   29M DOCKER     all  --  any    docker0  anywhere             anywhere            
15419   29M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
10376  585K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 25647 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1231K 1225M RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
58208 3597K RETURN     all  --  any    any     anywhere             anywhere    
```

----------

## bbgermany

Hi,

As I can see from the output, there were no packets analysed by the forwarding rules. Can you please post the output of "ifconfig -a" and "brctl show"?

greets, bb

----------

## paulusbrand

```
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.178.1  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::4e72:b9ff:fe43:c6ba  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:ba  txqueuelen 1000  (Ethernet)
        RX packets 18815207  bytes 13178462066 (12.2 GiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 17727955  bytes 17824347999 (16.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:e9ff:fecf:4ded  prefixlen 64  scopeid 0x20<link>
        ether 02:42:e9:cf:4d:ed  txqueuelen 0  (Ethernet)
        RX packets 46994  bytes 2571920 (2.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77392  bytes 149452468 (142.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

dummy0: flags=130<BROADCAST,NOARP>  mtu 1500
        ether 52:25:e1:d3:6e:ee  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4e72:b9ff:fe43:c6ba  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:ba  txqueuelen 1000  (Ethernet)
        RX packets 19046458  bytes 13283868190 (12.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22166432  bytes 18195512575 (16.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xfe700000-fe720000  

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4e72:b9ff:fe43:c6bb  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:bb  txqueuelen 1000  (Ethernet)
        RX packets 1738202  bytes 997991289 (951.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28833  bytes 2473432 (2.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xfe500000-fe520000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 70196  bytes 131437292 (125.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70196  bytes 131437292 (125.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5054:ff:feef:5348  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:ef:53:48  txqueuelen 500  (Ethernet)
        RX packets 67197  bytes 105104543 (100.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16812  bytes 1255962 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tunl0: flags=128<NOARP>  mtu 1480
        tunnel   txqueuelen 1000  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethdcb73b3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::b09b:a9ff:fe94:ea0  prefixlen 64  scopeid 0x20<link>
        ether b2:9b:a9:94:0e:a0  txqueuelen 0  (Ethernet)
        RX packets 36592  bytes 2497515 (2.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61966  bytes 120018749 (114.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a2f3:c1ff:fe27:3bcb  prefixlen 64  scopeid 0x20<link>
        ether a0:f3:c1:27:3b:cb  txqueuelen 1000  (Ethernet)
        RX packets 633593  bytes 300227881 (286.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 933307  bytes 1212974010 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.4c72b943c6ba       no              eth0
                                                        wlan0
docker0         8000.0242e9cf4ded       no              vethdcb73b3
```

----------

## bbgermany

Hi,

ok, it looks as expected. I would suggest to change the firewall rule for testing to the following:

```
iptables -I FORWARD 1 -i br0 -j ACCEPT
iptables -I FORWARD 2 -o br0 -j ACCEPT
```

Just try this out and please report back.

greets, bb

----------

## NeddySeagoon

As br0 appears to be forwarding nothing,  hosts on wifi won't have any DHCP set up either ...

but they can ping the bridge, so they have a useful IP address somehow (not link local 169. ...) 

bridges are transparent. There is no concept of forwarding across a bridge.

How do the wifi clients get their IP address and routing information?

Please post route -n and ifconfig from a wifi connected system and tell if the setup is static or dhcp.

----------

## bbgermany

Yeah, bridges are transparent, but the firewall doesn't really know this. I have played a bit with iptables logging rules, to check whether I can get some logs while creating traffic over a bridge. I modified the rules according to this a bit.

```
iptables -A FORWARD -i br0 -m physdev --physdev-in wlan0 -j LOG --log-prefix "WLAN forwarded: "
```

I got a log like this, when pinging the target system:

```
Nov  1 14:16:58 raspi kernel: [547374.255538] Forward: IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 MAC=60:a4:4c:3d:66:79:00:ff:08:16:85:05:08:00:45:00:00:3c:34:31:00:00:80:01:6c:47 SRC=192.168.0.250 DST=192.168.23.254 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=13361 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1104
```

Maybe you can modify this for your needs for allowing traffic through the bridge.

----------

## paulusbrand

Gents,

I know it's weird but after a kernel upgrade and a reboot I can access the internet from all wifi connected devices even without any iptables specific forwarding rules. Below the currently working configuration.

Thanks for the effort!

If I can post anything to clarify let me know.

```
Chain INPUT (policy ACCEPT 100K packets, 68M bytes)
 pkts bytes target     prot opt in     out     source               destination         
89927 5774K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:**

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5845 2473K DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere            
77303  148M DOCKER     all  --  any    docker0  anywhere             anywhere            
77303  148M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
46946 2569K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 95915 packets, 78M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5845 2473K ACCEPT     all  --  any    any     anywhere             anywhere            
    0     0            all  --  any    any     anywhere             anywhere            
    0     0            all  --  any    any     anywhere             anywhere            
4480K 3413M RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
89927 5774K RETURN     all  --  any    any     anywhere             anywhere
```

----------

## Hu

For both the old and new kernel, please post the output of grep -Hn BRIDGE_NETFILTER /path/to/kernel/.config.

----------

## paulusbrand

Unfortunately I cannot access my old .config any more. But when updating a kernel I do something like:

```
eselect new kernel
cd /usr/src/linux
zcat /proc/config.gz > .config
make menuconfig
make && make modules_install
```

I can't remember adding or removing any options the last time. I don't think anything was changed.

Current kernel:

```
paul@server ~ $ grep -Hn BRIDGE_NETFILTER /usr/src/linux/.config
/usr/src/linux/.config:861:CONFIG_BRIDGE_NETFILTER=y
```

----------

## Hu

Your DOCKER-ISOLATION chain appears not to isolate much anymore.  According to your most recent output, it is now extremely permissive (unless, as before, the use of iptables instead of iptables-save is hiding important qualifiers).

----------

## paulusbrand

I don't know, here the output of iptables-save:

```
# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*nat
:PREROUTING ACCEPT [1694185:197740209]
:INPUT ACCEPT [1594000:183898950]
:OUTPUT ACCEPT [578303:41704595]
:POSTROUTING ACCEPT [678029:55516221]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*mangle
:PREROUTING ACCEPT [8493742134:8923655099670]
:INPUT ACCEPT [8477808691:8912262260768]
:FORWARD ACCEPT [16004336:11442317906]
:OUTPUT ACCEPT [7211751259:10274954884128]
:POSTROUTING ACCEPT [7227814205:10286424050410]
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
# Generated by iptables-save v1.4.21 on Sun Nov  5 22:10:59 2017
*filter
:INPUT ACCEPT [346371006:297356148792]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319588332:471215114641]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 32 -j f2b-SSH
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j ACCEPT
-A DOCKER-ISOLATION -i any -o any
-A DOCKER-ISOLATION
-A DOCKER-ISOLATION -j RETURN
-A f2b-SSH -j RETURN
COMMIT
# Completed on Sun Nov  5 22:10:59 2017
```

----------

## Hu

That's much more readable.  Thank you.

As hinted at by the terse output, and explicitly confirmed here, your DOCKER-ISOLATION chain now ACCEPTs all traffic.  Since FORWARD passes all traffic to it, your FORWARD policy of DROP is irrelevant.  Every forwarding decision is ACCEPTed by DOCKER-ISOLATION before more specific rules can act on it.  This is why your networking works again.  You can simplify this by removing all rules from the FORWARD chain and changing its policy to ACCEPT.  You will get the same effect with less work.

----------

