Shortly after, I came back to this. What is a good solution?
firewalld uses nftables by default, and I think it is the future.
docker uses iptables to manage networking.
There are 3 options:
change firewalld backend to iptables
run docker with iptables=false
combine them, but this is too tricky and you have to understand and remember what you are doing
I like option 2) but there is a problem:
I created a docker network; for example, the homeassistant and swag containers are in that network, subnet 172.18.0.0/16. SWAG is configured to proxy homeassistant over a subdomain.
The server's local IP is 192.168.13.13/24.
The IP from which I am accessing homeassistant is not from my local net (not my laptop IP 192.168.13.100) but 172.18.0.2, the SWAG container IP.
The problem is that I am not able to use fail2ban, and not able to allow and deny specific subnets in the homeassistant SWAG proxy config.
Option 1) is working, but I don't like it because in the log I see some warnings reported by firewalld, for example:
WARNING: COMMAND_FAILED: '/usr/bin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
What happened to me was that I blocked a port with firewalld (which was using nftables),
but that port was opened by docker and allowed by iptables, because docker uses iptables.
It is quite confusing and takes time to find out what is going on.
Please, can you run the following commands on Debian?
nft list ruleset
iptables -L -v -n
iptables -t nat -L -v -n
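The overlap the post describes (a port firewalld never opened, yet reachable because Docker published it through its own iptables DNAT rule) can be spotted from the output of exactly those commands. The script below is an added example, not part of the original post or of firewalld/Docker; it parses constructed, abridged sample output of `iptables -t nat -L -v -n`, `firewall-cmd --list-ports` and `nft list ruleset` (not captured from a real host), lists the ports Docker has published via DNAT rules in its DOCKER chain, reports which of them are missing from firewalld's own port list, and shows that firewalld's `inet firewalld` table and the `ip nat` table that iptables-nft creates for Docker sit side by side in one nftables ruleset. The bridge name `br-0a1b2c3d4e5f`, the container addresses and the port numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the ports Docker has
# published (DNAT rules in the DOCKER chain of the iptables nat table) against
# the ports firewalld itself lists as open, and show that both rule sets live
# side by side in the nftables ruleset.
#
# All three inputs are CONSTRUCTED, abridged samples (bridge name, container
# addresses and ports are assumptions) so the script runs offline. On a real
# host, feed in the live output instead, e.g.:
#   docker_only_ports "$(iptables -t nat -L -v -n)" "$(firewall-cmd --list-ports)"

DOCKER_NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 18600 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *      0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-0a1b2c3d4e5f *  0.0.0.0/0        0.0.0.0/0
   42  2520 DNAT       tcp  --  !br-0a1b2c3d4e5f * 0.0.0.0/0        0.0.0.0/0            tcp dpt:443 to:172.18.0.2:443
   17  1020 DNAT       tcp  --  !br-0a1b2c3d4e5f * 0.0.0.0/0        0.0.0.0/0            tcp dpt:80 to:172.18.0.2:80
    3   180 DNAT       tcp  --  !br-0a1b2c3d4e5f * 0.0.0.0/0        0.0.0.0/0            tcp dpt:8123 to:172.18.0.3:8123'

# What "firewall-cmd --list-ports" prints for the active zone (constructed).
FIREWALLD_PORTS_SAMPLE='80/tcp 443/tcp'

# Abridged "nft list ruleset" (constructed): firewalld's inet table next to the
# ip nat table that iptables-nft creates for Docker's rules.
NFT_SAMPLE='table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
    }
}
table ip nat {
    chain DOCKER {
        iifname != "br-0a1b2c3d4e5f" tcp dport 443 counter packets 42 bytes 2520 dnat to 172.18.0.2:443
    }
}'

# nft_tables RULESET: print "family name" for every table in the ruleset.
nft_tables() {
    printf '%s\n' "$1" | awk '$1 == "table" { print $2, $3 }'
}

# docker_published_ports NAT_OUTPUT: print "port/proto" for every DNAT rule in
# the DOCKER chain, one per line, sorted numerically, duplicates removed.
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        /^Chain /                 { in_docker = ($2 == "DOCKER") }
        in_docker && $3 == "DNAT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) {
                    split($i, a, ":")
                    key = a[2] "/" $4        # $4 is the "prot" column
                    if (!seen[key]++) print key
                }
        }' | sort -t/ -k1,1n
}

# docker_only_ports NAT_OUTPUT FIREWALLD_PORTS: ports Docker publishes that do
# not appear in firewalld's own port list. They are reachable through Docker's
# DNAT rule even though firewall-cmd never shows them as open.
docker_only_ports() {
    fw_list=$(printf '%s\n' "$2" | tr ' ' '\n')
    docker_published_ports "$1" | while read -r p; do
        printf '%s\n' "$fw_list" | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

echo "tables in nft ruleset:";          nft_tables "$NFT_SAMPLE"
echo "ports published by Docker:";      docker_published_ports "$DOCKER_NAT_SAMPLE"
echo "published but not in firewalld:"; docker_only_ports "$DOCKER_NAT_SAMPLE" "$FIREWALLD_PORTS_SAMPLE"
```

With the sample data the last function prints `8123/tcp`: Docker forwards that port to the container, but `firewall-cmd --list-ports` says nothing about it, which is the kind of mismatch the post took time to track down. The `nft_tables` output makes the split visible: firewalld's rules are under `inet firewalld`, Docker's under `ip nat` (and `ip filter`), so looking at only one of the two tools' views misses half the ruleset.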