Firewalld on server with docker and swag : iptables or nftables

shortly, I did came back to this, what is good solution?

firewalld is using nftables as default and I think it is future.
docker is using iptables to manage networking.

there are 3 options:

  1. change firewalld backend to iptables
  2. run docker with iptables=false
  3. combine, but this to tricky and you have to understand and remeber what you are doing

I like option 2) but there is a problem:

I did create docker network and for example homeassistant and swag containers are in that network, subnet is 172.18.0/16. SWAG is configured to proxy homeassitant over subdomain.

server local ip is
IP from which I am accessing homeassistant is not from my local net (not my laptop ip but - SWAG container ip.

problem is that I am not able to use fail2ban, not able to allow and denny specific subnets in homeassistant swag proxy config.

option 1) is working but I dont like it becase in log I see some warining reported by firewalld about

for example:

WARNING: COMMAND_FAILED: '/usr/bin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).

is there some solution for option 1 ?

I would suggest researching firewalld and docker, it’s not something we will help with here. Our recommendation is to use Debian or deriv.

I think it is not related with debian.

yes, I did search and read a lot, this article is good one, and my problem is mentioned in comments but there without solution. so I did try ask here.

maybe there solution is to use option 3) but I dont like it

You are very unlikely to get help here, again, we (and most of our user base) test on and use debian deriv which does not use firewalld.


just searching what is default firewall program in debian and find this page

lets say that default firewall program is ufw, question is how it is configured? using nftables or iptables in background?

nftables is the default in debian. docker will handle the creation of the nat rules for any containers you create.

what happen to me was that I did block port with firewalld ( which was using nftables )
that port was open by docker and allow by iptables because docker use iptables.

it is quite confusing and take time to find out what is going on.

please, can you run following commands on debian?

nft list ruleset
iptables -L -v -n
iptables -t nat -L -v -n