Created
August 22, 2025 00:35
nftables example for matomo
# IPv4 NAT table: publishes 172.30.0.3:80 (presumably the Matomo container,
# going by the gist title) on the host-local address 127.0.0.2:8080 and
# masquerades outbound traffic from both container subnets.
table ip nat {
	chain DOCKER {
		# Packets that arrive on the docker0 / br-matomo interfaces themselves
		# are never DNATed.
		iifname "docker0" counter return
		iifname "br-matomo" counter return
		# Published port: 127.0.0.2:8080 -> 172.30.0.3:80, only for packets
		# that did not enter via br-matomo.
		ip daddr 127.0.0.2 iifname != "br-matomo" tcp dport 8080 counter dnat to 172.30.0.3:80
	}
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		# Only packets addressed to a local address of this host are DNAT candidates.
		fib daddr type local counter jump DOCKER
	}
	chain OUTPUT {
		type nat hook output priority dstnat; policy accept;
		# Locally generated packets to a local address, except loopback, go
		# through DOCKER. NOTE(review): 127.0.0.2 lies inside 127.0.0.0/8, so
		# host-originated connections to 127.0.0.2:8080 are NOT DNATed here;
		# confirm something else (e.g. a userland proxy) serves them on the host.
		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# Source-NAT each container subnet when it leaves via any interface
		# other than its own bridge.
		ip saddr 172.17.0.0/16 oifname != "docker0" counter masquerade
		ip saddr 172.30.0.0/16 oifname != "br-matomo" counter masquerade
	}
}
# IPv4 filter table: Docker-style forwarding chains for the docker0 and
# br-matomo interfaces. Only tcp/80 to 172.30.0.3 may enter br-matomo from
# another interface; nothing from another interface may enter docker0.
table ip filter {
	chain DOCKER {
		# Published service: new traffic to 172.30.0.3:80 (the DNAT target in the
		# nat table) is accepted when it did not originate on br-matomo itself.
		ip daddr 172.30.0.3 iifname != "br-matomo" oifname "br-matomo" tcp dport 80 counter accept
		# Everything else entering either bridge from a different interface is
		# dropped (established replies were already accepted in DOCKER-CT).
		iifname != "br-matomo" oifname "br-matomo" counter drop
		iifname != "docker0" oifname "docker0" counter drop
	}
	chain DOCKER-FORWARD {
		# Order matters: conntrack first, then bridge isolation, then the
		# per-bridge DOCKER policy; finally anything originating on a bridge
		# is accepted.
		counter jump DOCKER-CT
		counter jump DOCKER-ISOLATION-STAGE-1
		counter jump DOCKER-BRIDGE
		iifname "br-matomo" counter accept
		iifname "docker0" counter accept
	}
	chain DOCKER-BRIDGE {
		# Dispatch by egress interface into the shared DOCKER chain.
		oifname "br-matomo" counter jump DOCKER
		oifname "docker0" counter jump DOCKER
	}
	chain DOCKER-CT {
		# Replies and related packets heading into a bridge are accepted early.
		oifname "br-matomo" ct state related,established counter accept
		oifname "docker0" ct state related,established counter accept
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		# Traffic leaving one bridge towards a different interface is checked
		# in stage 2.
		iifname "br-matomo" oifname != "br-matomo" counter jump DOCKER-ISOLATION-STAGE-2
		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
	}
	chain DOCKER-ISOLATION-STAGE-2 {
		# ...and dropped if that interface is the other bridge, so the two
		# container networks cannot reach each other through the host.
		oifname "docker0" counter drop
		oifname "br-matomo" counter drop
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		# DOCKER-USER is evaluated before the generated policy in DOCKER-FORWARD.
		# NOTE(review): the hook policy is accept, so forwarded traffic that no
		# chain above decides on is allowed; confirm that is intended on this host.
		counter jump DOCKER-USER
		counter jump DOCKER-FORWARD
	}
	chain DOCKER-USER {
		# Empty in this example; presumably the place for site-specific rules.
	}
}
# IPv4 raw table: priority raw runs before conntrack and NAT, so these drops
# match the packet's original (pre-DNAT) destination address.
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		# Block direct access to the two container addresses from any interface
		# other than br-matomo. NOTE(review): only these two hosts are covered;
		# confirm no other addresses in 172.30.0.0/16 need the same treatment.
		ip daddr 172.30.0.2 iifname != "br-matomo" counter drop
		ip daddr 172.30.0.3 iifname != "br-matomo" counter drop
		# The published address 127.0.0.2:8080 is only reachable via loopback;
		# packets for it arriving on any other interface are dropped before the
		# nat table's DNAT rule could apply.
		ip daddr 127.0.0.2 iifname != "lo" tcp dport 8080 counter drop
	}
}