I run a Debian 10 system with no iptables, and some multi-container services via docker-compose. Dumping some notes here as it can be a real pain.


Install the userspace tools (the kernel modules are already baked in).

apt-get install nftables

To blacklist the iptables module, create /etc/modprobe.d/noiptables.conf with the following:

install ip_tables /bin/false
install ip6_tables /bin/false

Start and enable the service:

systemctl enable nftables.service
systemctl start nftables.service

Docker config

In /etc/docker/daemon.json:

  "iptables": false

Previously the flag –iptables=false was used as a systemd override, but this is no longer the case.

In /etc/systemd/system/docker.service.d/override.conf:

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --fixed-cidr=

This sets a static range for the docker network. If you haven’t used systemd overrides before, the blank ExecStart= is needed to clear the value before applying a new one.

Then we restart docker:

systemctl daemon-reload
systemctl restart docker

fuck you docker…. (docker-ce will always install iptables userspace tools as a dependency)

# apt-get remove iptables
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  aufs-dkms aufs-tools cgroupfs-mount dkms libltdl7 linux-headers-amd64
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  docker-ce iptables
0 upgraded, 0 newly installed, 2 to remove and 5 not upgraded.
After this operation, 112 MB disk space will be freed.
Do you want to continue? [Y/n] n

and so

ln -s /sbin/iptables-nft /local/sbin/iptables

nftables rules

A fairly simple config that works for me so far.


#!/usr/sbin/nft -f

#whitelist IPs
define home = xxx.xxx.xxx.xxx
define work = xxx.xxx.xxx.xxx
#internal IPs
define docker_ipv4 =

flush ruleset

table inet filter {
  set whitelist_ips {
    type ipv4_addr
    flags constant, interval
    elements = { $home, $work }
  chain base_checks {
    ct state {established, related} accept
    ct state invalid drop
  chain input {
    type filter hook input priority 0; policy drop;
    jump base_checks
    iifname lo accept
    ip saddr $docker_ipv4 accept
    ip saddr != @whitelist_ips drop
    ip protocol icmp accept
    tcp dport ssh accept
    tcp dport https accept
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state {established,related} accept
    ip saddr $docker_ipv4 oif eth0 accept
    ip saddr $docker_ipv4 oifname "br-*" accept
  chain output {
    type filter hook output priority 0; policy accept;
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr $docker_ipv4 oif eth0 masquerade

This allows forwarding between docker interfaces and to eth0, NAT to the container network, and a filtered input.

Load up the new rules with systemctl reload nftables


nftables service logs can be viewed from journalctl --unit=nftables.service

Logging of rules can be set up such as:

ip saddr <someaddress> log prefix "Some Prefix: " accept

Reference Material

nftables wiki