Maintaining iptables rule
Hello,
I set up pi-hole in Docker on my Firewall Gold+ following the guide from Firewalla. The issue that I had was that all the traffic from my internal network was showing up as one IP address due to iptables nat in the FR_SNAT table:
Chain FR_SNAT (1 references)
target prot opt source destination
MASQUERADE all -- 192.168.195.0/24 anywhere
MASQUERADE all -- 10.189.66.0/24 anywhere
192.168.195.0/24 is my internal network. So, I added a rule to not nat traffic from my internal network to the Docker network with:
sudo iptables -t nat -I FR_SNAT 1 -j ACCEPT -s 192.168.195.0/24 -d 172.16.0.0/24
Now my FR_SNAT looks like:
Chain FR_SNAT (1 references)
target prot opt source destination
ACCEPT all -- 192.168.195.0/24 172.16.0.0/24
MASQUERADE all -- 192.168.195.0/24 anywhere
MASQUERADE all -- 10.189.66.0/24 anywhere
And all my traffic from my internal network to the Docker network shows up with the internal network address of the device.
My question is, how do I make this permanent? I have not seen anything in the community where this has been successful.
Thoughts?
Sean
-
You have to script it; the script is called from the main.d folder. See the FW article HERE. Just check that the rule doesn't exist; otherwise you'll have multiple entries in the table. (**had 30 in mine once ... oops)
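As an added example (not code from this thread or from Firewalla), here is a script that makes Sean's FR_SNAT exemption idempotent: it checks with `iptables -C` before inserting, so re-running it from a startup hook like the main.d folder the reply mentions never stacks duplicate entries. The `IPTABLES`, `INTERNAL_NET` and `DOCKER_NET` variables and the `apply` argument are assumptions of this example; the exact file location inside Firewalla's config is not given in the thread.

```shell
#!/bin/sh
# Added example: idempotent insertion of the FR_SNAT exemption rule from the
# post. Assumed: IPTABLES can be overridden (useful for testing), and the
# networks default to the values Sean quoted.
set -eu

IPTABLES="${IPTABLES:-iptables}"
INTERNAL_NET="${INTERNAL_NET:-192.168.195.0/24}"
DOCKER_NET="${DOCKER_NET:-172.16.0.0/24}"

# Return 0 when the ACCEPT rule is already in the nat table's FR_SNAT chain.
# iptables -C checks for an exact match and exits non-zero if it is absent.
rule_exists() {
    "$IPTABLES" -t nat -C FR_SNAT -s "$INTERNAL_NET" -d "$DOCKER_NET" \
        -j ACCEPT 2>/dev/null
}

# Insert the rule at position 1 only when it is absent. Prints "inserted" or
# "present" so a caller (or a test) can see what happened.
ensure_rule() {
    if rule_exists; then
        echo present
    else
        "$IPTABLES" -t nat -I FR_SNAT 1 -s "$INTERNAL_NET" -d "$DOCKER_NET" \
            -j ACCEPT
        echo inserted
    fi
}

# Only touch the live table when invoked as: sh ensure-fr-snat.sh apply
# (hypothetical file name). Sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    ensure_rule
fi
```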