WiFi Hotspot/AP - Devices can connect, but no internet connection

If I create a WiFi hotspot, my phone or laptop can connect to it without a problem, but no internet access will be available. I am using GNOME and enabling the hotspot within the Wi-Fi settings.

I have Docker installed. I’ve read in some other posts that this might be a factor in this issue, however, I have not been able to discern if that is actually the case.

AP works when booting from a live USB. I’m just very confused about why this is happening and trying to work out what the cause is and how to resolve it. I’d be thankful if anyone has any ideas about this issue…
If it helps, here are also the iptables and netstat outputs. I’m happy to provide any other relevant outputs, of course!

iptables -n -v -L -x

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 426 packets, 25560 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     337    20220 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     337    20220 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
     337    20220 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     477    36097 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0     

And here is the output of netstat -i

Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0          1500        0      0      0 0             0      0      0      0 BMU
eno1             1500        0      0      0 0             0      0      0      0 BMU
enp14s0f4u2u1u3  1500   221191      0      0 0         92657      0      0      0 BMRU
lo              65536     4447      0      0 0          4447      0      0      0 LRU
wlp11s0          1500      559      0      0 0           271      0      0      0 BMU

I think it might be connected to Docker and the associated iptables rules after all.
If I connect to the hotspot from my mobile device and try to access some site, the number of dropped packets in the FORWARD chain will increase:

Chain FORWARD (policy DROP 104 packets, 12362 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     104    12362 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     104    12362 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Disabling the docker service and socket (and reloading the network manager and/or triggering daemon-reload) doesn’t mitigate this issue. And I would want docker to be available anyway.

However, I am not familiar at all with iptables. Is there a way to mitigate this issue?

I’ve tried running the iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT command that can be found on Docker’s subpage for packet filtering and firewalls, under the “Docker on a router” heading. But this does not seem to have an effect.

Running the iptables -I DOCKER-USER -j ACCEPT command seems to work (reference).

Does this kind of change have any major security implications? If I understand correctly, the effects of this command are not persistent. How can I make this change permanent? I didn’t see any iptables file in /etc/sysconfig. I saw a nftables.config file, but I’m not sure if that is the same. Or is this something that should be done via firewalld instead (I’m not familiar with it either)?

I’m not familiar with Docker (I use Podman or systemd-nspawn for all my container needs). But both firewalld and iptables use nftables “underneath” since Fedora Linux 32 (Changes/iptables-nft-default - Fedora Project Wiki). The first command I would try to see what is really happening with the packet forwarding etc. is nft list ruleset.

The result of the command is appended below. I don’t really understand all of the rulesets that are going on here. If I set up the DOCKER-USER (ipv4 and ipv6) in firewalld and set the rules for -j ACCEPT, then the hotspot works as intended. However, I’m not sure whether that solution is “too broad” or not.

table inet firewalld {
	ct helper helper-netbios-ns-udp {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES
	}

	chain mangle_PREROUTING_POLICIES {
		iifname "enp14s0f4u2u1u3" jump mangle_PRE_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump mangle_PRE_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "docker0" jump mangle_PRE_docker
		iifname "docker0" return
		jump mangle_PRE_policy_allow-host-ipv6
		jump mangle_PRE_FedoraWorkstation
		return
	}

	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES
	}

	chain nat_PREROUTING_POLICIES {
		iifname "enp14s0f4u2u1u3" jump nat_PRE_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump nat_PRE_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
		iifname "docker0" jump nat_PRE_docker
		iifname "docker0" return
		jump nat_PRE_policy_allow-host-ipv6
		jump nat_PRE_FedoraWorkstation
		return
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES
	}

	chain nat_POSTROUTING_POLICIES {
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" return
		iifname "docker0" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "docker0" oifname "enp14s0f4u2u1u3" return
		oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		iifname "enp14s0f4u2u1u3" oifname "docker0" jump nat_POST_docker
		iifname "enp14s0f4u2u1u3" oifname "docker0" return
		iifname "docker0" oifname "docker0" jump nat_POST_docker
		iifname "docker0" oifname "docker0" return
		oifname "docker0" jump nat_POST_docker
		oifname "docker0" return
		iifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump nat_POST_FedoraWorkstation
		iifname "docker0" return
		jump nat_POST_FedoraWorkstation
		return
	}

	chain nat_OUTPUT {
		type nat hook output priority -90; policy accept;
		jump nat_OUTPUT_POLICIES
	}

	chain nat_OUTPUT_POLICIES {
		oifname "enp14s0f4u2u1u3" jump nat_OUT_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		oifname "docker0" jump nat_OUT_docker
		oifname "docker0" return
		jump nat_OUT_FedoraWorkstation
		return
	}

	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES
	}

	chain filter_INPUT_POLICIES {
		iifname "enp14s0f4u2u1u3" jump filter_IN_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump filter_IN_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "docker0" jump filter_IN_policy_allow-host-ipv6
		iifname "docker0" jump filter_IN_docker
		iifname "docker0" accept
		jump filter_IN_policy_allow-host-ipv6
		jump filter_IN_FedoraWorkstation
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD_POLICIES {
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" oifname "docker0" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "docker0" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "docker0" oifname "enp14s0f4u2u1u3" jump filter_FWD_docker
		iifname "docker0" oifname "enp14s0f4u2u1u3" accept
		iifname "docker0" oifname "docker0" jump filter_FWD_docker
		iifname "docker0" oifname "docker0" accept
		iifname "docker0" jump filter_FWD_docker
		iifname "docker0" accept
		oifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		oifname "docker0" jump filter_FWD_FedoraWorkstation
		oifname "docker0" reject with icmpx admin-prohibited
		jump filter_FWD_FedoraWorkstation
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT_POLICIES {
		oifname "enp14s0f4u2u1u3" jump filter_OUT_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		oifname "docker0" jump filter_OUT_docker
		oifname "docker0" return
		jump filter_OUT_FedoraWorkstation
		return
	}

	chain filter_IN_FedoraWorkstation {
		jump filter_IN_FedoraWorkstation_pre
		jump filter_IN_FedoraWorkstation_log
		jump filter_IN_FedoraWorkstation_deny
		jump filter_IN_FedoraWorkstation_allow
		jump filter_IN_FedoraWorkstation_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_FedoraWorkstation_pre {
	}

	chain filter_IN_FedoraWorkstation_log {
	}

	chain filter_IN_FedoraWorkstation_deny {
	}

	chain filter_IN_FedoraWorkstation_allow {
		ip6 daddr fe80::/64 udp dport 546 accept
		tcp dport 22 accept
		udp dport 137 ct helper set "helper-netbios-ns-udp"
		udp dport 137 accept
		udp dport 138 accept
		ip daddr 224.0.0.251 udp dport 5353 accept
		ip6 daddr ff02::fb udp dport 5353 accept
		udp dport 1025-65535 accept
		tcp dport 1025-65535 accept
	}

	chain filter_IN_FedoraWorkstation_post {
	}

	chain filter_OUT_FedoraWorkstation {
		jump filter_OUT_FedoraWorkstation_pre
		jump filter_OUT_FedoraWorkstation_log
		jump filter_OUT_FedoraWorkstation_deny
		jump filter_OUT_FedoraWorkstation_allow
		jump filter_OUT_FedoraWorkstation_post
	}

	chain filter_OUT_FedoraWorkstation_pre {
	}

	chain filter_OUT_FedoraWorkstation_log {
	}

	chain filter_OUT_FedoraWorkstation_deny {
	}

	chain filter_OUT_FedoraWorkstation_allow {
	}

	chain filter_OUT_FedoraWorkstation_post {
	}

	chain nat_OUT_FedoraWorkstation {
		jump nat_OUT_FedoraWorkstation_pre
		jump nat_OUT_FedoraWorkstation_log
		jump nat_OUT_FedoraWorkstation_deny
		jump nat_OUT_FedoraWorkstation_allow
		jump nat_OUT_FedoraWorkstation_post
	}

	chain nat_OUT_FedoraWorkstation_pre {
	}

	chain nat_OUT_FedoraWorkstation_log {
	}

	chain nat_OUT_FedoraWorkstation_deny {
	}

	chain nat_OUT_FedoraWorkstation_allow {
	}

	chain nat_OUT_FedoraWorkstation_post {
	}

	chain nat_POST_FedoraWorkstation {
		jump nat_POST_FedoraWorkstation_pre
		jump nat_POST_FedoraWorkstation_log
		jump nat_POST_FedoraWorkstation_deny
		jump nat_POST_FedoraWorkstation_allow
		jump nat_POST_FedoraWorkstation_post
	}

	chain nat_POST_FedoraWorkstation_pre {
	}

	chain nat_POST_FedoraWorkstation_log {
	}

	chain nat_POST_FedoraWorkstation_deny {
	}

	chain nat_POST_FedoraWorkstation_allow {
	}

	chain nat_POST_FedoraWorkstation_post {
	}

	chain filter_FWD_FedoraWorkstation {
		jump filter_FWD_FedoraWorkstation_pre
		jump filter_FWD_FedoraWorkstation_log
		jump filter_FWD_FedoraWorkstation_deny
		jump filter_FWD_FedoraWorkstation_allow
		jump filter_FWD_FedoraWorkstation_post
	}

	chain filter_FWD_FedoraWorkstation_pre {
	}

	chain filter_FWD_FedoraWorkstation_log {
	}

	chain filter_FWD_FedoraWorkstation_deny {
	}

	chain filter_FWD_FedoraWorkstation_allow {
		oifname "enp14s0f4u2u1u3" accept
	}

	chain filter_FWD_FedoraWorkstation_post {
	}

	chain nat_PRE_FedoraWorkstation {
		jump nat_PRE_FedoraWorkstation_pre
		jump nat_PRE_FedoraWorkstation_log
		jump nat_PRE_FedoraWorkstation_deny
		jump nat_PRE_FedoraWorkstation_allow
		jump nat_PRE_FedoraWorkstation_post
	}

	chain nat_PRE_FedoraWorkstation_pre {
	}

	chain nat_PRE_FedoraWorkstation_log {
	}

	chain nat_PRE_FedoraWorkstation_deny {
	}

	chain nat_PRE_FedoraWorkstation_allow {
	}

	chain nat_PRE_FedoraWorkstation_post {
	}

	chain mangle_PRE_FedoraWorkstation {
		jump mangle_PRE_FedoraWorkstation_pre
		jump mangle_PRE_FedoraWorkstation_log
		jump mangle_PRE_FedoraWorkstation_deny
		jump mangle_PRE_FedoraWorkstation_allow
		jump mangle_PRE_FedoraWorkstation_post
	}

	chain mangle_PRE_FedoraWorkstation_pre {
	}

	chain mangle_PRE_FedoraWorkstation_log {
	}

	chain mangle_PRE_FedoraWorkstation_deny {
	}

	chain mangle_PRE_FedoraWorkstation_allow {
	}

	chain mangle_PRE_FedoraWorkstation_post {
	}

	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}

	chain filter_IN_docker {
		jump filter_IN_docker_pre
		jump filter_IN_docker_log
		jump filter_IN_docker_deny
		jump filter_IN_docker_allow
		jump filter_IN_docker_post
	}

	chain filter_IN_docker_pre {
	}

	chain filter_IN_docker_log {
	}

	chain filter_IN_docker_deny {
	}

	chain filter_IN_docker_allow {
	}

	chain filter_IN_docker_post {
	}

	chain filter_OUT_docker {
		jump filter_OUT_docker_pre
		jump filter_OUT_docker_log
		jump filter_OUT_docker_deny
		jump filter_OUT_docker_allow
		jump filter_OUT_docker_post
	}

	chain filter_OUT_docker_pre {
	}

	chain filter_OUT_docker_log {
	}

	chain filter_OUT_docker_deny {
	}

	chain filter_OUT_docker_allow {
	}

	chain filter_OUT_docker_post {
	}

	chain nat_OUT_docker {
		jump nat_OUT_docker_pre
		jump nat_OUT_docker_log
		jump nat_OUT_docker_deny
		jump nat_OUT_docker_allow
		jump nat_OUT_docker_post
	}

	chain nat_OUT_docker_pre {
	}

	chain nat_OUT_docker_log {
	}

	chain nat_OUT_docker_deny {
	}

	chain nat_OUT_docker_allow {
	}

	chain nat_OUT_docker_post {
	}

	chain nat_POST_docker {
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
	}

	chain nat_POST_docker_pre {
	}

	chain nat_POST_docker_log {
	}

	chain nat_POST_docker_deny {
	}

	chain nat_POST_docker_allow {
	}

	chain nat_POST_docker_post {
	}

	chain filter_FWD_docker {
		jump filter_FWD_docker_pre
		jump filter_FWD_docker_log
		jump filter_FWD_docker_deny
		jump filter_FWD_docker_allow
		jump filter_FWD_docker_post
	}

	chain filter_FWD_docker_pre {
	}

	chain filter_FWD_docker_log {
	}

	chain filter_FWD_docker_deny {
	}

	chain filter_FWD_docker_allow {
		oifname "docker0" accept
	}

	chain filter_FWD_docker_post {
	}

	chain nat_PRE_docker {
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
	}

	chain nat_PRE_docker_pre {
	}

	chain nat_PRE_docker_log {
	}

	chain nat_PRE_docker_deny {
	}

	chain nat_PRE_docker_allow {
	}

	chain nat_PRE_docker_post {
	}

	chain mangle_PRE_docker {
		jump mangle_PRE_docker_pre
		jump mangle_PRE_docker_log
		jump mangle_PRE_docker_deny
		jump mangle_PRE_docker_allow
		jump mangle_PRE_docker_post
	}

	chain mangle_PRE_docker_pre {
	}

	chain mangle_PRE_docker_log {
	}

	chain mangle_PRE_docker_deny {
	}

	chain mangle_PRE_docker_allow {
	}

	chain mangle_PRE_docker_post {
	}
}
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}
}
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 0 bytes 0 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump DOCKER-USER
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		counter packets 0 bytes 0 return
	}
}

According to the nftables listing you provided, the DOCKER-USER chain is called early in the main FORWARD chain. By adding -j ACCEPT there, without any conditions, you’ve allowed all packets to be forwarded between all the networks your laptop is connected to (both internal networks [any docker container can now connect to ports/services on any other docker container] and external networks [e.g., another device on your local wired network <eno1> that can see your laptop but which does not have direct access to your Wi-Fi hotspot can now use your laptop as a “gateway” and connect out to the world-wide-web via your laptop by adding a routing rule such as ip route add default via 192.168.0.1 {assuming your laptop’s address was 192.168.0.1}] ). It’s definitely not ideal. But if you are behind NAT and trust all the other devices on your local network, it might not be the end of the world.
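A way to check for exactly the over-broad rule described above, as an added example that is not part of this thread: a small POSIX shell audit that reads a DOCKER-USER chain in the `iptables -n -v -L -x` layout shown earlier in the thread and flags any ACCEPT that matches every interface and every address. A second function checks whether a specific interface pair is allowed to forward. The two chain dumps inside it are constructed for the demonstration, not the poster’s real output; the interface names wlp11s0 and eno1 are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a DOCKER-USER chain dump in the
# `iptables -n -v -L DOCKER-USER -x` layout:
#   pkts bytes target prot opt in out source destination [matches...]
# An ACCEPT with in=* out=* 0.0.0.0/0 -> 0.0.0.0/0 and no extra match is what
# `iptables -I DOCKER-USER -j ACCEPT` creates: every interface pair may forward.

# Read a chain dump on stdin. Print each unconditional ACCEPT it contains.
# Exit 0 when the chain is clean, 1 when at least one broad ACCEPT exists.
audit_docker_user() {
    awk '
        $1 == "Chain" || $1 == "pkts" || NF == 0 { next }   # skip headers/blank lines
        $3 == "ACCEPT" && ($4 == "0" || $4 == "all") &&
        $6 == "*" && $7 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 {
            print "BROAD: " $0
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Read a chain dump on stdin. Exit 0 if some ACCEPT rule forwards from
# interface $1 to interface $2, 1 otherwise.
forward_pair_allowed() {
    awk -v src="$1" -v dst="$2" '
        $3 == "ACCEPT" && $6 == src && $7 == dst { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# Constructed sample dumps (not real output from the poster's machine).
BROAD_DUMP='Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     9000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0
     477    36097 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0'

SCOPED_DUMP='Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      88     6100 ACCEPT     0    --  wlp11s0 eno1    0.0.0.0/0            0.0.0.0/0
      70     5200 ACCEPT     0    --  eno1   wlp11s0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     477    36097 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Demonstration on the constructed dumps.
printf '%s\n' "$BROAD_DUMP" | audit_docker_user ||
    echo "-> unconditional ACCEPT: any device on any interface can route through this host"
printf '%s\n' "$SCOPED_DUMP" | audit_docker_user &&
    echo "-> scoped chain: forwarding limited to the listed interface pairs"
```

On a live system the same functions can be fed real data with `iptables -n -v -L DOCKER-USER -x | audit_docker_user`.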

Okay, that doesn’t sound good :slight_smile:

In what way would I be able to restore the original functionality of the WiFi Hotspot that I had before installing Docker without creating serious security risks?

The suggested iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT rule from the Docker website didn’t seem to work …

Like I said, I don’t use Docker, so I don’t know. Also, I don’t know why adding your hotspot would necessitate forwarding packets. I might be able to answer the question if you shared your routing table while the hotspot was connected (i.e., ip route show). But if your computer has a public-facing IP address or something like that, you might not want to share that info. :slightly_smiling_face:

Check the output:

sudo firewall-cmd --get-active-zones; nmcli connection show

Also specify your upstream and downstream interfaces.

1 Like

The interfaces list

FedoraWorkstation (default)
  interfaces: enp14s0f4u2u1u3
docker
  interfaces: docker0
nm-shared
  interfaces: wlp11s0

The nmcli connection list shows the hotspot with its UUID and a type of wi-fi. Its device is listed as “No Device”.

The nm-shared has a Rich rule set in the firewalld with all 32767 reject.

My ip route shows IP addresses related to the wlp11s0 device, firstly an IP with a range of addresses, then an exact id after the src keyword.

The ruleset you posted above has no rules for the wireless interface, which makes it look like your wireless connection is down.

By the way, I have tested your scenario and it works fine for me, so it seems that you are doing something wrong or missing some important details.

Well, the first column in the output from that ip route show command is to match the destination address. Among the networks listed in that first column is typically (but not necessarily) the keyword “default” which matches all addresses not otherwise matched by one of the other lines. If that default route isn’t connected to a gateway/router that has access to the internet, then your network packets cannot get out to the world wide web without first going through a “forwarding” rule that allows the packets to pass between the networks. One way (but not necessarily the right or easiest way) you might be able to work around the problem would be to change that “default” routing rule so that packets would try to go through your hotspot directly instead of being forwarded between your configured networks.

It was a fresh Fedora install and then I installed Docker per the instructions. I haven’t touched any of the rulesets at all. I’ve also got VS Code and Steam installed, along with the Input Remapper to map some of my mouse keys. But that’s about it. It’s all just a bit confusing :confused:

WiFi works fine on its own, I can connect to networks normally, though I normally don’t use it since I connect via an Ethernet port.

Have you configured the AP on Fedora with NetworkManager connection sharing?
When you turn on the Wi-Fi hotspot, NetworkManager automatically creates the necessary rules.

I just went into the GNOME settings and enabled the Wi-Fi hotspot.

I also probably misread the Docker instruction about the custom iptables rule
iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT – I’ve just pasted it (sorry, I’m not too knowledgeable on networking) - but I’ve realized that the src_if and dst_if are probably placeholders for the source and destination interfaces?

If that’s the case, would the source interface be my wired interface (enp…) and the destination my wlp11s0 interface?

That sounds right to me (assuming your “default” route is on your wired interface).

But be aware that that rule would still allow any devices that can connect to your laptop via the wired connection to (potentially) forward packets through your laptop. (But it would not allow your docker containers to connect to one another).
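For the scoped rule discussed in the last few posts, here is an added example (not from the thread and not from Docker’s documentation) that spells out the two DOCKER-USER rules a hotspot needs and the firewalld direct-rule form that persists them across reboots, which answers the earlier persistence question. It assumes wlp11s0 is the hotspot interface and eno1 the wired upstream, as in the thread. Client requests arrive on the hotspot interface and leave on the wired one, and only replies travel the other way, so the example limits the reverse direction to RELATED,ESTABLISHED traffic. That reply-direction rule is included because Docker’s FORWARD chain in the dumps above only accepts established traffic toward docker0, so reply packets heading back to the hotspot would otherwise fall through to the chain’s DROP policy.

```shell
#!/bin/sh
# Added example, not the thread's or Docker's own code. Builds least-privilege
# DOCKER-USER rules for sharing the wired link with hotspot clients.
# Interface names are assumptions taken from the thread:
#   downstream (hotspot) = wlp11s0, upstream (wired) = eno1.

# Print the iptables commands for a scoped hotspot forwarding path.
# $1 = downstream (hotspot) interface, $2 = upstream interface.
scoped_docker_user_rules() {
    down=$1
    up=$2
    # Too broad, shown for contrast only: this is the unconditional form
    #   iptables -I DOCKER-USER -j ACCEPT
    # which lets every interface pair forward, so any peer on the wired LAN
    # could use this host as its gateway.
    #
    # Scoped: new connections only from the hotspot toward the upstream...
    echo "iptables -I DOCKER-USER -i $down -o $up -j ACCEPT"
    # ...and only reply traffic for those connections back toward the hotspot.
    echo "iptables -I DOCKER-USER -i $up -o $down -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# The same two rules through firewalld's direct interface, so they are written
# to firewalld's permanent configuration instead of vanishing at reboot.
# Priority 0 places them at the top of DOCKER-USER, ahead of its RETURN.
persistent_docker_user_rules() {
    down=$1
    up=$2
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i $down -o $up -j ACCEPT"
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i $up -o $down -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "firewall-cmd --reload"
}

# Apply only when explicitly asked and running as root; otherwise just print
# both rule sets so they can be reviewed first.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    scoped_docker_user_rules wlp11s0 eno1 | sh
    persistent_docker_user_rules wlp11s0 eno1 | sh
else
    echo "# runtime rules (lost at reboot):"
    scoped_docker_user_rules wlp11s0 eno1
    echo "# persistent rules via firewalld:"
    persistent_docker_user_rules wlp11s0 eno1
fi
```

Run it without arguments to review the commands, then `sudo sh script.sh --apply` to install them; afterwards `iptables -n -v -L DOCKER-USER -x` should show the two interface-specific ACCEPT lines above the RETURN and no ACCEPT with `*` in both the in and out columns.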

Your ruleset is totally missing the rules for the wireless interface.
NetworkManager creates an additional 50+ rules in my case.
Make sure to turn on the hotspot and then check it again.
If the issue persists, it might be some sort of bug.

Well, it was worth a try, but it doesn’t work :smile:
I’ve put in the original ethernet connection (supplied via USB). Also plugged in my ethernet cable directly to my PC and tried on that interface but it doesn’t work.

You are right. After creating the hotspot, the rules are updated. Sorry about that.

table inet firewalld {
	ct helper helper-netbios-ns-udp {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES
	}

	chain mangle_PREROUTING_POLICIES {
		iifname "eno1" jump mangle_PRE_policy_allow-host-ipv6
		iifname "eno1" jump mangle_PRE_FedoraWorkstation
		iifname "eno1" return
		iifname "enp14s0f4u2u1u3" jump mangle_PRE_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump mangle_PRE_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "docker0" jump mangle_PRE_docker
		iifname "docker0" return
		iifname "wlp11s0" jump mangle_PRE_policy_allow-host-ipv6
		iifname "wlp11s0" jump mangle_PRE_nm-shared
		iifname "wlp11s0" return
		jump mangle_PRE_policy_allow-host-ipv6
		jump mangle_PRE_FedoraWorkstation
		return
	}

	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES
	}

	chain nat_PREROUTING_POLICIES {
		iifname "eno1" jump nat_PRE_policy_allow-host-ipv6
		iifname "eno1" jump nat_PRE_FedoraWorkstation
		iifname "eno1" return
		iifname "enp14s0f4u2u1u3" jump nat_PRE_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump nat_PRE_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
		iifname "docker0" jump nat_PRE_docker
		iifname "docker0" return
		iifname "wlp11s0" jump nat_PRE_policy_allow-host-ipv6
		iifname "wlp11s0" jump nat_PRE_nm-shared
		iifname "wlp11s0" return
		jump nat_PRE_policy_allow-host-ipv6
		jump nat_PRE_FedoraWorkstation
		return
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES
	}

	chain nat_POSTROUTING_POLICIES {
		iifname "eno1" oifname "eno1" jump nat_POST_FedoraWorkstation
		iifname "eno1" oifname "eno1" return
		iifname "enp14s0f4u2u1u3" oifname "eno1" jump nat_POST_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "eno1" return
		iifname "docker0" oifname "eno1" jump nat_POST_FedoraWorkstation
		iifname "docker0" oifname "eno1" return
		iifname "wlp11s0" oifname "eno1" jump nat_POST_FedoraWorkstation
		iifname "wlp11s0" oifname "eno1" return
		oifname "eno1" jump nat_POST_FedoraWorkstation
		oifname "eno1" return
		iifname "eno1" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "eno1" oifname "enp14s0f4u2u1u3" return
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" return
		iifname "docker0" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "docker0" oifname "enp14s0f4u2u1u3" return
		iifname "wlp11s0" oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "wlp11s0" oifname "enp14s0f4u2u1u3" return
		oifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		iifname "eno1" oifname "docker0" jump nat_POST_docker
		iifname "eno1" oifname "docker0" return
		iifname "enp14s0f4u2u1u3" oifname "docker0" jump nat_POST_docker
		iifname "enp14s0f4u2u1u3" oifname "docker0" return
		iifname "docker0" oifname "docker0" jump nat_POST_docker
		iifname "docker0" oifname "docker0" return
		iifname "wlp11s0" oifname "docker0" jump nat_POST_docker
		iifname "wlp11s0" oifname "docker0" return
		oifname "docker0" jump nat_POST_docker
		oifname "docker0" return
		iifname "eno1" oifname "wlp11s0" jump nat_POST_nm-shared
		iifname "eno1" oifname "wlp11s0" return
		iifname "enp14s0f4u2u1u3" oifname "wlp11s0" jump nat_POST_nm-shared
		iifname "enp14s0f4u2u1u3" oifname "wlp11s0" return
		iifname "docker0" oifname "wlp11s0" jump nat_POST_nm-shared
		iifname "docker0" oifname "wlp11s0" return
		iifname "wlp11s0" oifname "wlp11s0" jump nat_POST_nm-shared
		iifname "wlp11s0" oifname "wlp11s0" return
		oifname "wlp11s0" jump nat_POST_nm-shared
		oifname "wlp11s0" return
		iifname "eno1" jump nat_POST_FedoraWorkstation
		iifname "eno1" return
		iifname "enp14s0f4u2u1u3" jump nat_POST_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" return
		iifname "docker0" jump nat_POST_FedoraWorkstation
		iifname "docker0" return
		iifname "wlp11s0" jump nat_POST_FedoraWorkstation
		iifname "wlp11s0" return
		jump nat_POST_FedoraWorkstation
		return
	}

	chain nat_OUTPUT {
		type nat hook output priority -90; policy accept;
		jump nat_OUTPUT_POLICIES
	}

	chain nat_OUTPUT_POLICIES {
		oifname "eno1" jump nat_OUT_FedoraWorkstation
		oifname "eno1" return
		oifname "enp14s0f4u2u1u3" jump nat_OUT_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		oifname "docker0" jump nat_OUT_docker
		oifname "docker0" return
		oifname "wlp11s0" jump nat_OUT_nm-shared
		oifname "wlp11s0" return
		jump nat_OUT_FedoraWorkstation
		return
	}

	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES
	}

	chain filter_INPUT_POLICIES {
		iifname "eno1" jump filter_IN_policy_allow-host-ipv6
		iifname "eno1" jump filter_IN_FedoraWorkstation
		iifname "eno1" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" jump filter_IN_policy_allow-host-ipv6
		iifname "enp14s0f4u2u1u3" jump filter_IN_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "docker0" jump filter_IN_policy_allow-host-ipv6
		iifname "docker0" jump filter_IN_docker
		iifname "docker0" accept
		iifname "wlp11s0" jump filter_IN_policy_allow-host-ipv6
		iifname "wlp11s0" jump filter_IN_nm-shared
		iifname "wlp11s0" accept
		jump filter_IN_policy_allow-host-ipv6
		jump filter_IN_FedoraWorkstation
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD_POLICIES {
		iifname "eno1" oifname "eno1" jump filter_FWD_FedoraWorkstation
		iifname "eno1" oifname "eno1" reject with icmpx admin-prohibited
		iifname "eno1" oifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		iifname "eno1" oifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "eno1" oifname "docker0" jump filter_FWD_FedoraWorkstation
		iifname "eno1" oifname "docker0" reject with icmpx admin-prohibited
		iifname "eno1" oifname "wlp11s0" jump filter_FWD_FedoraWorkstation
		iifname "eno1" oifname "wlp11s0" reject with icmpx admin-prohibited
		iifname "eno1" jump filter_FWD_FedoraWorkstation
		iifname "eno1" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" oifname "eno1" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "eno1" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" oifname "docker0" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "docker0" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" oifname "wlp11s0" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" oifname "wlp11s0" reject with icmpx admin-prohibited
		iifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		iifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		iifname "docker0" oifname "eno1" jump filter_FWD_docker
		iifname "docker0" oifname "eno1" accept
		iifname "docker0" oifname "enp14s0f4u2u1u3" jump filter_FWD_docker
		iifname "docker0" oifname "enp14s0f4u2u1u3" accept
		iifname "docker0" oifname "docker0" jump filter_FWD_docker
		iifname "docker0" oifname "docker0" accept
		iifname "docker0" oifname "wlp11s0" jump filter_FWD_docker
		iifname "docker0" oifname "wlp11s0" accept
		iifname "docker0" jump filter_FWD_docker
		iifname "docker0" accept
		iifname "wlp11s0" oifname "eno1" jump filter_FWD_nm-shared
		iifname "wlp11s0" oifname "eno1" accept
		iifname "wlp11s0" oifname "enp14s0f4u2u1u3" jump filter_FWD_nm-shared
		iifname "wlp11s0" oifname "enp14s0f4u2u1u3" accept
		iifname "wlp11s0" oifname "docker0" jump filter_FWD_nm-shared
		iifname "wlp11s0" oifname "docker0" accept
		iifname "wlp11s0" oifname "wlp11s0" jump filter_FWD_nm-shared
		iifname "wlp11s0" oifname "wlp11s0" accept
		iifname "wlp11s0" jump filter_FWD_nm-shared
		iifname "wlp11s0" accept
		oifname "eno1" jump filter_FWD_FedoraWorkstation
		oifname "eno1" reject with icmpx admin-prohibited
		oifname "enp14s0f4u2u1u3" jump filter_FWD_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" reject with icmpx admin-prohibited
		oifname "docker0" jump filter_FWD_FedoraWorkstation
		oifname "docker0" reject with icmpx admin-prohibited
		oifname "wlp11s0" jump filter_FWD_FedoraWorkstation
		oifname "wlp11s0" reject with icmpx admin-prohibited
		jump filter_FWD_FedoraWorkstation
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT_POLICIES {
		oifname "eno1" jump filter_OUT_FedoraWorkstation
		oifname "eno1" return
		oifname "enp14s0f4u2u1u3" jump filter_OUT_FedoraWorkstation
		oifname "enp14s0f4u2u1u3" return
		oifname "docker0" jump filter_OUT_docker
		oifname "docker0" return
		oifname "wlp11s0" jump filter_OUT_nm-shared
		oifname "wlp11s0" return
		jump filter_OUT_FedoraWorkstation
		return
	}

	chain filter_IN_FedoraWorkstation {
		jump filter_IN_FedoraWorkstation_pre
		jump filter_IN_FedoraWorkstation_log
		jump filter_IN_FedoraWorkstation_deny
		jump filter_IN_FedoraWorkstation_allow
		jump filter_IN_FedoraWorkstation_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_FedoraWorkstation_pre {
	}

	chain filter_IN_FedoraWorkstation_log {
	}

	chain filter_IN_FedoraWorkstation_deny {
	}

	chain filter_IN_FedoraWorkstation_allow {
		ip6 daddr fe80::/64 udp dport 546 accept
		tcp dport 22 accept
		udp dport 137 ct helper set "helper-netbios-ns-udp"
		udp dport 137 accept
		udp dport 138 accept
		ip daddr 224.0.0.251 udp dport 5353 accept
		ip6 daddr ff02::fb udp dport 5353 accept
		udp dport 1025-65535 accept
		tcp dport 1025-65535 accept
	}

	chain filter_IN_FedoraWorkstation_post {
	}

	chain filter_OUT_FedoraWorkstation {
		jump filter_OUT_FedoraWorkstation_pre
		jump filter_OUT_FedoraWorkstation_log
		jump filter_OUT_FedoraWorkstation_deny
		jump filter_OUT_FedoraWorkstation_allow
		jump filter_OUT_FedoraWorkstation_post
	}

	chain filter_OUT_FedoraWorkstation_pre {
	}

	chain filter_OUT_FedoraWorkstation_log {
	}

	chain filter_OUT_FedoraWorkstation_deny {
	}

	chain filter_OUT_FedoraWorkstation_allow {
	}

	chain filter_OUT_FedoraWorkstation_post {
	}

	chain nat_OUT_FedoraWorkstation {
		jump nat_OUT_FedoraWorkstation_pre
		jump nat_OUT_FedoraWorkstation_log
		jump nat_OUT_FedoraWorkstation_deny
		jump nat_OUT_FedoraWorkstation_allow
		jump nat_OUT_FedoraWorkstation_post
	}

	chain nat_OUT_FedoraWorkstation_pre {
	}

	chain nat_OUT_FedoraWorkstation_log {
	}

	chain nat_OUT_FedoraWorkstation_deny {
	}

	chain nat_OUT_FedoraWorkstation_allow {
	}

	chain nat_OUT_FedoraWorkstation_post {
	}

	chain nat_POST_FedoraWorkstation {
		jump nat_POST_FedoraWorkstation_pre
		jump nat_POST_FedoraWorkstation_log
		jump nat_POST_FedoraWorkstation_deny
		jump nat_POST_FedoraWorkstation_allow
		jump nat_POST_FedoraWorkstation_post
	}

	chain nat_POST_FedoraWorkstation_pre {
	}

	chain nat_POST_FedoraWorkstation_log {
	}

	chain nat_POST_FedoraWorkstation_deny {
	}

	chain nat_POST_FedoraWorkstation_allow {
	}

	chain nat_POST_FedoraWorkstation_post {
	}

	chain filter_FWD_FedoraWorkstation {
		jump filter_FWD_FedoraWorkstation_pre
		jump filter_FWD_FedoraWorkstation_log
		jump filter_FWD_FedoraWorkstation_deny
		jump filter_FWD_FedoraWorkstation_allow
		jump filter_FWD_FedoraWorkstation_post
	}

	chain filter_FWD_FedoraWorkstation_pre {
	}

	chain filter_FWD_FedoraWorkstation_log {
	}

	chain filter_FWD_FedoraWorkstation_deny {
	}

	chain filter_FWD_FedoraWorkstation_allow {
		oifname "enp14s0f4u2u1u3" accept
		oifname "eno1" accept
	}

	chain filter_FWD_FedoraWorkstation_post {
	}

	chain nat_PRE_FedoraWorkstation {
		jump nat_PRE_FedoraWorkstation_pre
		jump nat_PRE_FedoraWorkstation_log
		jump nat_PRE_FedoraWorkstation_deny
		jump nat_PRE_FedoraWorkstation_allow
		jump nat_PRE_FedoraWorkstation_post
	}

	chain nat_PRE_FedoraWorkstation_pre {
	}

	chain nat_PRE_FedoraWorkstation_log {
	}

	chain nat_PRE_FedoraWorkstation_deny {
	}

	chain nat_PRE_FedoraWorkstation_allow {
	}

	chain nat_PRE_FedoraWorkstation_post {
	}

	chain mangle_PRE_FedoraWorkstation {
		jump mangle_PRE_FedoraWorkstation_pre
		jump mangle_PRE_FedoraWorkstation_log
		jump mangle_PRE_FedoraWorkstation_deny
		jump mangle_PRE_FedoraWorkstation_allow
		jump mangle_PRE_FedoraWorkstation_post
	}

	chain mangle_PRE_FedoraWorkstation_pre {
	}

	chain mangle_PRE_FedoraWorkstation_log {
	}

	chain mangle_PRE_FedoraWorkstation_deny {
	}

	chain mangle_PRE_FedoraWorkstation_allow {
	}

	chain mangle_PRE_FedoraWorkstation_post {
	}

	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}

	chain filter_IN_docker {
		jump filter_IN_docker_pre
		jump filter_IN_docker_log
		jump filter_IN_docker_deny
		jump filter_IN_docker_allow
		jump filter_IN_docker_post
	}

	chain filter_IN_docker_pre {
	}

	chain filter_IN_docker_log {
	}

	chain filter_IN_docker_deny {
	}

	chain filter_IN_docker_allow {
	}

	chain filter_IN_docker_post {
	}

	chain filter_OUT_docker {
		jump filter_OUT_docker_pre
		jump filter_OUT_docker_log
		jump filter_OUT_docker_deny
		jump filter_OUT_docker_allow
		jump filter_OUT_docker_post
	}

	chain filter_OUT_docker_pre {
	}

	chain filter_OUT_docker_log {
	}

	chain filter_OUT_docker_deny {
	}

	chain filter_OUT_docker_allow {
	}

	chain filter_OUT_docker_post {
	}

	chain nat_OUT_docker {
		jump nat_OUT_docker_pre
		jump nat_OUT_docker_log
		jump nat_OUT_docker_deny
		jump nat_OUT_docker_allow
		jump nat_OUT_docker_post
	}

	chain nat_OUT_docker_pre {
	}

	chain nat_OUT_docker_log {
	}

	chain nat_OUT_docker_deny {
	}

	chain nat_OUT_docker_allow {
	}

	chain nat_OUT_docker_post {
	}

	chain nat_POST_docker {
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
	}

	chain nat_POST_docker_pre {
	}

	chain nat_POST_docker_log {
	}

	chain nat_POST_docker_deny {
	}

	chain nat_POST_docker_allow {
	}

	chain nat_POST_docker_post {
	}

	chain filter_FWD_docker {
		jump filter_FWD_docker_pre
		jump filter_FWD_docker_log
		jump filter_FWD_docker_deny
		jump filter_FWD_docker_allow
		jump filter_FWD_docker_post
	}

	chain filter_FWD_docker_pre {
	}

	chain filter_FWD_docker_log {
	}

	chain filter_FWD_docker_deny {
	}

	chain filter_FWD_docker_allow {
		oifname "docker0" accept
	}

	chain filter_FWD_docker_post {
	}

	chain nat_PRE_docker {
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
	}

	chain nat_PRE_docker_pre {
	}

	chain nat_PRE_docker_log {
	}

	chain nat_PRE_docker_deny {
	}

	chain nat_PRE_docker_allow {
	}

	chain nat_PRE_docker_post {
	}

	chain mangle_PRE_docker {
		jump mangle_PRE_docker_pre
		jump mangle_PRE_docker_log
		jump mangle_PRE_docker_deny
		jump mangle_PRE_docker_allow
		jump mangle_PRE_docker_post
	}

	chain mangle_PRE_docker_pre {
	}

	chain mangle_PRE_docker_log {
	}

	chain mangle_PRE_docker_deny {
	}

	chain mangle_PRE_docker_allow {
	}

	chain mangle_PRE_docker_post {
	}

	chain filter_IN_nm-shared {
		jump filter_IN_nm-shared_pre
		jump filter_IN_nm-shared_log
		jump filter_IN_nm-shared_deny
		jump filter_IN_nm-shared_allow
		jump filter_IN_nm-shared_post
	}

	chain filter_IN_nm-shared_pre {
	}

	chain filter_IN_nm-shared_log {
	}

	chain filter_IN_nm-shared_deny {
	}

	chain filter_IN_nm-shared_allow {
		udp dport 67 accept
		tcp dport 53 accept
		udp dport 53 accept
		tcp dport 22 accept
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept
	}

	chain filter_IN_nm-shared_post {
		reject
	}

	chain filter_OUT_nm-shared {
		jump filter_OUT_nm-shared_pre
		jump filter_OUT_nm-shared_log
		jump filter_OUT_nm-shared_deny
		jump filter_OUT_nm-shared_allow
		jump filter_OUT_nm-shared_post
	}

	chain filter_OUT_nm-shared_pre {
	}

	chain filter_OUT_nm-shared_log {
	}

	chain filter_OUT_nm-shared_deny {
	}

	chain filter_OUT_nm-shared_allow {
	}

	chain filter_OUT_nm-shared_post {
	}

	chain nat_OUT_nm-shared {
		jump nat_OUT_nm-shared_pre
		jump nat_OUT_nm-shared_log
		jump nat_OUT_nm-shared_deny
		jump nat_OUT_nm-shared_allow
		jump nat_OUT_nm-shared_post
	}

	chain nat_OUT_nm-shared_pre {
	}

	chain nat_OUT_nm-shared_log {
	}

	chain nat_OUT_nm-shared_deny {
	}

	chain nat_OUT_nm-shared_allow {
	}

	chain nat_OUT_nm-shared_post {
	}

	chain nat_POST_nm-shared {
		jump nat_POST_nm-shared_pre
		jump nat_POST_nm-shared_log
		jump nat_POST_nm-shared_deny
		jump nat_POST_nm-shared_allow
		jump nat_POST_nm-shared_post
	}

	chain nat_POST_nm-shared_pre {
	}

	chain nat_POST_nm-shared_log {
	}

	chain nat_POST_nm-shared_deny {
	}

	chain nat_POST_nm-shared_allow {
	}

	chain nat_POST_nm-shared_post {
	}

	chain filter_FWD_nm-shared {
		jump filter_FWD_nm-shared_pre
		jump filter_FWD_nm-shared_log
		jump filter_FWD_nm-shared_deny
		jump filter_FWD_nm-shared_allow
		jump filter_FWD_nm-shared_post
	}

	chain filter_FWD_nm-shared_pre {
	}

	chain filter_FWD_nm-shared_log {
	}

	chain filter_FWD_nm-shared_deny {
	}

	chain filter_FWD_nm-shared_allow {
	}

	chain filter_FWD_nm-shared_post {
	}

	chain nat_PRE_nm-shared {
		jump nat_PRE_nm-shared_pre
		jump nat_PRE_nm-shared_log
		jump nat_PRE_nm-shared_deny
		jump nat_PRE_nm-shared_allow
		jump nat_PRE_nm-shared_post
	}

	chain nat_PRE_nm-shared_pre {
	}

	chain nat_PRE_nm-shared_log {
	}

	chain nat_PRE_nm-shared_deny {
	}

	chain nat_PRE_nm-shared_allow {
	}

	chain nat_PRE_nm-shared_post {
	}

	chain mangle_PRE_nm-shared {
		jump mangle_PRE_nm-shared_pre
		jump mangle_PRE_nm-shared_log
		jump mangle_PRE_nm-shared_deny
		jump mangle_PRE_nm-shared_allow
		jump mangle_PRE_nm-shared_post
	}

	chain mangle_PRE_nm-shared_pre {
	}

	chain mangle_PRE_nm-shared_log {
	}

	chain mangle_PRE_nm-shared_deny {
	}

	chain mangle_PRE_nm-shared_allow {
	}

	chain mangle_PRE_nm-shared_post {
	}
}
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 12 bytes 790 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}
}
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 119 bytes 7140 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 119 bytes 7140 jump DOCKER-USER
		counter packets 119 bytes 7140 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		iifname "eno1" oifname "wlp11s0" counter packets 0 bytes 0 accept
		iifname "enp14s0f4u2u1u3" oifname "wlp11s0" counter packets 0 bytes 0 accept
		counter packets 119 bytes 7140 return
	}
}
table ip nm-shared-wlp11s0 {
	chain nat_postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.42.0.0/24 ip daddr != 10.42.0.0/24 masquerade
	}

	chain filter_forward {
		type filter hook forward priority filter; policy accept;
		ip daddr 10.42.0.0/24 oifname "wlp11s0" ct state { established, related } accept
		ip saddr 10.42.0.0/24 iifname "wlp11s0" accept
		iifname "wlp11s0" oifname "wlp11s0" accept
		iifname "wlp11s0" reject
		oifname "wlp11s0" reject
	}
}

Is the ruleset sensitive from a security standpoint? Should I be worried about leaking any information by posting it? Well, now it’s already been posted, but if that’s the case, should I change something?
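The ruleset above registers three base chains on the forward hook (Docker's `ip filter FORWARD` with `policy drop`, NetworkManager's `ip nm-shared-wlp11s0 filter_forward`, and firewalld's `inet firewalld filter_FORWARD`); nftables evaluates every base chain on a hook for each forwarded packet, so an `accept` in one chain does not save a packet that another chain drops. The following Python is an added example, not code from the post or from any of those projects: it transcribes the first two chains (firewalld's chain accepts the wlp11s0 to eno1 path through `filter_FORWARD_POLICIES` and is left out) and simulates a new flow from a hotspot client toward the `eno1` uplink; the packet addresses are constructed, and conntrack rules are omitted because the simulated packet starts a new flow.

```python
import ipaddress
import re

# Constructed transcription of two forward-hook base chains from the ruleset
# above (Docker's "ip filter" and NetworkManager's "ip nm-shared-wlp11s0");
# firewalld's chain accepts the wlp11s0->eno1 path and is omitted, as are
# counters and rules that cannot match that path. Value: (policy, [rules]).
CHAINS = {
    ("filter", "FORWARD"): ("drop", [
        "jump DOCKER-USER",
        'iifname "docker0" oifname != "docker0" accept',
    ]),
    ("filter", "DOCKER-USER"): (None, [
        'iifname "eno1" oifname "wlp11s0" accept',   # only the uplink->hotspot way
        "return",
    ]),
    ("nm-shared-wlp11s0", "filter_forward"): ("accept", [
        'ip saddr 10.42.0.0/24 iifname "wlp11s0" accept',
        'iifname "wlp11s0" reject',
        'oifname "wlp11s0" reject',
    ]),
}

MATCH = re.compile(r'(iifname|oifname|ip saddr|ip daddr) (!= )?"?([\w./]+)"?')
VERDICT = re.compile(r"\b(accept|drop|reject|return|jump \S+)")

def rule_hits(rule, pkt):
    """True when every match expression in the rule applies to the packet."""
    for field, neg, want in MATCH.findall(rule):
        if field.startswith("ip "):
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(want)
        else:
            hit = pkt[field] == want
        if hit == bool(neg):           # "!=" inverts the expression
            return False
    return True

def run_chain(chains, key, pkt):
    """Walk one chain; None means a regular chain fell through or returned."""
    policy, rules = chains[key]
    for rule in rules:
        m = VERDICT.search(rule)
        if not m or not rule_hits(rule, pkt):
            continue
        verdict = m.group(1)
        if verdict.startswith("jump "):
            sub = run_chain(chains, (key[0], verdict[5:]), pkt)
            if sub is not None:        # the jumped-to chain reached a final verdict
                return sub
        elif verdict == "return":
            break                      # fall back to this chain's policy
        else:
            return verdict
    return policy

def forward_verdicts(pkt, chains=CHAINS):
    """Every base chain on the forward hook sees the packet; one drop/reject is final."""
    return {f"{t}/{c}": run_chain(chains, (t, c), pkt)
            for (t, c), (policy, _) in chains.items() if policy is not None}
```

For a hotspot client's new flow (`wlp11s0` to `eno1`, source 10.42.0.10) the NetworkManager chain accepts but Docker's `FORWARD` chain reaches its `policy drop`, because `DOCKER-USER` only accepts the `eno1` to `wlp11s0` direction; a container's flow (`docker0` to `eno1`) is accepted by both.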