Over the past week or so, I’ve been trying out using Docker to deploy a Django site on a VPS. My preferred setup for that is to have Caddy running on the host, not in any container, as a reverse proxy. (It’s a single, static binary; I don’t see any joy in wrapping that in a container.) In the past when I’ve hosted similar things, I just ran gunicorn in a python virtualenv on the host as well, and bound it to the loopback.
Yep, this sort of stuff happens and is extremely annoying. Libvirtd will do it for VM networking by default too.
The solution at the intersection of easy to implement and reliable is to just use nftables instead of iptables. Then, the extra rules automatically added by tools are usually much more predictable and easier to integrate with your own rules. Briefly, if nftables is enabled, most tools that mess with the firewall will create a new table inside of nftables with a lower-than-default priority, so that if you have your own custom table set up, the new rules won’t interfere with it. (That being said, it is possible that your higher-priority table will cause the automatically added rules not to behave as intended, in which case you may need to add more rules to your manually added table. But manual rules breaking automatic ones is better than automatic rules breaking manual ones imo).
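A host ruleset of the shape the comment describes, as an added example and not code from the thread. It assumes a public interface eth0, Caddy on the host listening on 80/443, a Docker-published gunicorn container on host port 8000 (all constructed values), and Docker inserting its rules through the iptables-nft backend, whose tables hook at the default priorities (dstnat = -100, filter = 0).

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Constructed assumptions: public
# interface eth0, Caddy on 80/443 on the host, gunicorn container published
# on host port 8000, Docker using iptables-nft (nat PREROUTING at -100,
# filter at 0). Chains here use smaller priority numbers, so they run
# before Docker's on the same hook, which is the point the comment makes.

table inet host_policy {
    chain prerouting {
        # -110 sorts before Docker's DNAT at -100: a packet dropped here is
        # never rewritten toward the container, whatever Docker added later.
        # Traffic from lo is untouched, so Caddy -> 127.0.0.1:8000 still works.
        type filter hook prerouting priority -110; policy accept;
        iifname "eth0" tcp dport 8000 ct state new counter drop comment "published port is for Caddy on loopback only"
    }

    chain input {
        # Default-deny for host-destined traffic; published-port traffic is
        # DNATed and takes the forward path, so the rule above, not this
        # chain, is what closes the hole Docker punched.
        type filter hook input priority -10; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        tcp dport { 22, 80, 443 } accept
    }
}
```

Load with `nft -f` and inspect ordering with `nft list ruleset`; a `policy drop` on a forward chain in this table would be the "manual rules breaking automatic ones" case the comment warns about, since Docker's own forward chain would then never see container traffic.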