Ganzjahresgriller, yes it does.
Below is the config:
# NAT table for Docker container internet access
table ip nat {
# IPv4-only (`ip` family) source NAT for the mailcow Docker bridge.
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade all traffic from Docker’s mailcow bridge subnet going out any interface except Docker bridge
# Source addresses in 172.22.1.0/24 are rewritten to the egress interface's address;
# packets whose egress interface is br-mailcow itself are not rewritten.
oifname != "br-mailcow" ip saddr 172.22.1.0/24 masquerade
}
}
# `inet` applies to both IPv4 and IPv6.
table inet filter {
# Host-bound traffic. Default policy is drop, so only what is accepted below gets in;
# everything else ends at the final `counter drop`.
chain input {
type filter hook input priority 0; policy drop;
# Loopback is always allowed.
iif lo accept
# no ping floods:
# These two rules must stay ABOVE the ICMP/ICMPv6 accept rules further down, which
# also list echo-request: rule order decides, so the rate limit only takes effect
# because it is evaluated first.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
# Replies and related flows of connections that are already tracked.
ct state established,related accept
# accept ICMP & IGMP
# The nd-* and mld* entries cover IPv6 neighbour discovery and multicast listener
# signalling; dropping those breaks IPv6 connectivity on the host.
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
ip protocol igmp accept
# Publicly reachable TCP services (both IPv4 and IPv6, since the table is `inet`):
# 22 SSH, 80/443 HTTP(S), 25/465/587 SMTP, 110/995 POP3(S), 143/993 IMAP(S), 4190 ManageSieve;
# 5380 is presumably a mailcow-side admin/service port — confirm against the deployment.
# NOTE(review): no UDP is accepted here, and no exception exists for br-mailcow; if a
# container needs to reach a service on the host itself (e.g. DNS on the bridge address),
# that traffic is dropped by this chain — confirm that is intended.
tcp dport {22, 80, 443, 25, 465, 587, 110, 995, 143, 993, 5380, 4190} accept
# Count what the policy is about to drop so `nft list ruleset` shows rejected volume.
counter drop
}
# Locally generated traffic is not filtered.
chain output {
type filter hook output priority 0;
policy accept;
}
# Routed traffic between the mailcow bridge and other interfaces.
chain forward {
type filter hook forward priority 0;
policy drop;
# Containers may open connections outward (any state, including new) ...
iifname "br-mailcow" oifname != "br-mailcow" ip saddr 172.22.1.0/24 accept
# ... but only return traffic of those connections is forwarded back into the bridge.
# Both rules match IPv4 only (`ip saddr`/`ip daddr`); forwarded IPv6 falls to the drop policy.
# NOTE(review): a new inbound connection to a container (e.g. a Docker-published port
# reaching the bridge via DNAT) is not accepted by this chain, and a drop here is final
# regardless of Docker's own rules — confirm no such flows are expected.
iifname != "br-mailcow" oifname "br-mailcow" ip daddr 172.22.1.0/24 ct state related,established accept
}
}