nftables port redirect rules not working inside Podman containers

I started using rootless podman on a Debian 13 server recently, and to work around the problem of not being able to bind services to port 80 and 443 anymore, I’ve made some nftables rules on the host (in an nftables.conf file) to redirect traffic from those ports to 10080 and 10443 respectively, and those are what my services get bound to. The prerouting chain handles traffic from other devices, and the output chain works for traffic from the host itself, with daddr + the host’s IP added to the rules to make sure traffic to external hosts isn’t affected.

#!/usr/sbin/nft -f

flush ruleset

table inet firewall {
  chain inbound {
    type filter hook input priority 0; policy accept;
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
  chain outbound {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    tcp dport 80 redirect to 10080
    tcp dport 443 redirect to 10443
  }
  chain output {
    type nat hook output priority -100; policy accept;

    ip daddr 192.168.0.100 tcp dport 80 redirect to 10080
    ip daddr 192.168.0.100 tcp dport 443 redirect to 10443
  }
}

My problem is that these rules don’t apply to traffic from inside podman containers, and as such, they can’t really talk to each other predictably. My test case is curling the web address of one container’s service from a shell inside the other.

Most of my nftables rules are very permissive to minimise problems, and I’ve made sure net.ipv4.ip_forward is enabled on the host as well.
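As an added diagnostic example that is not part of the original post: one way to tell whether container-originated connections ever reach these nat rules is to put `counter` in front of each `redirect` statement and read the counters back with `sudo nft -j list ruleset`. The script below parses that JSON and lists the redirect rules whose counter never moved; the embedded sample is constructed, and the object layout follows nft's JSON output format as I understand it (an assumption, not something from the post).

```python
import json

# Constructed sample of `sudo nft -j list ruleset` output (shape assumed from nft's
# JSON format), showing only the nat rules, with `counter` added before each `redirect`.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"rule": {"family": "ip", "table": "nat", "chain": "prerouting", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 80}},
        {"counter": {"packets": 42, "bytes": 2520}},
        {"redirect": {"port": 10080}}]}},
    {"rule": {"family": "ip", "table": "nat", "chain": "prerouting", "handle": 4, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 443}},
        {"counter": {"packets": 0, "bytes": 0}},
        {"redirect": {"port": 10443}}]}},
    {"rule": {"family": "ip", "table": "nat", "chain": "output", "handle": 5, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "192.168.0.100"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 80}},
        {"counter": {"packets": 7, "bytes": 420}},
        {"redirect": {"port": 10080}}]}},
    {"rule": {"family": "ip", "table": "nat", "chain": "output", "handle": 6, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "192.168.0.100"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 443}},
        {"redirect": {"port": 10443}}]}},  # constructed without a counter: cannot be checked
]})

def redirect_counters(nft_json):
    """Per nat `redirect` rule: chain, matched dport, target port, packet count (None if no counter)."""
    records = []
    for obj in json.loads(nft_json)["nftables"]:
        rule = obj.get("rule")
        if not rule or rule.get("table") != "nat":
            continue
        exprs = rule.get("expr", [])
        redirect = next((e["redirect"] for e in exprs if "redirect" in e), None)
        if redirect is None:
            continue  # masquerade/dnat/plain filter rules are not what we are diagnosing
        counter = next((e["counter"] for e in exprs if "counter" in e), None)
        dport = next((e["match"]["right"] for e in exprs if "match" in e
                      and e["match"]["left"].get("payload", {}).get("field") == "dport"), None)
        records.append({"chain": rule["chain"], "dport": dport, "to": redirect.get("port"),
                        "packets": counter["packets"] if counter else None})
    return records

def silent_rules(records):
    """Redirect rules that never matched (zero packets) or cannot be checked (no counter)."""
    return [r for r in records if not r["packets"]]

if __name__ == "__main__":
    for r in redirect_counters(SAMPLE_NFT_JSON):
        print(f"{r['chain']:<11} dport {r['dport']!s:<5} -> {r['to']:<6} packets={r['packets']}")
```

On the host, feed the real output in (`sudo nft -j list ruleset`) while repeating the container-to-container curl: a redirect rule whose counter stays at zero during the test is a chain the container traffic is not traversing, which narrows the problem to the container network path rather than the rule syntax.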