README covers the three-part firewall setup (daemon.json, Docker network subnet, nftables) with permalinks to avoid line drift. todo.md tracks documentation still to be written. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude Code Docker Setup
A Docker setup for running Claude Code. Note that the firewall is not configured by just using this repo — additional host-level setup is required to isolate the container from your LAN.
Firewall setup
Firewall isolation requires three pieces working together:
1. Docker daemon config — etc_conf/daemon.json
Restricts the address pool Docker uses for automatic network assignment to 172.16.0.0/13 (172.16.0.0 through 172.23.255.255). Because the 172.28.x.x range used by the Claude container lies outside that pool, Docker cannot accidentally assign it to another network.
Place at /etc/docker/daemon.json and restart Docker.
2. docker-compose.yml network — the container is placed on 172.28.0.0/24, which is outside the auto-assign pool above, giving it a known, stable subnet.
3. nftables rules — etc_conf/nftables.conf
Drops forwarded traffic from the Docker address range (172.16.0.0/12, which covers 172.28.x.x) destined for your LAN. The relevant rule is line 31:
ip saddr 172.16.0.0/12 ip daddr 192.168.0.0/16 drop
Make sure your LAN subnet is covered by the destination range here. If your LAN uses a different range (e.g. 10.0.0.0/8), you need to add a corresponding rule.
Place at /etc/nftables.conf and enable/reload nftables.