How to install nxfilter and pihole with docker


Feature request: NxFilter for NethServer

This howto is for testing the DNS webfilters. Do not use in production.
Maybe we could improve it together. Please test and give feedback…


Get docker repo and install and enable nethserver-docker:

cd ~
wget -O /etc/yum.repos.d/docker-ce.repo
yum -y install
config setprop docker status enabled
signal-event nethserver-docker-update


For testing purposes I decided to open the docker network by policy. In a production environment you should leave out this step and set firewall rules.

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/policy
cp /etc/e-smith/templates/etc/shorewall/policy/35aqua /etc/e-smith/templates-custom/etc/shorewall/policy/
cat << 'EOF' > /etc/e-smith/templates-custom/etc/shorewall/policy/35aqua
# 35aqua -- the Docker network policy
aqua net ACCEPT
loc aqua ACCEPT
EOF
signal-event firewall-adjust

Download and start containers

Install nxfilter and/or pihole to test them.
Edit TZ=Europe/Vienna to match your timezone:


docker run -d --name nxfilter -v nxfilter-conf:/nxfilter/conf -v nxfilter-log:/nxfilter/log -v nxfilter-db:/nxfilter/db -e TZ=Europe/Vienna --net=aqua --restart=unless-stopped packetworks/nxfilter-base:latest


docker run -d --name pihole -e TZ="Europe/Vienna" -e WEBPASSWORD="admin" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --cap-add NET_ADMIN --net=aqua --restart=unless-stopped pihole/pihole:latest


Browse to https://YOURNETH:980/portainer, set up admin username/password and select Local.
Now you can manage the containers via web UI.

Check the IPs of your machines; if you installed in a different order they may differ. In this howto is the nxfilter, is the pihole.

General rules for adding more docker containers

  • don’t publish ports
  • put the containers to aqua network
  • set restart policy to unless-stopped



Browse to and login with admin, password: admin

You may need to set upstream DNS:


NxFilter supports LDAP/AD and much more…


Browse to and login with password: admin

You may need to set upstream DNS:


Clients use filter DNS

The clients use the DNS server of a webfilter. They may get the DNS server to use from Nethserver DHCP.
This webfilter uses the Nethserver as upstream DNS.
The Nethserver uses an outside upstream DNS like (google).
This way the filter gets the client IP and you can see it in the logs. Nxfilter for instance can map the IP to AD/LDAP users.

Nethserver uses webfilter as upstream DNS

In this case the filter only gets the IP of the Nethserver and has no information who is surfing but blocks ads and more.

Clients use Nethserver proxy

You need to set the Nethserver upstream DNS to one of the filters. Now when clients use the proxy the DNS filter is involved.


You may use more filters for testing. One filter uses the next one as upstream DNS. The last filter uses Nethserver as upstream DNS.


  • Testing
  • More secure firewall
  • Using rootless podman containers - I already tried but no success
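
The "General rules for adding more docker containers" from the howto above, turned into a check script. This is an added example, not part of the original post: the function names and the sample records are constructed, and only the network name aqua and the restart policy unless-stopped come from the howto.

```shell
#!/bin/sh
# Added example: checks containers against the howto's three rules.
# Record format (one container per line, '|' separated):
#   name|network|restart policy|number of port bindings|publish-all flag

# Print one finding per broken rule; return 1 if any rule is broken.
check_line() {
    bad=0
    if [ "$4" != "0" ] || [ "$5" = "true" ]; then
        echo "$1: publishes ports on the host"; bad=1
    fi
    if [ "$2" != "aqua" ]; then
        echo "$1: on network '$2', expected 'aqua'"; bad=1
    fi
    if [ "$3" != "unless-stopped" ]; then
        echo "$1: restart policy '${3:-none}', expected 'unless-stopped'"; bad=1
    fi
    return "$bad"
}

# Read records on stdin; return 1 if at least one container is non-compliant.
audit_lines() {
    failed=0
    while IFS='|' read -r name network restart bindings publish_all; do
        [ -n "$name" ] || continue
        check_line "${name#/}" "$network" "$restart" "$bindings" "$publish_all" || failed=1
    done
    return "$failed"
}

# Build the records from the local Docker daemon (needs docker; not run here).
audit_running() {
    ids=$(docker ps -aq) || return 2
    [ -n "$ids" ] || return 0
    # Word splitting of $ids is intended: one argument per container id.
    docker inspect --format '{{.Name}}|{{.HostConfig.NetworkMode}}|{{.HostConfig.RestartPolicy.Name}}|{{len .HostConfig.PortBindings}}|{{.HostConfig.PublishAllPorts}}' $ids | audit_lines
}

# Constructed sample records, not output captured from a real host.
SAMPLE='/nxfilter|aqua|unless-stopped|0|false
/pihole|bridge|always|2|false'

printf '%s\n' "$SAMPLE" | audit_lines || true
```

On a host with Docker installed, call audit_running after starting the containers; it prints nothing and returns 0 when every container follows the three rules.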

Bring to this man a medal! And a beer, of course.


Good afternoon,

I was playing around with Guacamole and ran into problems trying to deploy nethserver-docker on a fresh NS demo. Installing the nethserver-docker via yum install --enablerepo=nethforge-testing nethserver-docker resulted in the following error:


[root@nethdemo ~]# yum install --enablerepo=nethforge-testing nethserver-docker
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

I also noted that yum install of results in a failed connection. Am I missing something?

Sorry, I was testing. It should work now again, please try.
Alternatively you may download my new repo located on another server where I do no testing:

yum -y install