[lxc-users] Filtering container traffic with iptables on host

Björn Fischer bf at CeBiTec.Uni-Bielefeld.DE
Mon Oct 2 11:22:32 UTC 2017


Hello,

> Containers are like separate machines and can be managed as such.
> If each container has an IP address, why can't you hide them behind
> the host via NAT and manage connections to them in iptables' FORWARD
> chain.

I already tested that setup and it seems to work. But for now I am still
trying to achieve my goal without the complexity of NAT (and lxdbr0). If
it wasn't for the ipfilter issue, macvlan would fit our use case perfectly.

> Alternatively, you can create an iptables ruleset on the host
> and mount it inside a container. For instance, in archlinux the
> mountpoint will be rootfs/etc/iptables/iptables.rules and in fedora
> -- rootfs/etc/sysconfig/iptables. Of course, this is assuming default
> service/init script. If you are still interested, I can explain in
> more detail how we manage containers here...

That won't be applicable here. We need to deploy unprivileged containers
with delegated root privileges, so basically we do not trust anything
inside containers. Not that we don't trust our customers, we just cannot
expect that they attend as much to security while setting up their
servers, pipelines, and workflows as we do. So, containment is the most
important requirement for our setup. And that's why NAT/lxdbr0 still is
on our radar.

Thank you for your input.

Björn
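A concrete host-side ruleset for the NAT plus FORWARD-chain approach discussed above, added here as an illustration (it is not code from the thread or from LXC/LXD). The bridge name, container subnet, uplink interface and published service address are assumed placeholders; containers are treated as untrusted, so forwarding is default-deny and the host is the only enforcement point.

```shell
#!/bin/sh
# Added example, not code from the thread: host-side iptables rules for
# containers hidden behind the host via NAT, with the FORWARD chain as the
# only place policy is enforced (nothing inside a container is trusted).
# Assumed values: bridge lxdbr0, container subnet 10.0.3.0/24, uplink eth0,
# one published service at 10.0.3.10:8080. Run with "apply" to install the
# rules, or "show" to print them without touching the firewall.
BRIDGE=${BRIDGE:-lxdbr0}
SUBNET=${SUBNET:-10.0.3.0/24}
UPLINK=${UPLINK:-eth0}
SVC_IP=${SVC_IP:-10.0.3.10}
SVC_PORT=${SVC_PORT:-8080}

# Wrapper so the same rule list can be printed (DRY_RUN=1) or applied.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Hide the container subnet behind the host address on the uplink.
    ipt -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
    # Default-deny forwarding; every line below is an explicit exception.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Keep containers out of the private ranges behind the host...
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A FORWARD -i "$BRIDGE" -d "$net" -j DROP
    done
    # ...but let them initiate connections outward through the uplink.
    ipt -A FORWARD -i "$BRIDGE" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
    # Publish one service: DNAT on the uplink, then allow only that flow in.
    ipt -t nat -A PREROUTING -i "$UPLINK" -p tcp --dport "$SVC_PORT" \
        -j DNAT --to-destination "$SVC_IP:$SVC_PORT"
    ipt -A FORWARD -i "$UPLINK" -o "$BRIDGE" -p tcp -d "$SVC_IP" \
        --dport "$SVC_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Note: container-to-container traffic on the same bridge is switched at
    # layer 2 and only reaches FORWARD when br_netfilter is loaded with
    # net.bridge.bridge-nf-call-iptables=1.
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

The order matters: the ESTABLISHED,RELATED accept precedes the private-range drops so replies to published services still flow, while the drops precede the general outbound accept so new container-initiated connections cannot reach other internal networks via the uplink.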


