[lxc-devel] [lxd/master] firewalld & lxd : how to let Firewalld control the LXD's iptables rules

kerphi on Github lxc-bot at linuxcontainers.org
Thu Apr 16 07:36:36 UTC 2020


From 030d20c307eae574d2fc4656d2f61baf0f65a09a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Gully?= <stephane.gully at gmail.com>
Date: Thu, 16 Apr 2020 09:36:16 +0200
Subject: [PATCH] firewalld & lxd : how to let Firewalld control the LXD's
 iptables rules

this is related to https://github.com/lxc/lxd/pull/7195 but this is a bit more generic
---
 doc/networks.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/doc/networks.md b/doc/networks.md
index af5b7a5dc2..d0283b79ba 100644
--- a/doc/networks.md
+++ b/doc/networks.md
@@ -164,3 +164,32 @@ firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent
 ```
 
 This will then allow LXD's own firewall rules to take effect.
+
+
+## How to let Firewalld control the LXD's iptables rules
+
+When using firewalld and LXD together, iptables rules can overlaps. For example, firewalld could erase LXD iptables rules if it is started after LXD daemon, then LXD container will not be able to do any oubound internet access.
+On way to fix it is to delegate to firewalld the LXD's iptables rules and to disable the LXD ones.
+
+First step is to [allow DNS and DHCP](#allow-dhcp-dns-with-firewalld).
+
+Then to tell to LXD totally stop to set iptables rules (because firewalld will do it):
+```
+lxc network set lxdbr0 ipv4.nat false
+lxc network set lxdbr0 ipv6.nat false
+lxc network set lxdbr0 ipv6.firewall false
+lxc network set lxdbr0 ipv4.firewall false
+```
+
+Finally, to enable iptables firewalld's rules for LXD usecase (in this example, I supose the bridge interface is `lxdbr0` and the associated IP range is `10.0.0.0/24`:
+```
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lxdbr0 -s 10.0.0.0/24 -m comment --comment "generated by firewalld for LXD" -j ACCEPT
+firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lxdbr0 -d 10.0.0.0/24 -m comment --comment "generated by firewalld for LXD" -j ACCEPT
+firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i lxdbr0 -s 10.0.0.0/24 -m comment --comment "generated by firewalld for LXD" -j ACCEPT
+firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.0.0.0/24 ! -d 10.0.0.0/24 -m comment --comment "generated by firewalld for LXD" -j MASQUERADE
+firewall-cmd --reload
+```
+To check the rules are taken into account by firewalld:
+```
+firewall-cmd --direct --get-all-rules 
+```
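Review bot: the direct rules in this hunk are one-directional and IPv4-only, and the text does not say so. The FORWARD rule `firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i lxdbr0 -s 10.0.0.0/24 ... -j ACCEPT` only accepts traffic leaving the bridge; no rule accepts traffic back into it (`-o lxdbr0 -d 10.0.0.0/24`), so either add that rule or state explicitly that reply traffic relies on firewalld's established/related conntrack handling. Likewise, the section turns off `ipv6.nat` and `ipv6.firewall` but adds only `ipv4` direct rules, which leaves the bridge with no IPv6 rules at all; add the `ipv6` equivalents or say plainly that the example covers IPv4 only. It is also worth a sentence noting that `ipv4.firewall false` removes LXD's own DHCP/DNS accept rules, which is why the link to the "allow DNS and DHCP" step is a prerequisite rather than optional. Finally, the prose needs a copy pass: "rules can overlaps" should be "rules can overlap", "oubound" should be "outbound", "On way" should be "One way", "supose" should be "suppose", and the sentence ending "is `10.0.0.0/24`:" is missing its closing parenthesis; the `firewall-cmd --direct --get-all-rules` line also carries trailing whitespace.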