[Lxc-users] lxc-stop make Kernel crashing

Admin (LibrA-LinuX) admin at libra-linux.com
Mon Oct 17 05:53:01 UTC 2011 

It seems that the kernel crash comes from only the iptables rules using 
"recent" module. (rules in the conainers)
Since i removed the -m recent rules , i did not succeed to reproduce the 
kernel hang.

Thanks Jean-Marc for your firewall rules. My question was not about the 
iptables rules, but regarding the isolation
of syslog and my LOG rules insides containers. Actually all containers 
LOG rules are logging packets of their own containers
as usual, the problem comes that the syslog host intercept too the log 
packets.

Thanks for you support.


Le 17/10/11 07:17, LACROIX Jean Marc a écrit :
>> Date: Fri, 14 Oct 2011 17:35:02 +0200
>> From: Admin<admin at libra-linux.com>
>> Subject: [Lxc-users] lxc-stop make Kernel crashing
>> To: lxc-users at lists.sourceforge.net
>> Message-ID:<4E9856A6.70605 at libra-linux.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>> Another question, anybody implement iptables inside containers and could
>> give me advices configuring LOG chain or rsyslog inside container to
>> isolate iptables kernel log message from the hypervisor ?
>>
> Tony,
> Please find one firewall example running in a container.
> Step 0: all chain must be in DROP condition as a default case...
>     in my case, for the FORWARD chain...
>
>    /sbin/iptables \
>                --table filter \
>                --policy FORWARD DROP
>
> step 1: in the last table before, insert a rule in order to drop traffic
> in the log, and never forget to limit total number of packet (!)
>    /sbin/iptables \
>                --table filter \
>                --append FORWARD \
>                --jump LOG \
>                --log-prefix "gateway-3: DROP " \
>                --match limit \
>                --limit 4/second \
>                --limit-burst 5
>
> step 2: in the last chain, insert a SROP condition
>       /sbin/iptables \
>                --table filter \
>                --append FORWARD \
>                --jump DROP
>
>
> root at gateway-3:~# iptables --verbose --line-numbers --list FORWARD
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source
>    destination
> ..............
> 13       0     0 ACCEPT     tcp  --  eth3   eth2    192.168.22.0/24
>    anywhere            tcp dpt:www
> 14       0     0 ACCEPT     tcp  --  eth2   eth3    anywhere
>    192.168.22.0/24     tcp spt:www
> 15    1779  364K LOG        all  --  any    any     anywhere
>    anywhere            limit: avg 4/sec burst 5 LOG level warning prefix
> `gateway-3: DROP '
> 16    1784  365K DROP       all  --  any    any     anywhere
>    anywhere
>
>
> Regards
>

More information about the lxc-users mailing list