[lxc-users] Router inside LXC with "lxc.network.type = phys" to the WAN-port

Leonid Isaev lisaev at umail.iu.edu
Thu Jan 30 17:52:09 UTC 2014


On Thu, 30 Jan 2014 11:21:12 +0100
Thomas Huber <miraculli at gmail.com> wrote:

> Hi out there,
> 
> is it a good idea to set up a kind of virtual router inside an LXC?
> I got a server with dual 1Gbit NIC and the server should run several
> services. I also would like to use it as a router and I thought it would be
> quite nice to set it up inside an LXC by mapping the WAN-port with
> "lxc.network.type = phys" to the container.
>
> first of all: is this a good idea?
> 

So, the 1st NIC is WAN and the other is LAN? Then you'll have to create a bridge on
the host, add the LAN interface to it (and whatever VM interfaces), and tell the
container to route traffic between WAN and this bridge. Is that what you want
to do?

This is doable (I need to think about how to best accomplish this), albeit
rather complex (and complexity is bad for security). Note that the router itself is
in principle unbreakable because the only services it runs are dnsmasq/dhcpd and
ssh, which can be locked down. So, if you are trying to protect the host, you
won't accomplish much. OTOH, what if there is a problem with the LXC
userspace/kernel components which prevents containers from starting?

Therefore I'd avoid complexity and do the routing on the host, while putting
other services in containers/VMs. At least that is the setup I converged to
after lots of trial and error.

HTH,
L.

> second: is it possible to do all the firewalling inside the LXC or is it
> better (more secure) to do this at the host?
> 
> Thanks and all the best
> mirac
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users



-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
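The layout Leonid sketches above (WAN NIC handed to the container with "phys", LAN side via a host bridge), written out as an added LXC 1.x container-config example that is not from the thread or the LXC project; the interface names, bridge name and address are assumptions.

```ini
# Added example, not from the thread. Assumed names: eth0 = host WAN NIC,
# br-lan = host bridge that already holds the physical LAN NIC and the other
# containers' veth ends. Address is an assumption too.

# WAN side: the physical NIC is moved into the container's network namespace.
# While the container runs, the host no longer sees eth0 at all; it is
# returned to the host when the container stops.
lxc.network.type = phys
lxc.network.link = eth0
lxc.network.name = wan0
lxc.network.flags = up

# LAN side: a veth pair whose host end is enslaved to br-lan, so the router
# container, the LAN NIC and the service containers share one L2 segment.
lxc.network.type = veth
lxc.network.link = br-lan
lxc.network.name = lan0
lxc.network.flags = up
lxc.network.ipv4 = 192.168.1.1/24
```

The host must create br-lan (with the LAN NIC enslaved) before this container starts, and the container itself still needs net.ipv4.ip_forward=1 plus its own NAT/filter rules to actually route between wan0 and lan0. Note that the host is still attached to the LAN segment through the bridge device, so the host's own firewall policy matters regardless of where the routing happens.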