[lxc-users] Router inside LXC with "lxc.network.type = phys" to the WAN-port

Thomas Huber miraculli at gmail.com
Fri Jan 31 11:26:30 UTC 2014


On 30.01.2014 at 18:52, Leonid Isaev <lisaev at umail.iu.edu> wrote:

> On Thu, 30 Jan 2014 11:21:12 +0100
> Thomas Huber <miraculli at gmail.com> wrote:
> 
>> Hi out there,
>> 
>> is it a good idea to set up a kind of virtual router inside an LXC?
>> I have a server with dual 1Gbit NICs and the server should run several
>> services. I would also like to use it as a router and I thought it would be
>> quite nice to set it up inside an LXC by mapping the WAN port with
>> "lxc.network.type = phys" to the container.
>> 
>> first of all: is this a good idea?
>> 
> 
> So, 1st NIC is WAN and another is LAN? Then you'll have to create a bridge on
> the host, add the LAN interface to it (and whatever VM interfaces), and tell the
> container to route traffic between WAN and this bridge. Is that what you want
> to do?

Yes, that's the idea.

> 
> This is doable (I need to think about how to best accomplish this), albeit
> rather complex (and complexity is bad for security). Note that the router itself is
> in principle unbreakable because the only services it runs are dnsmasq/dhcpd and
> ssh, which can be locked down. So, if you are trying to protect the host, you
> won't accomplish much. OTOH, what if there is a problem with LXC
> userspace/kernel components which prevents containers from starting?
> 
> Therefore I'd avoid complexity and do the routing in the host, while putting
> other services in containers/VMs. At least that is the setup I converged to
> after lots of trial and error.

I see your point and that's why I'm asking.
The idea was not only to protect the host but also the other running services / VMs:
- KVM with Windows 2008 R2 and MS-SQL running inside
- a service for Wifi management with multiple access points running inside a JVM
- samba

Would you start the services just with lxc-execute or set up a complete container?

> 
> HTH,
> L.
> 
>> second: is it possible to do all the firewalling inside the LXC or is it
>> better (more secure) to do this at the host?
>> 
>> Thanks and all the best
>> mirac
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> 
> 
> -- 
> Leonid Isaev
> GnuPG key: 0x164B5A6D
> Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
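To make the layout Leonid describes concrete (WAN NIC handed to the container with "lxc.network.type = phys", LAN NIC bridged on the host, the container routing between the two), here is an added example script. It is not from the thread or from the LXC project; the interface names eth0/eth1, the bridge name br-lan, the container name "router" and the 192.168.1.0/24 subnet are assumptions, and the config uses the pre-2.1 lxc.network.* key syntax that was current in 2014. The script renders the container config and prints the host and in-container commands instead of applying them, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the thread or the LXC project.
# Assumed names: eth0 = WAN NIC, eth1 = LAN NIC, br-lan = host bridge,
# "router" = container name, 192.168.1.1/24 = router's LAN address.
# Override any of them via the environment, e.g. WAN_NIC=enp1s0.

WAN_NIC=${WAN_NIC:-eth0}
LAN_NIC=${LAN_NIC:-eth1}
BRIDGE=${BRIDGE:-br-lan}
LAN_CIDR=${LAN_CIDR:-192.168.1.1/24}

# Write the container's LXC config (pre-2.1 key syntax) to the path in $1.
render_lxc_config() {
    cat > "$1" <<EOF
lxc.utsname = router

# WAN: the physical NIC is moved into the container's network namespace.
# While the container runs, the host itself has no WAN interface at all;
# the NIC only reappears on the host when the container stops.
lxc.network.type = phys
lxc.network.link = $WAN_NIC
lxc.network.name = wan0
lxc.network.flags = up

# LAN: a veth pair whose host end is enslaved to the host bridge that also
# carries the LAN NIC and the other VMs' interfaces.
lxc.network.type = veth
lxc.network.link = $BRIDGE
lxc.network.name = lan0
lxc.network.flags = up
lxc.network.ipv4 = $LAN_CIDR
EOF
}

# Host side: create the bridge and attach the physical LAN NIC to it.
host_bridge_commands() {
    cat <<EOF
ip link add $BRIDGE type bridge
ip link set $LAN_NIC master $BRIDGE
ip link set $LAN_NIC up
ip link set $BRIDGE up
EOF
}

# Inside the container: enable forwarding, default-deny the FORWARD chain,
# allow LAN->WAN plus established/related return traffic, and NAT on WAN.
container_router_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
iptables -A FORWARD -i wan0 -o lan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
EOF
}

# Stand-alone use: sh router-lxc.sh /path/to/router/config
if [ "$#" -ge 1 ]; then
    render_lxc_config "$1"
    echo "# wrote LXC config to $1"
    echo "# run on the host:"
    host_bridge_commands
    echo "# run inside the container:"
    container_router_commands
fi
```

Two properties of this layout are worth noting. The FORWARD policy has to live in the container's network namespace, because with a phys interface the host never sees the WAN side at all. And, as Leonid points out, that same property is the failure mode: if the container cannot start, nothing on the host is routing, and the WAN NIC sits idle until the container comes up again.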