[lxc-users] firewall per sandbox

Stéphane Graber stgraber at ubuntu.com
Wed Jun 4 21:19:02 UTC 2014


On Wed, Jun 04, 2014 at 02:14:30PM -0700, Vijay Viswanathan wrote:
> Hi,
> What is the best way to implement a firewall in a container ?
> Currently, I am thinking of associating an interface (let's say veth21) with a
> container and applying iptables rules on that interface.
> veth21 will be bridged to the host interface.

You can indeed do that, or just do iptables in the container or if you
have the net_cls cgroup enabled in your kernel, set net_cls.classid so
that all packets coming from processes running in the container are
automatically tagged for processing in netfilter (see
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt).

> 
> This way I can filter traffic going in/out host network.
> 
> Please comment.
> 
> Thx.



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
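The three placements named in the reply above (rules on the host side of the container's veth, rules inside the container, and net_cls classid tagging matched in netfilter), written out as an added shell example. This is not code from the thread or from LXC itself; the container name web, the host-side veth21, the bridge br0, the cgroup path lxc/web and the classid 0x00100001 are assumptions chosen for illustration.

```shell
# Added example: emit the commands for each of the three firewall placements.
# Nothing here runs as root by itself; pipe a function's output to sh to apply it.
set -eu

# net_cls.classid is one 32-bit value: major in the upper 16 bits, minor in the
# lower 16 (see net_cls.txt). Build it from decimal major/minor, e.g. 16 1 -> 0x00100001.
classid() {
    printf '0x%04x%04x' "$1" "$2"
}

# Option 1: filter on the host side of the container's veth.
# veth21 is a bridge port, so the host's FORWARD chain only sees its frames when
# bridge-nf-call-iptables=1, and -i/-o then name the bridge, not the port. The
# port is matched with the physdev module instead.
host_veth_rules() {
    veth=$1
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-in $veth -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $veth -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $veth -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $veth -j DROP
iptables -A FORWARD -m physdev --physdev-out $veth -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out $veth -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out $veth -j DROP
EOF
}

# Option 2: rules inside the container's own network namespace, via lxc-attach.
# These are enforced by the container itself: a root process in the container
# that holds CAP_NET_ADMIN can flush them, so this is policy, not containment.
in_container_rules() {
    name=$1
    cat <<EOF
lxc-attach -n $name -- iptables -P OUTPUT DROP
lxc-attach -n $name -- iptables -A OUTPUT -o lo -j ACCEPT
lxc-attach -n $name -- iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
lxc-attach -n $name -- iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
lxc-attach -n $name -- iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
EOF
}

# Option 3: tag every socket opened by the container's processes with a
# net_cls classid and match it with xt_cgroup (kernel 3.14+, iptables 1.4.21+).
# The cgroup path is an assumption; the same value can be set from the container
# config with "lxc.cgroup.net_cls.classid = <id>" so LXC applies it at start.
net_cls_rules() {
    cgroup=$1
    id=$2
    cat <<EOF
mkdir -p /sys/fs/cgroup/net_cls/$cgroup
echo $id > /sys/fs/cgroup/net_cls/$cgroup/net_cls.classid
iptables -A OUTPUT -m cgroup --cgroup $id -p tcp --dport 25 -j REJECT
iptables -A OUTPUT -m cgroup --cgroup $id -j LOG --log-prefix "lxc-web: "
EOF
}

# Usage: review, then apply one placement, for example
#   host_veth_rules veth21 | sh
#   net_cls_rules lxc/web "$(classid 16 1)" | sh
```

The cgroup match is evaluated against the socket that generated the packet, so it fires in the OUTPUT/POSTROUTING chains of whichever network namespace owns that socket; for a container with its own veth that is the container's namespace, which is why Option 3 is combined here with the classid rather than relied on from the host's FORWARD chain. Option 1 is the only one of the three that the container cannot undo from the inside.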