[lxc-users] firewall per sandbox
Stéphane Graber
stgraber at ubuntu.com
Wed Jun 4 21:19:02 UTC 2014
On Wed, Jun 04, 2014 at 02:14:30PM -0700, Vijay Viswanathan wrote:
> Hi,
> What is the best way to implement a firewall in a container?
> Currently, I am thinking of associating an interface (let's say veth21) to a
> container and applying iptables rules on that interface.
> veth21 will be bridged to host interface.
You can indeed do that, or just do iptables in the container, or, if you
have the net_cls cgroup enabled in your kernel, set net_cls.classid so
that all packets coming from processes running in the container are
automatically tagged for processing in netfilter (see
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt).
>
> This way I can filter traffic going in/out host network.
>
> Please comment.
>
> Thx.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
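
The net_cls.classid option from the reply above, as an added example that is not part of the original message or of LXC's own code. The class ID encoding and the `-m cgroup --cgroup` match follow the linked kernel document; the container name `web1`, the chain name `lxc-web1` and the `lxc.cgroup.net_cls.classid` config key (LXC's cgroup v1 `lxc.cgroup.<file>` form) are assumptions. The script only computes and prints values and changes nothing on the host.

```shell
#!/bin/sh
# Added example: helpers for tagging a container's traffic with net_cls.

# tc handle "MAJOR:MINOR" (hex, up to 4 digits each) -> 0xAAAABBBB class ID.
handle_to_classid() {
    case $1 in *:*) ;; *) return 1 ;; esac
    major=${1%%:*}
    minor=${1#*:}
    for part in "$major" "$minor"; do
        case $part in ''|*[!0-9a-fA-F]*) return 1 ;; esac
        [ "${#part}" -le 4 ] || return 1
    done
    printf '0x%x%04x\n' "$((0x$major))" "$((0x$minor))"
}

# Reading net_cls.classid back returns the value in decimal, so convert
# it to MAJOR:MINOR when auditing which class a cgroup is in.
classid_to_handle() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    printf '%x:%x\n' "$(($1 >> 16))" "$(($1 & 0xffff))"
}

# Print the container config line plus rules that send tagged traffic to a
# per-container chain (chain name is hypothetical), where the policy lives.
emit_rules() {
    name=$1
    cid=$(handle_to_classid "$2") || return 1
    echo "lxc.cgroup.net_cls.classid = $cid"
    echo "iptables -N lxc-$name"
    echo "iptables -A OUTPUT -m cgroup --cgroup $cid -j lxc-$name"
}

# Constructed sample: container "web1" gets handle 10:1.
emit_rules web1 10:1
```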