[lxc-users] lxc-security: iptables audit with nflog not working with default settings (insecure)

Fajar A. Nugraha list at fajar.net
Wed Mar 11 12:36:09 UTC 2015


On Wed, Mar 11, 2015 at 7:22 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Mar 11, 2015 at 7:02 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:
>> This should be exactly the configuration I have tested so far. But that did
>> not yet solve my problem ...
>>
>> * If some process in guest registers for the same NFLOG queue, he can "steal"
>> the messages from the host queue, thus removing traces of his activity from
>> host logging. SECURITY-ASPECT: apart from log corruption, the guest can get
>> knowledge about any other connection to/from other containers and the host and
>> as they include sequence numbers, may be able to inject spoofed data into any
>> other unencrypted TCP connection or at least interrupt the connection using
>> another helper machine.
>
> No. What makes you believe that?
>
> Host and containers do not share iptables rules. Their entire
> network stack is separated through network namespaces. There's no such
> thing as "stealing the message".


To further clarify:

The default lxc networking setup (veth with bridge) MAY allow a
container to snoop/hijack traffic to/from other containers. This is
similar to how computers on the same LAN, connected to a dumb
switch, can potentially snoop/hijack traffic to/from other computers.
This is an ethernet bridge issue, not an iptables issue, nor an lxc issue.

To prevent that issue, there are some options you can use. One option
is to create a separate bridge for each container. The other option
would be to use my alternative setup which I linked to earlier, which
does NOT use a bridge.

-- 
Fajar
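As an added example (not from this thread, and not LXC project code), the following script audits LXC 1.x-style container configs for the shared-bridge situation Fajar describes: any `lxc.network.link` bridge that more than one veth-attached container uses is reported, so an administrator can see which containers sit on the same "dumb switch". It assumes the classic `lxc.network.type` / `lxc.network.link` keys and reads config text passed in directly (the sample configs below are constructed) so it runs offline; on a real host you would feed it the contents of each container's `config` file.

```python
"""Audit LXC 1.x container configs for containers sharing an Ethernet bridge.

Added example, not from the lxc-users thread or the LXC project. It assumes
the LXC 1.x keys ``lxc.network.type = veth`` and ``lxc.network.link = <bridge>``.
"""
import re
from collections import defaultdict

# Constructed sample configs: c1 and c2 share lxcbr0, c3 has a bridge of its own.
SAMPLE_CONFIGS = {
    "c1": """
# constructed sample config for container c1
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
""",
    "c2": """
# constructed sample config for container c2
lxc.network.type = veth
lxc.network.link = lxcbr0   # same bridge as c1
lxc.network.flags = up
""",
    "c3": """
# constructed sample config for container c3: its own bridge
lxc.network.type = veth
lxc.network.link = br-c3
lxc.network.flags = up
""",
}

_TYPE_RE = re.compile(r"^\s*lxc\.network\.type\s*=\s*(\S+)\s*$")
_LINK_RE = re.compile(r"^\s*lxc\.network\.link\s*=\s*(\S+)\s*$")


def bridges_of(config_text):
    """Return the bridges a config attaches veth interfaces to, in config order.

    A ``lxc.network.type`` line starts a new interface definition; only the
    ``lxc.network.link`` of a ``veth`` interface names a bridge, so links for
    other types (e.g. macvlan, which names a physical NIC) are ignored.
    """
    bridges = []
    current_type = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = _TYPE_RE.match(line)
        if m:
            current_type = m.group(1)
            continue
        m = _LINK_RE.match(line)
        if m and current_type == "veth":
            bridges.append(m.group(1))
    return bridges


def shared_bridges(configs):
    """Map each bridge used by more than one container to the sorted container names.

    ``configs`` is {container_name: config_text}. An empty result means every
    container is on its own bridge, i.e. the per-container-bridge mitigation
    from the thread is in place.
    """
    users = defaultdict(set)
    for name, text in configs.items():
        for bridge in bridges_of(text):
            users[bridge].add(name)
    return {b: sorted(n) for b, n in users.items() if len(n) > 1}


def report(configs):
    """Human-readable summary; returns the number of shared bridges found."""
    shared = shared_bridges(configs)
    for bridge, names in sorted(shared.items()):
        print(f"bridge {bridge} is shared by: {', '.join(names)}")
    if not shared:
        print("no shared bridges: each container has its own bridge")
    return len(shared)


if __name__ == "__main__":
    report(SAMPLE_CONFIGS)
```

With the constructed configs the report flags `lxcbr0` as shared by `c1` and `c2` while `c3` is left alone; the check only looks at the config, so it complements, rather than replaces, inspecting the live bridge with `brctl show` on the host.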

