[lxc-users] IPTABLES isolation

webman at manfbraun.de webman at manfbraun.de
Sun Sep 4 22:23:36 UTC 2016


Hello !

Probably someone knows about iptables. If I use an LXC based VM,
I am sharing the host iptables with the VM. But I do not understand
the scenario in full. What makes my basic setup run is that I
initialized the required modules on the host side (at its start),
so the LXC VM is finding already loaded modules.

What I wish to achieve is to build a firewall router as a VM,
so I can handle rules for the ISP interface, a DMZ and the LAN
separately. My current iptables script just became unmaintainable
due to its size (I am omitting the other half of the truth:
my iptables script has evolved over the years from bad
beginnings). Anyway, I find the idea superb.

On the other hand, such a VM would have to handle nearly nothing
except packet switching, so a full virtualization, like QEMU,
may fit better, even with restricted CPU power (due to emulation).
But this would ensure that the iptables inside the VM are really
isolated.

There are other difficulties if Open vSwitch and iptables are
used together, which I was not able to track down until now. My
firewall starts with ports of Open vSwitch, because it allows me
to create a mirror port, which itself goes over the LAN as
VLANxx, so I can do some diagnostics on a better suited box.

Any hints and/or ideas are really very welcome!

Thanks anyway,
Manfred




