[lxc-users] LXD firewall container?

Ron Kelley rkelleyrtp at gmail.com
Thu Apr 27 18:05:31 UTC 2017


Thanks for the feedback, Spike.  After looking around for a while, I, too, decided a small ubuntu container with a minimal firewall tool is the way to go.  In my case, I used "ufw" but will also look at "firehol".

Our firewall/NAT requirements are not very large, and I finally figured out the right set of rules we need.  In essence, we just need to add these to the /etc/ufw/before.rules file and restart ufw:

------------------------------------------------------------------------
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port Forwardings (change dport to match incoming port and destination:port to match target server behind eth1)
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443

# Use this if you have IP Aliases on the front end pointing to different back-end servers
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22

# NAT traffic from inside network (30.1.1.0/24) through eth0 to the world
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE

COMMIT
------------------------------------------------------------------------

The above simply says our NAT router (192.168.24.5) sits in front of a number of private IPs (30.1.1.0/24) and provides port forwarding as well as outbound NAT.  The "IP Alias" line can be used in case we need additional front-end IPs (i.e. 192.168.24.6).

Seems to work very well so far.

Thanks for all the feedback!

-Ron
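As an added example (not Ron's or ufw's code), the script below renders the same *nat block for /etc/ufw/before.rules from a small forwarding table, validating every address and port before it emits a DNAT rule; the table format, function names and the "forwards.txt" file name are assumptions.

```sh
#!/bin/sh
# Added example: build the *nat block for /etc/ufw/before.rules from a table
# of port forwards. Each field is checked first, so a typo cannot silently
# open the wrong port or send traffic to the wrong backend.
# Assumed table format, one forward per line (constructed):
#   <front_ip> <dport> <backend_ip>:<backend_port>

# Dotted-quad IPv4 check: exactly four decimal octets, each in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$1" "$2" "$3" "$4"; do
    [ "$o" -le 255 ] || return 1
  done
}

# TCP port check: an integer in 1..65535.
valid_port() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_nat <inside_cidr> <wan_if>   (forward table on stdin)
# Prints the block on success; on the first bad entry prints nothing to
# stdout, reports the entry on stderr and returns 1.
render_nat() {
  inside=$1 wan_if=$2 rules=""
  while read -r front dport target; do
    [ -z "$front" ] && continue            # skip blank lines
    case $front in '#'*) continue ;; esac  # skip comment lines
    bip=${target%:*} bport=${target##*:}
    if ! valid_ipv4 "$front" || ! valid_port "$dport" \
       || ! valid_ipv4 "$bip" || ! valid_port "$bport" || [ "$target" = "$bip" ]; then
      printf 'bad forward entry: %s %s %s\n' "$front" "$dport" "$target" >&2
      return 1
    fi
    rules="$rules-A PREROUTING -d $front -p tcp --dport $dport -j DNAT --to-destination $bip:$bport
"
  done
  printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n%s' "$rules"
  printf '%s -s %s -o %s -j MASQUERADE\nCOMMIT\n' '-A POSTROUTING' "$inside" "$wan_if"
}

# Usage (assumed file name): render_nat 30.1.1.0/24 eth0 < forwards.txt
```

The DNAT lines only rewrite destinations; the forwarded packets are still subject to ufw's forward policy (DEFAULT_FORWARD_POLICY in /etc/default/ufw, or per-flow "ufw route allow" rules) and need net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf, so check those before concluding a forward "doesn't work".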
> On Apr 27, 2017, at 1:50 PM, Spike <spike at drba.org> wrote:
> 
> after testing one of too many firewall solutions I went back to just running plain ubuntu and then put an iptables "frontend" on top of it. In my case I chose firehol, but there's a number of them and it's largely a matter of taste/how you work. It really depends what you care for, if you want an appliance kind of thing that won't work, as it doesn't come with batteries included, i.e. a gui, graphs etc, but if you want a clean working firehol without the hassle of managing rules yourself, then ubuntu + a fw manager will do wonders and actually keeps things simpler ime.
> 
> hope that helps,
> 
> Spike
> 
> On Mon, Apr 24, 2017 at 10:07 PM gunnar.wagner <gunnar.wagner at netcologne.de> wrote:
> I know that's only touching your point slightly but (as far as I know) pfSense requires 2 physical WAN ports in order to run.
> So I'd doubt it can be containerized to begin with
> 
> 
> On 4/25/2017 12:10 AM, Ron Kelley wrote:
>> Greetings all,
>> 
>> I am looking for an easy-to-configure firewall tool that provides NAT/Gateway/Firewall functions for other containers.  I know I can use iptables, etc, but I would like something more easily managed (web-based tool?) like pfSense, IPFire, IPCop, etc.  Unfortunately, many of the tools are ISO based which require “real” VM instances.  
>> 
>> I can’t seem to find any turn-key LXD firewall images; maybe I am looking in the wrong place?
>> 
>> Any pointers?
>> 
>> Thanks.
>> _______________________________________________
>> lxc-users mailing list
>> 
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> -- 
> Gunnar Wagner | Yongfeng Village Group 12 #5, Pujiang Town, Minhang District, 201112 Shanghai, P.R. CHINA 
> mob +86.159.0094.1702 | skype: professorgunrad | wechat: 15900941702