[lxc-users] LXD firewall container?
Ron Kelley
rkelleyrtp at gmail.com
Thu Apr 27 18:05:31 UTC 2017
Thanks for the feedback, Spike. After looking around for a while, I, too, decided a small ubuntu container with a minimal firewall tool is the way to go. In my case, I used "ufw" but will also look at "firehol".
Our firewall/NAT requirements are not very large, and I finally figured out the right set of rules we need. In essence, we just need to add these to the /etc/ufw/before.rules file and restart ufw:
------------------------------------------------------------------------
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port Forwardings (change dport to match incoming port and destination:port to match target server behind eth1)
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443
# Use this if you have IP Aliases on the front end pointing to different back-end servers
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
# NAT traffic from inside network (30.1.1.0/24) through eth0 to the world
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
------------------------------------------------------------------------
The above simply says our NAT router (192.168.24.5) sits in front of a number of private IPs (30.1.1.0/24) and provides port forwarding as well as outbound NAT. The “IP Alias” line can be used in case we need additional front-end IPs (i.e. 192.168.24.6).
Seems to work very well so far.
Thanks for all the feedback!
-Ron
> On Apr 27, 2017, at 1:50 PM, Spike <spike at drba.org> wrote:
>
> after testing one of too many firewall solutions I went back to just running plain ubuntu and then put an iptables "frontend" on top of it. In my case I chose firehol, but there's a number of them and it's largely a matter of taste/how you work. It really depends what you care for, if you want an appliance kind of thing that won't work, as it doesn't come with batteries included, i.e. a GUI, graphs etc., but if you want a clean working firehol without the hassle of managing rules yourself, then ubuntu + a fw manager will do wonders and actually keeps things simpler IME.
>
> hope that helps,
>
> Spike
>
> On Mon, Apr 24, 2017 at 10:07 PM gunnar.wagner <gunnar.wagner at netcologne.de> wrote:
> I know that's only touching your point slightly but (as far as I know) pfSense requires 2 physical WAN ports in order to run.
> So I'd doubt it can be containerized to begin with
>
>
> On 4/25/2017 12:10 AM, Ron Kelley wrote:
>> Greetings all,
>>
>> I am looking for an easy-to-configure firewall tool that provides NAT/Gateway/Firewall functions for other containers. I know I can use iptables, etc, but I would like something more easily managed (web-based tool?) like pfSense, IPFire, IPCop, etc. Unfortunately, many of the tools are ISO based which require “real” VM instances.
>>
>> I can’t seem to find any turn-key LXD firewall images; maybe I am looking in the wrong place?
>>
>> Any pointers?
>>
>> Thanks.
>> _______________________________________________
>> lxc-users mailing list
>>
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
> --
> Gunnar Wagner | Yongfeng Village Group 12 #5, Pujiang Town, Minhang District, 201112 Shanghai, P.R. CHINA
> mob +86.159.0094.1702 | skype: professorgunrad | wechat: 15900941702
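A small audit helper for the before.rules NAT section shown in Ron's message, added here as an example and not part of the thread: it parses the *nat table, lists the port forwards, and flags any DNAT rule that is not pinned to a front-end IP and protocol, or any MASQUERADE not tied to the inside subnet and egress interface. The sample ruleset is constructed from the post's rules plus one deliberately over-broad rule (30.1.1.9:80 is a made-up backend) to show what gets flagged.

```python
import shlex
# Constructed sample: the post's *nat rules plus one over-broad DNAT rule (no -d) to flag.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 30.1.1.9:80
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Map each option of one '-A CHAIN ...' line to its value (True if flag-only)."""
    toks, opts = shlex.split(line), {}
    for i, t in enumerate(toks):
        if t.startswith("-"):
            nxt = toks[i + 1] if i + 1 < len(toks) else "-"
            opts[t] = nxt if not nxt.startswith("-") else True
    return opts

def nat_rules(text):
    """Yield parsed '-A' rules that sit between '*nat' and its COMMIT; other tables are skipped."""
    in_nat = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif line == "COMMIT":
            in_nat = False
        elif in_nat and line.startswith("-A "):
            yield parse_rule(line)

def forwards(text):
    """List (front-end IP or None, incoming port, backend host:port) for every DNAT rule."""
    return [(r.get("-d"), r.get("--dport"), r.get("--to-destination"))
            for r in nat_rules(text) if r.get("-j") == "DNAT"]

def audit(text):
    """Return findings for NAT rules that are wider than the pattern used in the post."""
    findings = []
    for r in nat_rules(text):
        if r.get("-j") == "DNAT" and not ("-d" in r and "-p" in r):
            findings.append("DNAT to %s lacks -d/-p restriction" % r.get("--to-destination"))
        elif r.get("-j") == "MASQUERADE" and not ("-s" in r and "-o" in r):
            findings.append("MASQUERADE lacks -s/-o restriction")
    return findings
```

Run it against the real /etc/ufw/before.rules with `audit(open("/etc/ufw/before.rules").read())`; an empty list means every DNAT is bound to a specific front-end address and protocol and the MASQUERADE is scoped to the inside subnet and interface.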