[lxc-users] Filtering container traffic with iptables on host

Leonid Isaev leonid.isaev at jila.colorado.edu
Mon Oct 2 00:04:29 UTC 2017


On Fri, Sep 29, 2017 at 02:23:40PM +0200, Björn Fischer wrote:
> Hello LXC-Users,
> 
> here at the CeBiTec, Bielefeld University, I'm currently looking
> into replacements for Solaris zones. Now that you can even use
> Docker in unprivileged LXD containers, an LXD based solution
> seems to be a candidate for larger deployment.
> 
> But there still is one issue I have with LXD containers. I want
> to be able to filter traffic from and to specific LXD containers
> on the host with iptables. I approached this using cgroups and
> net_cls. While this works for processes on the host, it does not
> work for processes in containers.

Containers are like separate machines and can be managed as such. If each
container has an IP address, why can't you hide them behind the host via NAT
and manage connections to them in iptables' FORWARD chain?

Alternatively, you can create an iptables ruleset on the host and mount it
inside a container. For instance, in archlinux the mountpoint will be
rootfs/etc/iptables/iptables.rules and in fedora --
rootfs/etc/sysconfig/iptables. Of course, this is assuming default service/init
script. If you are still interested, I can explain in more detail how we manage
containers here...

HTH,
L.

-- 
Leonid Isaev
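The NAT-plus-FORWARD arrangement the reply describes, written out as an iptables-restore ruleset. This is an added example, not anything posted in the thread; the bridge name (lxdbr0), subnet (10.0.3.0/24), container address and uplink interface (eth0) are assumptions, and the script only writes the ruleset to a file for review instead of loading it into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that hides containers behind the host with NAT and filters one container's
# traffic in the FORWARD chain. Assumed values: bridge lxdbr0, subnet
# 10.0.3.0/24, uplink eth0. Nothing is applied here; inspect the output and
# load it as root with `iptables-restore < FILE` when satisfied.

BRIDGE=lxdbr0
SUBNET=10.0.3.0/24
UPLINK=eth0

# write_ruleset OUTFILE CONTAINER_IP PUBLISHED_TCP_PORT
# The container is reachable from outside only on one TCP port, may only
# originate DNS and web traffic, and everything else crossing the bridge is
# logged (rate limited) and then dropped by the chain policy.
write_ruleset() {
    out=$1; cip=$2; port=$3
    cat > "$out" <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Containers leave the host with its address, like hosts behind a router
-A POSTROUTING -s $SUBNET ! -d $SUBNET -o $UPLINK -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies to already-accepted flows in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound to the container: only the published service port
-A FORWARD -i $UPLINK -o $BRIDGE -d $cip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Outbound from the container: DNS and HTTP(S) only
-A FORWARD -i $BRIDGE -o $UPLINK -s $cip -p udp --dport 53 -j ACCEPT
-A FORWARD -i $BRIDGE -o $UPLINK -s $cip -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Anything else from or to this container is logged, then hits the DROP policy
-A FORWARD -s $cip -m limit --limit 5/min -j LOG --log-prefix "lxd-fwd-drop: "
-A FORWARD -d $cip -m limit --limit 5/min -j LOG --log-prefix "lxd-fwd-drop: "
COMMIT
EOF
}

# count_rules_for FILE PATTERN: number of generated lines mentioning PATTERN,
# handy for checking that every rule for a container made it into the file
count_rules_for() {
    grep -c -- "$2" "$1"
}
```

Each container gets its own address-specific rules this way, so no cgroup or net_cls cooperation from inside the container is needed.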

