[lxc-users] Filtering container traffic with iptables on host
Björn Fischer
bf at CeBiTec.Uni-Bielefeld.DE
Fri Sep 29 12:23:40 UTC 2017
Hello LXC-Users,
here at the CeBiTec, Bielefeld University, I'm currently looking
into replacements for Solaris zones. Now that you can even use
Docker in unprivileged LXD containers, an LXD based solution
seems to be a candidate for larger deployment.
But there still is one issue I have with LXD containers. I want
to be able to filter traffic from and to specific LXD containers
on the host with iptables. I approached this using cgroups and
net_cls. While this works for processes on the host, it does not
work for processes in containers.
Here is a transcript of what I tried so far:
------snip------
root at drax:/root# lxc --version
2.17
root at drax:/root# lxc profile show default
config:
  environment.http_proxy: ""
  user.network_mode: ""
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: macvlan
    parent: eth0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by: []
root at drax:/root# lxc launch ubuntu-daily:16.04 moonraker -p default
Creating moonraker
Starting moonraker
root at drax:/root# mkdir /sys/fs/cgroup/net_cls/ping
root at drax:/root# echo 1234 > /sys/fs/cgroup/net_cls/ping/net_cls.classid
[ starting ping on host ]
root at drax:/root# ps -ef | grep ping
root 3897 3187 0 13:23 pts/3 00:00:00 ping 10.0.160.1
root at drax:/root# echo 3897 > /sys/fs/cgroup/net_cls/ping/tasks
root at drax:/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root at drax:/root# iptables -A OUTPUT -m cgroup --cgroup 1234 -j DROP
[ ping fails ]
root at drax:/root# iptables -D OUTPUT -m cgroup --cgroup 1234 -j DROP
[ ping operational again, iptables working as advertised ]
[ now start ping in container ]
root at drax:/root# lxc shell moonraker
run-parts: /etc/update-motd.d/98-fsck exited with return code 1
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
mesg: ttyname failed: Success
root at moonraker:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.160.33
netmask 255.255.255.0
network 10.0.160.0
gateway 10.0.160.1
broadcast 10.0.160.255
root at moonraker:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:d0:ae:30
inet addr:10.0.160.33 Bcast:10.0.160.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fed0:ae30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1066 errors:0 dropped:0 overruns:0 frame:0
TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69641 (69.6 KB) TX bytes:9982 (9.9 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1572 (1.5 KB) TX bytes:1572 (1.5 KB)
root at moonraker:~# ping 10.0.160.1
PING 10.0.160.1 (10.0.160.1) 56(84) bytes of data.
64 bytes from 10.0.160.1: icmp_seq=1 ttl=255 time=5.04 ms
64 bytes from 10.0.160.1: icmp_seq=2 ttl=255 time=0.598 ms
[...]
[ on host try iptables again ]
root at drax:/root#
root at drax:/root# ps -ef | grep ping
558752 4684 4029 0 13:31 pts/6 00:00:00 ping 10.0.160.1
root at drax:/root# echo 4684 > /sys/fs/cgroup/net_cls/ping/tasks
root at drax:/root# iptables -A OUTPUT -m cgroup --cgroup 1234 -j DROP
[ ping continues ]
root at drax:/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere cgroup 1234
[ iptables rule is active but has no effect on ping in container ]
------snip------
Certainly I am missing something very obvious.
If anyone could point me in the right direction,
I would appreciate that.
Thanks for your help.
Björn Fischer
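The post above checks the rule with a plain `iptables -L`, which shows that the rule exists but not whether it has matched anything, and it moves the PID into the cgroup without checking which network namespace the process lives in (netfilter chains are per network namespace, so the host's OUTPUT chain only sees packets from sockets created in the host namespace). The following script is an added diagnostic, not part of the original post or of LXD: it parses the cgroup v1 `/proc/<pid>/cgroup` format and the `iptables -L OUTPUT -v -n -x` counter output, compares the process's network namespace with that of PID 1, and reports whether a host-side `-m cgroup --cgroup <classid>` rule can match the process at all. The sample inputs are constructed to mirror the transcript; the `diagnose_live` helper assumes it runs as root on the host.

```python
#!/usr/bin/env python3
"""Diagnostic for host-side 'iptables -m cgroup --cgroup <classid>' rules.

Added example, not from the original mailing-list post. For a PID it reports:
which net_cls cgroup it is in, whether a rule for the classid exists and how many
packets it has matched, and whether the process shares the host's network
namespace (the host's OUTPUT chain never sees packets from another namespace).
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

CGROUP_MATCH_RE = re.compile(r"\bcgroup\s+(\d+)\b")


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Parse cgroup v1 /proc/<pid>/cgroup lines 'id:ctrl[,ctrl]:path' into {controller: path}."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        for ctrl in controllers.split(","):
            if ctrl:
                mapping[ctrl] = path
    return mapping


def parse_iptables_chain(text: str) -> List[dict]:
    """Parse 'iptables -L <chain> -v -n -x' output into rules with packet counters.

    -x prints exact counters (no K/M suffixes), -n suppresses DNS lookups.
    """
    rules: List[dict] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the 'Chain ...' header and the column-name header line.
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        m = CGROUP_MATCH_RE.search(line)
        rules.append({
            "pkts": int(fields[0]),
            "target": fields[2],
            "classid": int(m.group(1)) if m else None,
        })
    return rules


def diagnose(proc_cgroup_text: str, in_host_netns: bool, chain_text: str, classid: int) -> dict:
    """Combine the three facts; 'filterable_on_host' is True only when a host rule can match."""
    net_cls_path: Optional[str] = parse_proc_cgroup(proc_cgroup_text).get("net_cls")
    matching = [r for r in parse_iptables_chain(chain_text) if r["classid"] == classid]
    return {
        "net_cls_path": net_cls_path,
        "rule_present": bool(matching),
        "rule_hits": sum(r["pkts"] for r in matching),
        "host_netns": in_host_netns,
        "filterable_on_host": bool(matching) and in_host_netns and net_cls_path is not None,
    }


def diagnose_live(pid: int, classid: int, chain: str = "OUTPUT") -> dict:
    """Run the check against a real PID; needs root for iptables and /proc/<pid>/ns/net."""
    with open(f"/proc/{pid}/cgroup") as fh:
        cgroup_text = fh.read()
    # PID 1 on the host is assumed to live in the host's network namespace.
    same_ns = os.readlink(f"/proc/{pid}/ns/net") == os.readlink("/proc/1/ns/net")
    chain_text = subprocess.run(
        ["iptables", "-L", chain, "-v", "-n", "-x"],
        check=True, capture_output=True, text=True).stdout
    return diagnose(cgroup_text, same_ns, chain_text, classid)


# Constructed sample data modelled on the transcript (not captured from a real host).
HOST_PING_CGROUP = """\
12:net_cls,net_prio:/ping
11:memory:/user.slice
1:name=systemd:/user.slice/user-0.slice/session-3.scope
"""
CONTAINER_PING_CGROUP = HOST_PING_CGROUP  # the PID was moved into the same host cgroup
OUTPUT_CHAIN_HOST_TEST = """\
Chain OUTPUT (policy ACCEPT 981 packets, 123456 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5        420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            cgroup 1234
"""
OUTPUT_CHAIN_CONTAINER_TEST = """\
Chain OUTPUT (policy ACCEPT 1204 packets, 160000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            cgroup 1234
"""

if __name__ == "__main__":
    print("host ping:     ", diagnose(HOST_PING_CGROUP, True, OUTPUT_CHAIN_HOST_TEST, 1234))
    print("container ping:", diagnose(CONTAINER_PING_CGROUP, False, OUTPUT_CHAIN_CONTAINER_TEST, 1234))
```

On a live host, `diagnose_live(<pid>, 1234)` run as root for the host ping and for the container ping shows the difference directly: both PIDs report the same `net_cls` path, but only the host process is in the host's network namespace, and only its rule counter increments.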