[lxc-users] Filtering container traffic with iptables on host

Fajar A. Nugraha list at fajar.net
Fri Sep 29 13:44:32 UTC 2017


On Fri, Sep 29, 2017 at 7:23 PM, Björn Fischer <bf at cebitec.uni-bielefeld.de>
wrote:

> root at drax:/root# lxc shell moonraker
>

Wow

# lxc | egrep 'shell|exec'
  exec             Execute commands in containers

'shell' is not even in the lxc command line help yet :)
Thanks for letting me know that command exists.



> [ iptables rule is active but has no effect on ping in container ]
> ------snip------
>
> Certainly I am missing something very obvious.
> If anyone could point me in the right direction,
> I would appreciate that.
>
>
My GUESS is that iptables treats container traffic as a separate host, due to
it being in a separate network namespace. So the host has no idea what PID the
ping traffic is from.

The host only knows that the traffic comes from a veth* interface, which is
attached to lxdbr0, and then it needs to FORWARD it to eth0 (or whatever
your host's public interface is). So this should work:

iptables -I FORWARD -s 10.0.160.33 -p ICMP -j DROP

OUTPUT and INPUT won't work, FORWARD does. Of course, cgroups won't work
with FORWARD, so you need to find a criterion (e.g. source IP) that does.

-- 
Fajar
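As an added example, not part of this thread and not LXD's or Björn's code: a small POSIX sh script that emits the FORWARD rule described above for a given container address, and audits an `iptables -S` dump for the usual mistake of placing the rule in INPUT or OUTPUT, where forwarded container traffic never passes. It assumes LXD's default bridge name lxdbr0 and a placeholder uplink eth0 (both overridable via environment); the address 10.0.160.33 is the one used in the reply, and the ruleset dump embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: LXD's default bridge
# "lxdbr0" and a placeholder uplink "eth0" (override via environment).
BRIDGE="${BRIDGE:-lxdbr0}"
UPLINK="${UPLINK:-eth0}"

# Print the iptables command that drops ICMP from one container address.
# The rule lives in FORWARD: bridged container packets enter the host on a
# veth/lxdbr0 interface and leave via the uplink, so they are forwarded,
# never locally generated (OUTPUT) or locally delivered (INPUT). -I puts it
# ahead of LXD's own ACCEPT rules for lxdbr0, which would otherwise match first.
container_icmp_block_rule() {
    printf 'iptables -I FORWARD -i %s -o %s -s %s -p icmp -j DROP\n' \
        "$BRIDGE" "$UPLINK" "$1"
}

# Read an `iptables -S` dump on stdin; succeed (exit 0) if a FORWARD DROP for
# the address is present. iptables -S prints single hosts with a /32 mask.
has_forward_block() {
    grep -q -- "^-A FORWARD .*-s $1/32 .*-j DROP"
}

# Read an `iptables -S` dump on stdin; print on stdout the number of rules
# that match the container address in INPUT or OUTPUT. Such rules never fire
# for traffic originating inside the container. Each misplaced rule is echoed
# to stderr for review.
count_misplaced_rules() {
    ip="$1"
    n=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*"-s $ip/32"*|"-A OUTPUT "*"-s $ip/32"*)
                printf 'misplaced: %s\n' "$line" >&2
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample of an `iptables -S` dump: one rule placed correctly in
# FORWARD and one ineffective OUTPUT rule for the same address.
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.160.33/32 -i lxdbr0 -o eth0 -p icmp -j DROP
-A FORWARD -i lxdbr0 -j ACCEPT
-A OUTPUT -s 10.0.160.33/32 -p icmp -j DROP'

# Stand-alone run: show the rule to apply, then audit the sample dump.
container_icmp_block_rule 10.0.160.33
printf '%s\n' "$SAMPLE_DUMP" | has_forward_block 10.0.160.33 && echo "FORWARD rule present"
printf '%s\n' "$SAMPLE_DUMP" | count_misplaced_rules 10.0.160.33
```

To audit a live host instead of the sample, pipe the real listing in: `iptables -S | count_misplaced_rules 10.0.160.33`. Matching on the ingress interface (`-i lxdbr0`) together with the source address is the practical substitute for the cgroup/owner match, which only applies to locally generated packets and therefore never to forwarded container traffic.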

