[lxc-users] Filtering container traffic with iptables on host

Björn Fischer bf at CeBiTec.Uni-Bielefeld.DE
Fri Sep 29 14:42:03 UTC 2017


Hi,

> # lxc | egrep 'shell|exec'
>   exec             Execute commands in containers
> 
> 'shell' is not even in the lxc command line help yet :)
> Thanks for letting me know that command exists.

I found that via bash autocompletion "lxc [TAB][TAB]" ;-)

> My GUESS is that iptables treat container traffic as separate host, due
> to being in separate network namespace. So the host has no idea what PID
> the ping traffic is from.

That was my first thought, too.  But the network namespace should be
listed with "ip netns list", should it not?
The output of "ip netns list" is empty on my host.

> The host only knows that the traffic comes from a veth* interface, which
> is attached to lxdbr0, and then it needs to FORWARD it to eth0 (or
> whatever your host's public interface is). So this should work
> 
> iptables -I FORWARD -s 10.0.160.33 -p ICMP -j DROP 
> 
> OUTPUT and INPUT won't work, FORWARD does. Of course, cgroups won't work
> with FORWARD, so you need to find a criteria (e.g. source IP) that does.

I am not using lxdbr0, but a setup based on macvlan (as you can see in
the transcript). Macvlan fits perfectly for our use case here. I just
need to be sure that our "customers" cannot do any harm by changing
the IP addresses inside the containers. So basically, I'm trying to
replicate the port-security lxdbr0 feature for macvlan.


Thank you for your suggestions.

Björn Fischer
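An added example, not code from this thread or from LXC/LXD: a small model of the per-container FORWARD rules suggested above (source IP, extended with source MAC via `-m mac --mac-source`, as the match criterion) plus a first-match evaluator, so the rule order can be checked offline before loading it on a host. It assumes the container traffic actually traverses the host's FORWARD chain, and the interface, IP and MAC values are constructed.

```python
# Added example, not code from the lxc-users thread: a model of the
# per-container anti-spoofing FORWARD rules discussed above (source IP,
# plus source MAC, as the match criterion), with a first-match evaluator
# so the rule order can be checked before loading it on a host.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str]   # -i
    src_ip: Optional[str]     # -s
    src_mac: Optional[str]    # -m mac --mac-source
    proto: Optional[str]      # -p
    target: str               # -j

    def as_iptables(self) -> str:
        """Render as an iptables command appending to FORWARD."""
        parts = ["iptables", "-A", "FORWARD"]
        if self.in_iface: parts += ["-i", self.in_iface]
        if self.src_ip: parts += ["-s", self.src_ip]
        if self.src_mac: parts += ["-m", "mac", "--mac-source", self.src_mac]
        if self.proto: parts += ["-p", self.proto]
        return " ".join(parts + ["-j", self.target])

    def matches(self, pkt: Dict[str, str]) -> bool:
        """A rule matches when every criterion it sets equals the packet's."""
        checks = (("in_iface", self.in_iface), ("src_ip", self.src_ip),
                  ("src_mac", self.src_mac), ("proto", self.proto))
        return all(want is None or want == pkt.get(key) for key, want in checks)


def build_forward_rules(assignments: Dict[str, Tuple[str, str]],
                        block_icmp_from: Tuple[str, ...] = ()) -> List[Rule]:
    """assignments: container veth -> (IP, MAC) the host administrator assigned.
    Per interface: accept only the assigned IP+MAC pair, then drop anything
    else arriving on that interface (port-security style). Optional per-IP
    ICMP drops go first, like '-s 10.0.160.33 -p ICMP -j DROP' in the thread."""
    rules = [Rule(None, ip, None, "icmp", "DROP") for ip in block_icmp_from]
    for iface, (ip, mac) in assignments.items():
        rules.append(Rule(iface, ip, mac, None, "ACCEPT"))
        rules.append(Rule(iface, None, None, None, "DROP"))
    return rules


def evaluate(rules: List[Rule], pkt: Dict[str, str], policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy
```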


