[lxc-users] Filtering container traffic with iptables on host
Luis Michael Ibarra
michael.ibarra at gmail.com
Fri Sep 29 15:01:18 UTC 2017
> On Sep 29, 2017, at 10:42, Björn Fischer <bf at CeBiTec.Uni-Bielefeld.DE> wrote:
>
> Hi,
>
>> # lxc | egrep 'shell|exec'
>> exec Execute commands in containers
>>
>> 'shell' is not even in the lxc command line help yet :)
>> Thanks for letting me know that command exists.
>
> I found that via bash autocompletion "lxc [TAB][TAB]" ;-)
>
>> My GUESS is that iptables treats container traffic as a separate host, due
>> to it being in a separate network namespace. So the host has no idea what PID
>> the ping traffic is from.
>
> That was my first thought, too. But the network namespace should be
> listed with "ip netns list", should it not?
> The output of "ip netns list" is empty on my host.
>
You need to add each container network namespace to /var/run/netns, so it can be managed by the ip command.
>> The host only knows that the traffic comes from a veth* interface, which
>> is attached to lxdbr0, and then it needs to FORWARD it to eth0 (or
>> whatever your host's public interface is). So this should work
>>
>> iptables -I FORWARD -s 10.0.160.33 -p ICMP -j DROP
>>
>> OUTPUT and INPUT won't work, FORWARD does. Of course, cgroups won't work
>> with FORWARD, so you need to find a criterion (e.g. source IP) that does.
>
> I am not using lxdbr0, but a setup based on macvlan (as you can see in
> the transcript). Macvlan fits perfectly for our use case here. I just
> need to be sure that our "customers" cannot do any harm by changing
> the IP addresses inside the containers. So basically, I'm trying to
> replicate the port-security lxdbr0 feature for macvlan.
>
>
> Thank you for your suggestions.
>
> Björn Fischer
>
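The namespace-linking step suggested above, as an added shell example that is not from the thread: it assumes `lxc info NAME` prints a `Pid:` line (the LXD 2.x/3.x format), that the script is run as root, and uses the hypothetical script name netns-link.sh.

```shell
#!/bin/sh
# Added example: expose a running LXD container's network namespace under
# /var/run/netns so "ip netns list" / "ip netns exec" on the host can see it.
# Assumes "lxc info NAME" prints a "Pid:" line (LXD 2.x/3.x); run as root.
set -eu

NETNS_DIR="${NETNS_DIR:-/var/run/netns}"

# Pull the container init PID out of "lxc info" output read from stdin.
pid_from_info() {
    awk -F': *' 'tolower($1) == "pid" { print $2; exit }'
}

# Path of the kernel namespace handle for a given PID.
ns_path_for_pid() {
    printf '/proc/%s/ns/net\n' "$1"
}

# Symlink NAME's netns to $NETNS_DIR/NAME (idempotent) and print the link path.
# The link points at /proc/<pid>/ns/net, so it goes stale when the container
# restarts with a new PID: re-run this after every restart.
link_container_netns() {
    name=$1
    pid=$(lxc info "$name" | pid_from_info)
    [ -n "$pid" ] || { echo "no PID for $name (not running?)" >&2; return 1; }
    mkdir -p "$NETNS_DIR"
    ln -sfn "$(ns_path_for_pid "$pid")" "$NETNS_DIR/$name"
    printf '%s\n' "$NETNS_DIR/$name"
}

# Strip "ip -o -4 addr show" output (stdin) down to bare IPv4 addresses.
extract_v4_addrs() {
    awk '{ split($4, a, "/"); print a[1] }'
}

# True when NAME has EXPECTED configured as a global IPv4 address, as seen from
# the host; a mismatch means someone changed the address inside the container.
addr_matches() {
    name=$1 expected=$2
    ip netns exec "$name" ip -o -4 addr show scope global \
        | extract_v4_addrs | grep -qx "$expected"
}

# Usage: ./netns-link.sh NAME [EXPECTED_IPV4]
if [ $# -ge 1 ]; then
    link_container_netns "$1"
    if [ $# -ge 2 ]; then
        addr_matches "$1" "$2" && echo "ok: $1 uses $2" || echo "WARN: $1 is not using $2"
    fi
fi
```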