[lxc-users] LXC container isolation with iptables?

Fajar A. Nugraha list at fajar.net
Sun Mar 4 12:02:52 UTC 2018


On Sun, Mar 4, 2018 at 5:27 PM, Marat Khalili <mkh at rqc.ru> wrote:
> On 04/03/18 02:26, Steven Spencer wrote:
>
> Honestly, unless I'm spinning up a container on my local desktop, I always
> use the routed method. Because our organization always thinks of a container
> as a separate machine, it makes the build pretty similar whether the machine
> is on the LAN or WAN side of the network. It does, of course, require that
> each container run its own firewall, but that's what we would do with any
> machine on our network.
>
> Can you please elaborate on your setup? It always seemed like administrative
> hassle to me. Outside routers need to know how to find your container. I
> can see three ways, each has its drawbacks:
>
> 1. Broadcast container MACs outside, but L3-route packets inside the server
> instead of L2-bridging. Seems clean but I don't know how to do it in [bare]
> Linux.


Here's one way to do it, with manual networking setup in lxd (making
this automated and converting this to lxc is left as an exercise for
readers. I don't use lxc anymore).


Environment:
- host eth0 is 10.0.3.117/24 with router on 10.0.3.1 (this is actually
an lxd container with nesting enabled, which should behave like a
baremetal lxd host for this purpose)
- guest container name is 'c1' (which is a nested container in this case)
- host will use proxyarp to broadcast c1's MAC
- c1 will use routed setup using veth and p2p ip
- c1 will see a network interface called 'c-c1' instead of 'eth0'
- c1 will use 10.0.3.201
- host side of veth pair will be called 'h-c1', and use 10.0.0.1 (can
be any unused IP in your network, can be used multiple times on
different veths)


Setup in host:
### start with "c1" stopped
### enable proxyarp and ip forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

### create veth pair
ip link add dev h-c1 type veth peer name c-c1

### setup veth pair on host side
ip ad add 10.0.0.1 dev h-c1 peer 10.0.3.201 scope link
ip link set dev h-c1 up

### configure c1 to use the created veth pair: run "lxc config edit c1",
### then add these lines in the "devices" section.
### use "eth0" as the section name so that it replaces the "eth0" inherited
### from the profile
devices:
  eth0:
    name: c-c1
    nictype: physical
    parent: c-c1
    type: nic

### start the container
lxc start c1



Setup in c1:
### setup veth pair
ip ad add 10.0.3.201 peer 10.0.0.1 dev c-c1
ip link set dev c-c1 up
ip r add default via 10.0.0.1

### test connectivity with router
ping -n -c 1 10.0.3.1

-- 
Fajar
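The host-side steps above, as an added example that automates them for any container (this is not the poster's script): it validates the container name and addresses before they are spliced into commands, keeps the h-/c- naming and 10.0.0.1 p2p address from the post, uses "lxc config device add" in place of "lxc config edit" (assumed equivalent: an instance device named eth0 overrides the profile's eth0), and adds one FORWARD rule so the container can only source packets from its own address.

```shell
# Added example, not the poster's own script: emit the host-side commands of
# the routed/proxy-ARP setup for any container, after checking the inputs.
# Assumptions: h-/c- naming and 10.0.0.1 p2p address as in the post;
# "lxc config device add" used instead of "lxc config edit".

# returns 0 if $1 is a dotted-quad IPv4 address, 1 otherwise
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# gen_host_setup NAME GUEST_IP [HOST_P2P_IP] [UPLINK_IF]
# Prints the commands; apply as root with:  gen_host_setup c1 10.0.3.201 | sh
gen_host_setup() {
    name=$1 guest_ip=$2 host_ip=${3:-10.0.0.1} uplink=${4:-eth0}
    # "h-NAME" must fit the 15-byte interface name limit, no shell metachars
    case $name in ''|*[!A-Za-z0-9-]*) echo "bad container name" >&2; return 1 ;; esac
    [ ${#name} -le 13 ] || { echo "name too long for veth" >&2; return 1; }
    for ip in "$guest_ip" "$host_ip"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    h="h-$name" c="c-$name"
    cat <<EOF
# $name: host answers ARP for $guest_ip on $uplink and forwards at L3
echo 1 > /proc/sys/net/ipv4/conf/$uplink/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
ip link add dev $h type veth peer name $c
ip addr add $host_ip dev $h peer $guest_ip scope link
ip link set dev $h up
# instance device named eth0 replaces the eth0 inherited from the profile
lxc config device add $name eth0 nic nictype=physical parent=$c name=$c
# isolation: only $guest_ip may source packets out of this veth
iptables -A FORWARD -i $h ! -s $guest_ip -j DROP
lxc start $name
EOF
}
```

Because the container's traffic is routed rather than bridged, every packet crosses the host's FORWARD chain, which is where per-container rules like the anti-spoofing one above take effect.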