Using Stephane’s commands that I found on GitHub (https://github.com/lxc/lxd/issues/4470):
iptables -I INPUT -s container-ip -j REJECT
iptables -I FORWARD -s container-ip -d lan-subnet -j REJECT
I’ve set up iptables on the machine that hosts the container, trying to block access to the LAN (192.168.69.*), but from inside the container I can still make an SSH connection to 192.168.69.28.
service --status-all
tells me ufw and AppArmor are enabled.
I’ve tried everything to block it. The hosting machine is 192.168.69.19 and the container is 192.168.69.58. Both are on 22.04 with lxd/lxc 5.1.
systems@Chip-C:~$ sudo iptables -L -v
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  lxdbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     192.168.69.58        anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  lxdbr0 any     anywhere             192.168.69.28        reject-with icmp-port-unreachable
    0     0 REJECT     all  --  lxdbr0 any     anywhere             192.168.69.0         reject-with icmp-port-unreachable
    0     0 REJECT     all  --  lxdbr0 any     anywhere             192.168.69.0/24      reject-with icmp-port-unreachable
    0     0 REJECT     all  --  lxdbr0 any     anywhere             255.255.255.0        reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     192.168.69.58        192.168.69.0/24      reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
systems@Chip-C:~$
I flushed the iptables-legacy tables, but they were empty anyway. I’m not sure how to get rid of them, or whether I need to.
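An added diagnostic for the situation in the question above; this is example code written for this edit, not part of the original post and not LXD's own tooling. The listing shows 0 packets on every rule, which separates two different failures: a rule that does not match the flow, and a flow that never passes through the host's chains at all. The script walks a saved `iptables -L -v -n -x` listing the way netfilter does (first match wins; only in-interface, source and destination are evaluated, which is all the posted rules use), sums the counters, and, in a `live_checks` function that runs only with `LIVE=1` as root, lists the commands that show where the container's NIC is really attached. The listing embedded in the script is constructed to mirror the posted rules in numeric form. One assumption not stated on the page: a container holding an address on the host's own /24 is normally attached to the LAN through a macvlan or a bridge over the physical NIC rather than NATed behind lxdbr0 (whose default is a private subnet), and in that case the host's iptables either never sees the traffic (macvlan) or sees bridged traffic only when br_netfilter is loaded, so rules bound to `-i lxdbr0` cannot fire. Also worth checking in the posted listing: `-d 192.168.69.0` and `-d 255.255.255.0` each match exactly that one address, not the subnet; only the `/24` rule covers the LAN.

```shell
#!/bin/sh
# Added example for the question above, not code from the original post or
# from LXD. Offline part: walk a saved `iptables -L -v -n -x` listing the way
# netfilter would, to separate "the rule would not match" from "the packet
# never reached the chain". Live part (LIVE=1, root, lxd installed): show
# where the container's NIC is really attached. Assumptions: numeric (-n)
# output, exact counters (-x), and only in-interface, source and destination
# are evaluated (enough for the rules in the post).

# Constructed listing mirroring the rules in the post, in -n form.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.69.58        0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  lxdbr0 *       0.0.0.0/0            192.168.69.0/24      reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.69.58        192.168.69.0/24      reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# ip_in_cidr ADDR NET: NET is a plain address (treated as /32) or a CIDR.
# awk doubles hold 32-bit integers exactly; dividing by 2^(32-bits) and
# truncating drops the host part on both sides before comparing.
ip_in_cidr() {
    awk -v ip="$1" -v net="$2" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN {
        bits = 32
        if (index(net, "/")) { bits = substr(net, index(net, "/") + 1) + 0; sub(/\/.*/, "", net) }
        ok = (int(toint(ip) / 2^(32 - bits)) == int(toint(net) / 2^(32 - bits)))
        if (ok) exit 0
        exit 1
    }'
}

# chain_verdict LISTING CHAIN IN_IFACE SRC DST: target of the first rule in
# CHAIN that matches the packet, else the chain policy (first match wins, as
# in netfilter). Columns: pkts bytes target prot opt in out source destination
chain_verdict() {
    printf '%s\n' "$1" | {
        verdict=''; policy=ACCEPT; active=0
        while read -r pkts bytes target prot opt inif outif src dst rest; do
            case $pkts in
                Chain)
                    active=0
                    if [ "$bytes" = "$2" ]; then active=1; policy=$prot; fi
                    continue ;;
                pkts|'') continue ;;
            esac
            [ "$active" = 1 ] || continue
            [ "$inif" = '*' ] || [ "$inif" = "$3" ] || continue
            ip_in_cidr "$4" "$src" && ip_in_cidr "$5" "$dst" && { verdict=$target; break; }
        done
        echo "${verdict:-$policy}"
    }
}

# matched_packets LISTING: sum of the pkts column over all rules. Zero on
# every rule means netfilter never evaluated them against the container's
# traffic, whatever the rules say.
matched_packets() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n += $1 } END { print n + 0 }'
}

ct=192.168.69.58
echo "FORWARD, container -> 192.168.69.28 arriving on a bridged NIC: $(chain_verdict "$SAMPLE_RULES" FORWARD eth0 "$ct" 192.168.69.28)"
echo "FORWARD, container -> 192.168.69.28 arriving on lxdbr0:        $(chain_verdict "$SAMPLE_RULES" FORWARD lxdbr0 "$ct" 192.168.69.28)"
echo "FORWARD, container -> 10.0.0.5 (off the LAN):                  $(chain_verdict "$SAMPLE_RULES" FORWARD eth0 "$ct" 10.0.0.5)"
echo "INPUT,   container -> the host 192.168.69.19:                  $(chain_verdict "$SAMPLE_RULES" INPUT eth0 "$ct" 192.168.69.19)"
echo "packets that ever hit any listed rule: $(matched_packets "$SAMPLE_RULES")"
# REJECT for every LAN-bound flow, yet 0 packets counted: the flow is not
# passing through the host's netfilter chains at all.

# Live checks, run as root with LIVE=1 CT=<container name>. A macvlan NIC on
# the physical interface bypasses the host's netfilter entirely; a port on a
# bridge that also carries the physical NIC is seen by FORWARD only with
# br_netfilter loaded and bridge-nf-call-iptables=1; only traffic routed
# through lxdbr0 takes the path the "-i lxdbr0" rules were written for.
live_checks() {
    lxc config device show "$1"                  # nictype / network / parent of the NIC
    lxc profile show default                     # same, when the NIC comes from the profile
    ip link show type bridge                     # bridges on the host and their state
    iptables -V                                  # (nf_tables) or (legacy): the backend you edited
    cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 'br_netfilter not loaded'
    iptables -L FORWARD -v -n -x                 # re-run while retrying the ssh session; watch pkts
}
if [ "${LIVE:-0}" = 1 ]; then live_checks "${CT:?set CT to the container name}"; fi
```

Run it as-is to see the offline walk; to compare against a real host, save `sudo iptables -L -v -n -x` output into `SAMPLE_RULES` (or paste it in via a here-document) and run `sudo LIVE=1 CT=<name> sh script.sh`. If the live output shows the container NIC with `nictype: macvlan`, or a `parent` that is a bridge carrying the physical interface while `bridge-nf-call-iptables` is 0 or absent, the rules listed in the question are never consulted for that traffic, which is exactly what the zero counters say.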