Does LXC set iptables rules at boot time?

I noticed that there are rules for DNS/DHCP that I think weren’t there before. If yes, could you point me to where these rules are sourced? I looked at LXC related systemd files, but didn’t find any iptables commands.

I’m using the Ubuntu package.

I believe that these are part of the packaging of LXD for Ubuntu.

Try the following,

apt source lxd
tar xvfa lxd_2.0.10-0ubuntu1~16.04.2.debian.tar.xz
cd debian/

and look in there.

For LXC, the lxc-net script which sets up the “lxcbr0” bridge does set a number of iptables rules. It’s nothing new though, we’ve been doing that for 3 years or so.

/usr/lib/x86_64-linux-gnu/lxc/lxc-net

Thanks guys, that’s what I was looking for. I’ve been using nftables for a while now and want to avoid mixed operation. I’ll transfer the rules over to it.

It’s nothing new though, we’ve been doing that for 3 years or so.

Yes, I saw (it’s from 1.0), it’s me who’s new to LXC :slight_smile:

Sorry to revive this thread, but since it’s related to the topic, I thought I’d ask here instead of opening a new thread.

In the lxc-net script, the following iptables rules appear to get set (I replaced variables with their content where possible):

iptables -I INPUT -i lxcbr0 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p tcp --dport 67 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p tcp --dport 53 -j ACCEPT

iptables -I FORWARD -i lxcbr0 -j ACCEPT
iptables -I FORWARD -o lxcbr0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s LXC_IPV6_NETWORK ! -d LXC_IPV6_NETWORK -j MASQUERADE

iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

I’m now trying to replicate these rules in nftables.

My question is about the last mangle line. I found the following explanation on the manpage:

CHECKSUM
This target allows to selectively work around broken/old applications. It can only be used in the mangle table.

–checksum-fill
Compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful, if you need to work around old applications such as dhcp clients, that do not work well with checksum offloads, but don’t want to disable checksum offload in your device.

Is this still applicable to recent operating systems like Ubuntu 16.04, or are there likely no more applications requiring this hack? I wouldn’t bother to try to translate it in that case, assuming that’s even possible.
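As an added example (not from this thread and not the lxc-net script’s own code), the iptables rules listed above expressed as an nftables ruleset, assuming the same bridge name lxcbr0 and subnet 10.0.3.0/24; a placeholder prefix stands in for LXC_IPV6_NETWORK, and the mangle CHECKSUM rule is left out because nftables has no counterpart to that target.

```nft
#!/usr/sbin/nft -f
# Added example: nftables translation of the lxc-net iptables rules.
# Assumes bridge lxcbr0 and IPv4 subnet 10.0.3.0/24 as in the rules above;
# the IPv6 prefix is a placeholder standing in for LXC_IPV6_NETWORK.
define lxc_br   = "lxcbr0"
define lxc_net4 = 10.0.3.0/24
define lxc_net6 = 2001:db8::/64   # placeholder, substitute LXC_IPV6_NETWORK

table inet lxc {
	# Equivalent of the four "-I INPUT -i lxcbr0 ... --dport 53/67 -j ACCEPT" rules:
	# containers may reach dnsmasq on the bridge for DNS and DHCP.
	chain input {
		type filter hook input priority 0; policy accept;
		iifname $lxc_br udp dport { 53, 67 } accept
		iifname $lxc_br tcp dport { 53, 67 } accept
	}

	# Equivalent of "-I FORWARD -i lxcbr0 -j ACCEPT" and "-I FORWARD -o lxcbr0 -j ACCEPT".
	chain forward {
		type filter hook forward priority 0; policy accept;
		iifname $lxc_br accept
		oifname $lxc_br accept
	}
}

# Equivalent of the two "-t nat -A POSTROUTING ... -j MASQUERADE" rules.
table ip lxc_nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		ip saddr $lxc_net4 ip daddr != $lxc_net4 masquerade
	}
}

table ip6 lxc_nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		ip6 saddr $lxc_net6 ip6 daddr != $lxc_net6 masquerade
	}
}
```

Load it with `nft -f` and check with `nft list ruleset`. Unlike an iptables `-I` insert, which pre-empts later rules in the same chain, nftables evaluates every base chain independently, so an accept in this table does not override a drop in another table’s input or forward chain.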

Since iptables 1.8.x is now a facade to nf_tables I thought it is important to answer your question:

table ip mangle {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
		counter comment "count accepted packets"
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter comment "count accepted packets"
	}

	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}

	chain postrouting {
		type filter hook postrouting priority 0; policy accept;
		oifname "lxdbr0" udp dport bootpc ip checksum 68 accept
		counter comment "count accepted packets"
	}
}

Your rules above should be changed to the following:

Code:

-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80

Since you are not using a STATEFUL firewall the use of conntrack’ing isn’t required.
You just need the redirect to ensure it goes to the right place.

Now if you are exposing this machine where the firewall resides to the internet then I would strongly suggest you reconsider your firewall as it protects nothing.

nope.
question was how to translate automatically installed iptables rules by lxd into NFTABLES, right?

the thing is nftables is much better in performance, user-handling, monitoring etc. etc. etc.
before iptables 1.8 everything was diverted. nowadays iptables uses nftables at kernel-level. iptables is only a facade to it. therefore I could not understand using iptables nowadays. try to have a long ip-range-blacklist with iptables. and then try to do it with nftables. but it’s up to everybody himself to decide.

I don’t know about performance, but nftables syntax is wonderfully concise/expressive compared to iptables. Personally I mostly switched back to iptables because nftables (still being in development) isn’t being widely adopted yet and I found myself swimming against the flow on too many occasions. Maybe in 5 years things will look different already, certainly in 10. :+1:


The future is now.
let’s say it in the words of famous persons, “All those hacks, troubles, problems have been already solved in the 1980s.” Richard Stallman.
:grinning:

ad performance) I have per host on average between 30k and 200k IPs (ranges) blocked early via stealth-bridge (layer 2) because of the intense attacks everybody knows. All that is operated automatically just by some tools in a wink by nftables. Before nftables it was a nightmare to configure and sync (i.e. start|reload|restart|insert rule at and so on … a nightmare) firewalls during normal operations without any interruptions at the physical interface. nftables solves it like a charm. simultaneously open to options for your needed conditions prepared.

Perhaps you might be interested in having a look?

ad ‘still in development’) That’s not true. Why do kernel specialists implement nftables before iptables? Why is iptables 1.8 set upon nftables?

ad ‘isn’t being widely adopted’) At this point we just have to think about politics and power, don’t we? Is linux widely adopted? And if not, why not? The matter of fact is linux is server-standard globally right now. Anyway.
BTW. did you know github was taken over by $$$ recently?
What do you think does it take for LXD?
think. :disappointed_relieved:
Adrian thank you for your attention and your feedback! :+1:


origin: In a modern environment (like LXD) we should use modern tools. I love LXD !

I tried switching to nftables a couple of years ago and couldn’t find any useful documentation, so gave up. For most people a firewall is just something they want to set up and forget about. If it turns into a huge time sink, well, I already know how to configure iptables I think is the thinking. However if the kernel has switched to nftables; maybe it’s time to take another look.
