I’m setting up a few LXD hosts with several containers on each. I am using the default lxdbr0 network bridge configuration to assign a DHCP address to each container. Many of these containers have a proxy device (or multiple) to forward selected ports from the external WAN address to the container.
This all works fine while my default iptables INPUT policy is ACCEPT, but if I set this to DROP, none of the containers are accessible from the WAN interface. Obviously I could add individual ACCEPT rules for each of the proxied ports, but that makes the containers much less portable - moving a container to a different host means also having to mess with the host firewall.
The nat=true proxy device parameter does seem to get around the issue (although I’m not sure where/how I can see the generated rules?), however this has a similar issue to manually adding the relevant iptables rules - moving the container from one host to another requires manually updating the proxy device listen address to the new host’s external IP address.
Is there an iptables INPUT rule I can add (or some other method) to allow traffic explicitly proxied to a container to be accepted, but anything else not explicitly defined in an ACCEPT rule for the host to be dropped? This would mean, for example, that the firewall would drop all tcp/80 traffic UNLESS there was a container running on that host with a proxy device listening on tcp:0.0.0.0:80.
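As an added example (not part of the post above, and not LXD's own tooling): the script below derives the per-port ACCEPT rules the question mentions from a container's proxy device configuration rather than hand-writing them. It assumes the two-level `name:` / `  key: value` layout that `lxc config device show <container>` prints, with the `type`, `listen`, `connect` and `nat` keys the post uses; the device listing itself is a constructed sample. Listeners with `nat=true` are skipped, on the assumption that LXD implements that mode with DNAT so the traffic crosses the FORWARD chain instead of INPUT; only non-NAT proxy devices, where the host process accepts the connection locally, need an INPUT rule. Each rule is tagged with an iptables comment so the rules belonging to a container can be found and removed when it is moved to another host.

```python
"""Generate host iptables INPUT ACCEPT rules from an LXD container's proxy devices.

Added example, not code from the forum post or from LXD. It runs offline on the
constructed device listing below; `container` and the device names are assumptions.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample in the shape of `lxc config device show web1`
# (assumed layout; key names match the proxy device options discussed in the post).
SAMPLE_DEVICES = """\
http:
  connect: tcp:127.0.0.1:80
  listen: tcp:0.0.0.0:80
  type: proxy
https:
  connect: tcp:127.0.0.1:443
  listen: tcp:0.0.0.0:443-444
  type: proxy
dns:
  connect: udp:10.10.10.5:53
  listen: udp:203.0.113.10:53
  nat: "true"
  type: proxy
root:
  path: /
  pool: default
  type: disk
"""


@dataclass
class Listener:
    device: str
    proto: str      # "tcp" or "udp"
    address: str    # host-side listen address, "0.0.0.0" means any
    port_spec: str  # "80" or a range "443-444"
    nat: bool


def parse_devices(text):
    """Minimal parser for the two-level key/value listing shown above."""
    devices, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # unindented line: a device name
            current = raw.strip().rstrip(":")
            devices[current] = {}
        else:                                # indented line: key: value
            key, _, value = raw.strip().partition(":")
            devices[current][key.strip()] = value.strip().strip('"')
    return devices


def proxy_listeners(devices):
    """Extract the network listeners of every proxy device."""
    out = []
    for name, cfg in devices.items():
        if cfg.get("type") != "proxy":
            continue
        spec = cfg.get("listen", "")
        proto, _, rest = spec.partition(":")
        if proto not in ("tcp", "udp") or ":" not in rest:
            continue                          # unix sockets need no INPUT rule
        addr, _, ports = rest.rpartition(":")  # rpartition keeps IPv6 addresses intact
        if not re.fullmatch(r"\d+(-\d+)?", ports):
            continue
        nat = cfg.get("nat", "false").lower() == "true"
        out.append(Listener(name, proto, addr, ports, nat))
    return out


def input_rules(container, listeners):
    """One INPUT ACCEPT rule per non-NAT listener, tagged with the container name."""
    rules = []
    for lst in listeners:
        if lst.nat:
            continue  # assumed DNAT path: hits FORWARD, not INPUT
        dport = lst.port_spec.replace("-", ":")      # iptables range syntax is low:high
        dst = [] if lst.address in ("0.0.0.0", "::") else ["-d", lst.address]
        rule = ["iptables", "-A", "INPUT", "-p", lst.proto, *dst, "--dport", dport,
                "-m", "comment", "--comment", f"lxd-proxy:{container}/{lst.device}",
                "-j", "ACCEPT"]
        rules.append(shlex.join(rule))
    return rules


if __name__ == "__main__":
    for line in input_rules("web1", proxy_listeners(parse_devices(SAMPLE_DEVICES))):
        print(line)
```

Because every rule carries a `lxd-proxy:<container>/<device>` comment, the rules for a migrated container can be listed with `iptables -S INPUT | grep lxd-proxy:web1/` and deleted on the old host before the container is started elsewhere; the same script, run against the new host's device listing, regenerates them there.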