Lxc config set core.https_address best practice

When I set up LXD I use `lxc config set core.https_address "[::]:8443"`, which is fine for home/office network use, but doing the same on a production server opens this up from the outside even when not needed.

So that this is available to containers that might be on different networks but on the same host, is this just a case of using iptables to block remote traffic, or what is the best way to deal with this given most standard configurations for VPSes or bare-metal servers?

Thanks.

Yeah, I’d use firewalling for this. In general my machines that are directly exposed to the internet tend to have a firewall blocking all INPUT except for those ports I actually want to expose.

Thanks for your response.

I am pretty inexperienced with iptables. Is this how to do it, so that the API can be accessed from any container on the host?

$ iptables -I OUTPUT -p tcp --dport 8443 -j DROP
$ iptables -I OUTPUT -s 127.0.0.1 -p tcp --dport 8443 -j ACCEPT

Hmm, no, you’d normally want rules in the INPUT table.
Usually you’d want to block everything except for established connections and whatever port you want to actually open.

So something kinda like:

  • iptables -I INPUT -i eth0 -j REJECT
  • iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  • iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

This should reject everything arriving on eth0 (change for whatever NIC is your WAN) except for established/related connections and for SSH.

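The reply above shows the general shape (reject on the WAN NIC, allow what you need). As an added example that is not from the thread, the script below does the narrower job the question asks for: it confines TCP/8443 to loopback and the host's container bridges and rejects it everywhere else. It assumes the bridge is named lxdbr0 and that the host filters with iptables/ip6tables (the iptables-restore format is accepted by both the legacy and nft backends). One caveat the reply does not mention: `[::]:8443` listens on IPv4 and IPv6, so the same rules are loaded into both iptables and ip6tables; filtering only IPv4 would leave the API reachable over IPv6.

```shell
#!/bin/sh
# Added example (not from the thread): confine the LXD API to the host's own
# container bridges. Assumptions: the API listens on "[::]:8443", the container
# bridge is lxdbr0, and the host filters with iptables/ip6tables.

# build_rules PORT BRIDGE... : write an iptables-restore ruleset to stdout.
# Every packet for PORT is diverted into a dedicated LXD_API chain that accepts
# loopback and the listed bridges and rejects everything else, so the API is
# closed on any NIC you did not name (stricter than a rule that only names the
# WAN NIC, which would still expose it on a second uplink or a VPN interface).
build_rules() {
    [ "$#" -ge 2 ] || { echo "usage: build_rules PORT BRIDGE..." >&2; return 1; }
    port="$1"; shift
    case "$port" in
        ''|*[!0-9]*) echo "build_rules: port must be numeric" >&2; return 1 ;;
    esac

    printf '%s\n' '*filter'
    printf '%s\n' ':LXD_API - [0:0]'   # user chain; flushed and refilled on reload
    printf '%s\n' "-A INPUT -p tcp --dport $port -j LXD_API"
    # locally generated traffic to any host address arrives on lo
    printf '%s\n' '-A LXD_API -i lo -j ACCEPT'
    for br in "$@"; do
        printf '%s\n' "-A LXD_API -i $br -j ACCEPT"
    done
    # tcp-reset gives clients a clean "connection refused" instead of a timeout
    printf '%s\n' '-A LXD_API -j REJECT --reject-with tcp-reset'
    printf '%s\n' 'COMMIT'
}

# apply_rules PORT BRIDGE... : load the ruleset for IPv4 and IPv6 (run as root).
# --noflush keeps the rest of your firewall; the INPUT jump is deleted first so
# re-running does not stack duplicates. Persisting across reboots is distro
# specific (iptables-persistent, a systemd unit, ...) and is not handled here.
apply_rules() {
    port="$1"
    for tool in iptables ip6tables; do
        while "$tool" -D INPUT -p tcp --dport "$port" -j LXD_API 2>/dev/null; do :; done
        build_rules "$@" | "${tool}-restore" --noflush || return 1
    done
}

# check_rules PORT : non-zero if the INPUT jump is missing in either family.
check_rules() {
    iptables  -C INPUT -p tcp --dport "$1" -j LXD_API 2>/dev/null &&
    ip6tables -C INPUT -p tcp --dport "$1" -j LXD_API 2>/dev/null
}

# usage:  sh lxd-api-fw.sh show 8443 lxdbr0        (print the ruleset)
#         sudo sh lxd-api-fw.sh apply 8443 lxdbr0  (load it and verify)
case "${1:-}" in
    apply) shift; apply_rules "$@" && check_rules "$1" ;;
    show)  shift; build_rules "$@" ;;
esac
```

If you manage the host over a VPN or a second NIC and want `lxc` from there, list that interface alongside the bridges; anything not listed gets a TCP reset. Containers on several bridges all reach the API by passing each bridge name, which is the "different networks on the same host" case from the question.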

thanks