I am running several websites in different containers / apache2 behind another container with nginx.
On the main server, I have several scripts that create ipsets with blocking rules for certain IPs (country based and known offenders).
Currently, I am forwarding traffic through these rules in PREROUTING:
```
Chain PREROUTING
DNAT  tcp  --  anywhere  MYSERVERADDRESS  tcp dpt:http   to:CONTAINERIP:80
DNAT  tcp  --  anywhere  MYSERVERADDRESS  tcp dpt:https  to:CONTAINERIP:443
```
There is also an LXD bridge which configures the following rules, and one of the ipsets that should block the traffic:
```
Chain INPUT (policy DROP)
target  prot opt source    destination
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:domain /* generated for LXD network lxd_bridge0 */
ACCEPT  udp  --  anywhere  anywhere  udp dpt:domain /* generated for LXD network lxd_bridge0 */
ACCEPT  udp  --  anywhere  anywhere  udp dpt:bootps /* generated for LXD network lxd_bridge0 */
REJECT  all  --  anywhere  anywhere  match-set f2b-fail2ban-A src reject-with icmp-port-unreachable
DROP    all  --  anywhere  anywhere  match-set IPSET_Block src
```
Here is what I observe:
- My ipset and fail2ban don't seem to have an effect.
- It seems to me that the LXD bridge is not required (?). Or is it required for local networking?
What am I missing here? Should I reorder the rules so that my blocking rules come before the LXD bridge rules? Can I delete the LXD bridge rules completely?
Additional info on why I use NAT to forward traffic instead of the LXD bridge:
My reason for not using the LXD bridge for forwarding ports 443 and 80 was that I did not manage to make it work with nginx showing the source IP address in my logs.
Thank you very much for your input and for helping me secure this.
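As an added example that is not part of the post above: the two ipsets from the post are matched only in INPUT, but a packet that PREROUTING has DNAT'ed to CONTAINERIP is routed on to the container and traverses FORWARD instead, so the script below emits (or, with APPLY=1, applies) the same drop rules for FORWARD and the checks to confirm they are hit. It assumes the sets IPSET_Block and f2b-fail2ban-A already exist as the post says; the file name and everything else not in the post are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the ipsets named in
# the post (IPSET_Block, f2b-fail2ban-A) already exist; set names and the
# bridge name are taken from the post, everything else is an assumption.
#
# Why FORWARD: once PREROUTING has DNAT'ed a packet to CONTAINERIP, the host
# routes it towards the container, so it traverses FORWARD, never INPUT.
# A "match-set ... src" DROP that only exists in INPUT therefore never sees
# the web traffic. The same rule in FORWARD does.
#
# Usage: sh ipset-forward.sh           -> print the commands (dry run)
#        APPLY=1 sh ipset-forward.sh   -> execute them (root, iptables, ipset)

# Emit the two drop rules for one set. "-I <chain> 1" puts the rule at the
# top, above the ACCEPT rules LXD generates for its bridge and above any
# later rule that accepts the DNAT'ed ports.
emit_block_rules() {
    set_name="$1"
    echo "iptables -I FORWARD 1 -m set --match-set $set_name src -j DROP"
    echo "iptables -I INPUT 1 -m set --match-set $set_name src -j DROP"
}

# Emit the checks a defender runs afterwards: "-C" exits 0 only if the rule
# is present, and the -v listing shows whether its packet counter grows.
emit_check_rules() {
    set_name="$1"
    echo "iptables -C FORWARD -m set --match-set $set_name src -j DROP"
    echo "iptables -vnL FORWARD --line-numbers | grep -- '$set_name'"
}

# Print each command, or run it when APPLY=1.
run_or_print() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

for s in IPSET_Block f2b-fail2ban-A; do
    emit_block_rules "$s" | run_or_print
    emit_check_rules "$s" | run_or_print
done
```

Rules inserted this way are not persisted across reboots, so they belong in the same scripts that create the sets; fail2ban keeps managing its own REJECT rule in INPUT, this only adds a FORWARD rule against the same set.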