Just sharing my final insights and settings for this. The last problem that I had with ufw was as simple as this:
- ufw works on the INPUT chain: all rules that you specify are effective for the iptables INPUT chain and not for the FORWARD chain. By default, all traffic in the FORWARD chain gets blocked unless otherwise specified (that is, all traffic that does not get allowed by another rule in the FORWARD chain).
You can configure ufw to allow all traffic on the forward chain by default by doing:
sudo ufw default allow FORWARD
sudo service ufw restart
My final settings are (Thanks also to Thomas again):
- modify the fail2ban action.d for the concerned filter so that it also creates an iptables rule in the FORWARD chain
- export all iptables rules by running sudo iptables-save. Select the rules that concern the LXD bridge and save them somewhere
- disable the LXD bridge firewall:
sudo lxc network set lxdbr0 ipv4.firewall=false
- Add the rules just exported again at the right place (that is, for me after my blocking rules and fail2ban)
That's it. Now I see the desired result: fail2ban working on both chains, FORWARD and INPUT; my blocking sets work; ufw allows all required traffic; and lxd receives only the traffic which I want it to.
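The export-and-reload step in the post above, as an added example that is not part of the original post and not LXD's or ufw's own code: a small POSIX sh helper that pulls the rules LXD generated for a bridge out of an iptables-save dump and re-emits them as iptables commands you can run (or paste into a script) after your blocking rules and fail2ban have been loaded. It assumes the bridge is called lxdbr0 and that LXD tags its rules with a comment containing the bridge name; the iptables-save dump is constructed for the example and is not a capture from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the bridge is
# lxdbr0 and LXD marks its rules with a comment naming the bridge.

# Constructed sample of `iptables-save` output (not a real capture). The first
# DROP rule stands in for the poster's own blocking rules and must not be picked up.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT'

# extract_bridge_rules BRIDGE  (reads an iptables-save dump on stdin)
# Prints one "iptables -t TABLE RULE" line per rule that mentions BRIDGE.
# The match is on the whole line rather than only on "-i BRIDGE"/"-o BRIDGE":
# the nat MASQUERADE rule refers to the bridge only in its comment and would
# otherwise be lost, leaving containers without outbound NAT.
extract_bridge_rules() {
  awk -v br="$1" '
    /^\*/           { table = substr($0, 2); next }  # "*filter" -> filter
    /^(:|COMMIT|#)/ { next }                         # chain policies, COMMIT, comments
    index($0, br)   { print "iptables -t " table " " $0 }
  '
}

# count_bridge_rules BRIDGE  (reads a dump on stdin) -> number of matching rules
count_bridge_rules() {
  extract_bridge_rules "$1" | awk 'END { print NR }'
}

# Demo on the constructed dump. Every emitted rule is an append (-A), so running
# the output after your blocking rules and fail2ban chains are in place keeps the
# LXD rules below them in each chain, which is the ordering the post wants.
printf '%s\n' "$SAMPLE_DUMP" | extract_bridge_rules lxdbr0
```

On a live host, replace the constructed dump with the real one (`sudo iptables-save | extract_bridge_rules lxdbr0 > lxdbr0-rules.sh`) and review the file before running it; check that the nat MASQUERADE line is present, since that is the rule most easily dropped when selecting by interface name only.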