Lxd iptables-persistent

networking
lxd

(Najib Nour) #1

Hello, I installed iptables-persistent and see that after boot the iptables rules are still there, but then when I initiate lxc ls my rules that were put on top of the LXD rules are pushed to the bottom. I was wondering if there was a way for them not to be pushed to the bottom…


#2

Hi!

Normally the forwarding rules in iptables do not interfere with the LXD rules.
Can you show in detail how you add your own forwarding rules?


(Najib Nour) #3

So I add my rules with

    iptables -I FORWARD 1 -i TestNetwork -o lxdbr0  -j REJECT
    iptables -I FORWARD 1 -i lxdbr0 -o TestNetwork  -j REJECT

iptables -L would show me

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

The REJECT ones on top are the ones I added.
Once I exit, it reverts to

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

which puts my rules under and not first in the metric.
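A check for the reordering described in this post, as an added example that is not code from the thread: a small POSIX shell script that parses an `iptables -L FORWARD` listing and reports any REJECT rule that has fallen below the LXD-generated ACCEPT rules. The two sample listings are constructed from the ones posted above.

```sh
#!/bin/sh
# Added example, not from the thread: verify that hand-added REJECT rules in
# the FORWARD chain still precede the LXD-generated ACCEPT rules. Input is an
# `iptables -L FORWARD` listing read from stdin; the samples below are
# constructed copies of the two listings shown in the thread.

# Print the 1-based rule position of every REJECT rule that appears after the
# first "generated for LXD network" ACCEPT rule. Return 0 if none, 1 otherwise.
misplaced_rejects() {
    awk '
        # Skip the "Chain ..." and column header lines; count real rules only.
        /^Chain / || /^target / { next }
        NF == 0 { next }
        { rule++ }
        /^ACCEPT / && /generated for LXD network/ { lxd_seen = 1 }
        /^REJECT / && lxd_seen { print rule; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed: the order right after the rules were inserted (REJECT first).
BEFORE_LXC_LS='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */'

# Constructed: the order after `lxc ls`, with the REJECT rules pushed below.
AFTER_LXC_LS='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable'

# Wrapper that takes a listing as $1 and echoes the misplaced rule positions
# (space separated; empty when the order is as intended).
check_listing() {
    printf '%s\n' "$1" | misplaced_rejects | tr '\n' ' ' | sed 's/ $//'
}

# On a live host the equivalent is:  iptables -L FORWARD | misplaced_rejects
```

Running `check_listing "$AFTER_LXC_LS"` prints `2 3`, the positions of the two REJECT rules that ended up below the LXD ACCEPT rule, while the BEFORE listing prints nothing.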


#4

When you restart your computer, systemd starts all services.
Among those services are LXD and iptables-persistent.
What you need to do is inform systemd to start iptables-persistent before starting up LXD, so that the iptables rules of iptables-persistent are able to run first.
For this to work, you need to specify that LXD starts after iptables-persistent has started.
See, for example, https://unix.stackexchange.com/questions/379363/how-can-i-start-systemd-service-units-in-order for how to change the order.


(Najib Nour) #5

I have added lxd.service to the netfilter-persistent service file and still no luck.

    [Unit]
    Description=netfilter persistent configuration
    DefaultDependencies=no

    Before=network-pre.target lxd.service
    Wants=network-pre.target

    Wants=systemd-modules-load.service local-fs.target
    After=systemd-modules-load.service local-fs.target

    Conflicts=shutdown.target
    Before=shutdown.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/sbin/netfilter-persistent start
    ExecStop=/usr/sbin/netfilter-persistent stop

    [Install]
    WantedBy=multi-user.target