Hello, I installed iptables-persistent and see that after boot the iptables rules are still there, but then, when I run lxc ls, my rules, which were put on top of the LXD rules, are pushed to the bottom. I was wondering whether there is a way for them not to be pushed to the bottom…
Hi!
Normally the forwarding rules in iptables do not interfere with the LXD rules.
Can you show in detail how you add your own forwarding rules?
So I add my rules with
iptables -I FORWARD 1 -i TestNetwork -o lxdbr0 -j REJECT
iptables -I FORWARD 1 -i lxdbr0 -o TestNetwork -j REJECT
iptables -L would then show me
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere /* generated for LXD network TestNetwork */
ACCEPT all -- anywhere anywhere /* generated for LXD network TestNetwork */
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
The REJECT ones on top are the ones I added.
Once I exit, it reverts to
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* generated for LXD network TestNetwork */
ACCEPT all -- anywhere anywhere /* generated for LXD network TestNetwork */
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
which puts my rules underneath and not first in the order.
When you restart your computer, systemd starts all services. Among those services are LXD and iptables-persistent.

What you need to do is tell systemd to start iptables-persistent before starting up LXD, so that the iptables rules of iptables-persistent are able to run first. For this to work, you need to specify that LXD starts after iptables-persistent has started.

See, for example, https://unix.stackexchange.com/questions/379363/how-can-i-start-systemd-service-units-in-order on how to change the order.
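The ordering described in the reply above, as an added example that is not from the thread: instead of editing the packaged unit file (which a package upgrade will overwrite), the script below writes a systemd drop-in for the LXD unit that orders it after the firewall unit, then reloads systemd and shows the effective ordering. The unit names are assumptions: lxd.service is the name used in this thread for a deb-installed LXD (the snap uses snap.lxd.daemon.service instead), and netfilter-persistent.service is the unit iptables-persistent ships on Debian/Ubuntu. The drop-in file name and the helper function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): order LXD after netfilter-persistent via a
# systemd drop-in rather than by editing the packaged unit file.
# Assumed unit names: lxd.service (deb install; the snap uses snap.lxd.daemon.service)
# and netfilter-persistent.service (iptables-persistent on Debian/Ubuntu).

# Write a drop-in for UNIT under ROOT (default /etc/systemd/system) that orders the
# unit after DEP and pulls DEP in. Prints the path of the drop-in it wrote.
write_order_dropin() {
    unit="$1"; dep="$2"; root="${3:-/etc/systemd/system}"
    dir="$root/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/10-after-firewall.conf" <<EOF
# Drop-in: start $unit only after $dep has finished restoring the saved ruleset.
[Unit]
After=$dep
Wants=$dep
EOF
    echo "$dir/10-after-firewall.conf"
}

# Return 0 when drop-in FILE declares an After= line for DEP, 1 otherwise.
dropin_orders_after() {
    grep -qx "After=$2" "$1"
}

# Apply on a live system (needs root), then show the ordering systemd derived.
apply_override() {
    f=$(write_order_dropin lxd.service netfilter-persistent.service)
    systemctl daemon-reload
    echo "wrote $f; effective After= for lxd.service:"
    systemctl show -p After lxd.service
    # After the next boot, confirm the firewall unit really finished first with:
    #   systemd-analyze critical-chain lxd.service
}

# Only touch the running system when explicitly asked: ./order-lxd.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_override
fi
```

Whether this ordering actually keeps the REJECT rules on top is something to check rather than assume: after the reboot, compare `iptables -L FORWARD --line-numbers` immediately after boot and again after starting a container, since the thread shows LXD re-placing its own rules at the top of the chain when it sets up a network.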
I have added lxd.service to the netfilter-persistent service file and still no luck:
[Unit]
Description=netfilter persistent configuration
DefaultDependencies=no
Before=network-pre.target lxd.service
Wants=network-pre.target
Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target
Conflicts=shutdown.target
Before=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/netfilter-persistent start
ExecStop=/usr/sbin/netfilter-persistent stop
[Install]
WantedBy=multi-user.target