Lxd iptables-persistent

Hello, I installed iptables-persistent and see that after boot the iptables rules are still there, but then when I initiate lxc ls, my rules that were put on top of the LXD rules are pushed to the bottom. I was wondering if there was a way for them not to be pushed to the bottom…

Hi!

Normally the forwarding rules in iptables do not interfere with the LXD rules.
Can you show in detail how you add your own forwarding rules?

So I add my rules with

    iptables -I FORWARD 1 -i TestNetwork -o lxdbr0  -j REJECT
    iptables -I FORWARD 1 -i lxdbr0 -o TestNetwork  -j REJECT

iptables -L would show me

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

The REJECT ones on top are the ones I added.
Once I exit, it reverts to

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network TestNetwork */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

which puts my rules under and not first in the metric

When you restart your computer, systemd starts all services.
Among those services are LXD and iptables-persistent.
What you need to do is inform systemd to start iptables-persistent before starting up LXD, so that the iptables rules of iptables-persistent are able to run first.
For this to work, you need to specify to start LXD after it started iptables-persistent.
See, for example, at https://unix.stackexchange.com/questions/379363/how-can-i-start-systemd-service-units-in-order on how to change the order.
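Whichever way the start order is arranged, the thing worth verifying afterwards is the rule order itself. The following check is an added example, not code from the thread or from LXD: it reads `iptables -S FORWARD` output on stdin and reports whether the REJECT rules between TestNetwork and lxdbr0 still sit above LXD's generated ACCEPT rules. The two sample chains are constructed from the listings above, not captured from a host.

```shell
#!/bin/sh
# Added example: check that custom REJECT rules precede LXD's generated ACCEPT
# rules in the FORWARD chain. Interface names are taken from the thread; the
# sample chains below are constructed, not captured from a real host.

# Exit 0 when every REJECT rule naming TestNetwork or lxdbr0 appears before the
# first LXD-generated ACCEPT rule, 1 when at least one is ordered after it.
check_forward_order() {
    awk '
        /^-A FORWARD / && /generated for LXD network/ && /-j ACCEPT/ && !lxd_at { lxd_at = NR }
        /^-A FORWARD / && /-j REJECT/ && /(TestNetwork|lxdbr0)/ && lxd_at { late++ }
        END { exit (late ? 1 : 0) }
    '
}

# Constructed: the chain right after the two manual "iptables -I FORWARD 1" inserts.
sample_wanted() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i lxdbr0 -o TestNetwork -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i TestNetwork -o lxdbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o TestNetwork -m comment --comment "generated for LXD network TestNetwork" -j ACCEPT
-A FORWARD -i TestNetwork -m comment --comment "generated for LXD network TestNetwork" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
EOF
}

# Constructed: the chain after LXD's ACCEPT rules have ended up on top.
sample_reverted() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -o TestNetwork -m comment --comment "generated for LXD network TestNetwork" -j ACCEPT
-A FORWARD -i TestNetwork -m comment --comment "generated for LXD network TestNetwork" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -o TestNetwork -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i TestNetwork -o lxdbr0 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# On a live host, as root:  iptables -S FORWARD | check_forward_order
for s in sample_wanted sample_reverted; do
    if "$s" | check_forward_order; then
        echo "$s: REJECT rules precede the LXD ACCEPT rules"
    else
        echo "$s: LXD ACCEPT rules are ahead, so lxdbr0 and TestNetwork can still reach each other"
    fi
done
```

The check only looks at rule order, not at whether the rules match the traffic you intend to block, so pair it with a test connection between the two bridges.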

I have added lxd.service to the netfilter-persistent service file and still no luck.

    [Unit]
    Description=netfilter persistent configuration
    DefaultDependencies=no

    # lxd.service added so that this unit is ordered before LXD
    Before=network-pre.target lxd.service
    Wants=network-pre.target

    Wants=systemd-modules-load.service local-fs.target
    After=systemd-modules-load.service local-fs.target

    Conflicts=shutdown.target
    Before=shutdown.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/sbin/netfilter-persistent start
    ExecStop=/usr/sbin/netfilter-persistent stop

    [Install]
    WantedBy=multi-user.target