Hi there,
My goal:
LXD container with static public ips on a host with iptables, that is managing the access to the containers.
Example:
a) Ports 80 and 443 on container A are available for a defined IP.
b) Every port on container B is just available for defined IPs (no public access).
c) Every port on all containers for a defined IP
With the default LXC iptables configuration (after the installation), the containers are accessible and the containers are able to connect to the internet (OUTPUT).
Problems:
With the following rules, the containers are not accessible and the containers are not able to connect to the internet (OUTPUT).
Here is my current example configuration (not working):
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -d 111.111.111.111 -j ACCEPT -m comment --comment "a) Allow access to container A with port 80"
-A INPUT -p tcp --dport 443 -d 111.111.111.111 -j ACCEPT -m comment --comment "a) Allow access to container A with port 443"
-A INPUT -s 222.222.222.222 -j ACCEPT -m comment --comment "b) Allow single ip access to host and all containers"
-A INPUT -s 234.234.234.234 -d 123.123.123.123 -j ACCEPT -m comment --comment "c) Allow single ip access to container A"
-A INPUT -i br1 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A FORWARD -o br1 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A FORWARD -i br1 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A OUTPUT -o br1 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A OUTPUT -o br1 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network br1" -j ACCEPT
-A OUTPUT -o br1 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network br1" -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o br1 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network br1" -j CHECKSUM --checksum-fill
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.4.186.0/24 ! -d 10.4.186.0/24 -m comment --comment "generated for LXD network br1" -j MASQUERADE
COMMIT
The list of containers:
+--------+---------+--------------------------------+-----------------------------------------------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+--------+---------+--------------------------------+-----------------------------------------------+------------+-----------+
| con-a | RUNNING | 111.111.111.111 (eth0) | fd42:3c7a:19d4:228f:...:....:....:6dcc (eth1) | PERSISTENT | 0 |
| | | 10.4.186.195 (eth1) | 2a01:4f8:221:1329::195 (eth0) | | |
+--------+---------+--------------------------------+-----------------------------------------------+------------+-----------+
| con-b | RUNNING | 222.222.222.222 (eth0) | fd42:3c7a:19d4:228f:...:....:....:268b (eth1) | PERSISTENT | 0 |
| | | 10.4.186.194 (eth1) | 2a01:4f8:221:1329::194 (eth0) | | |
+--------+---------+--------------------------------+-----------------------------------------------+------------+-----------+
| con-c | RUNNING | 123.123.123.123 (eth0) | fd42:3c7a:19d4:228f:...:....:....:13d3 (eth1) | PERSISTENT | 0 |
| | | 10.4.186.201 (eth1) | 2a01:4f8:221:1329::201 (eth0) | | |
+--------+---------+--------------------------------+-----------------------------------------------+------------+-----------+
I am a beginner with iptables - sorry for that
Versions:
- lxc version: 2.15
- lxd --version: 2.15
- lsb_release -a: Ubuntu 16.10
- iptables --version: v1.6.0
thanks!
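Added example, not part of the original post: a ruleset that moves the per-container access control from INPUT into FORWARD. When a container has its own public address, packets for that address are routed or bridged through the host and traverse the host's FORWARD chain, never INPUT; INPUT only protects the host itself. The assumptions are mine and are not in the post: the public IPs hang off a host bridge named `br0`, and the "defined IPs" allowed to reach con-b are placeholders from the 198.51.100.0/24 documentation range. The container addresses, `br1`, `10.4.186.0/24` and the trusted source `234.234.234.234` are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): host ruleset with the container
# access control in FORWARD. INPUT keeps the rules that protect the host.
#
# Assumptions not stated in the post: the containers' public IPs are attached
# through a host bridge named "br0"; B_ALLOWED uses constructed placeholder
# addresses from the documentation range 198.51.100.0/24.
PUB_BR="br0"                       # assumption: bridge carrying the public IPs
LXD_BR="br1"                       # LXD NAT bridge (from the post)
LXD_NET="10.4.186.0/24"            # LXD NAT network (from the post)
CON_A="111.111.111.111"            # con-a (from the post)
CON_B="222.222.222.222"            # con-b (from the post)
ADMIN_IP="234.234.234.234"         # the single trusted source from the post
B_ALLOWED="198.51.100.10 198.51.100.11"   # constructed: sources allowed to reach con-b

# Emit a complete iptables-restore file on stdout.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- the host itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $ADMIN_IP -m comment --comment "c) admin IP to the host" -j ACCEPT
# LXD's own DNS/DHCP rules for the NAT bridge (as in the post)
-A INPUT -i $LXD_BR -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LXD_BR -p udp --dport 53 -j ACCEPT
-A INPUT -i $LXD_BR -p udp --dport 67 -j ACCEPT
# --- traffic to and from the containers is forwarded, so it is filtered here ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LXD_BR -j ACCEPT
-A FORWARD -o $LXD_BR -j ACCEPT
-A FORWARD -i $PUB_BR -m comment --comment "containers may open outbound connections" -j ACCEPT
-A FORWARD -o $PUB_BR -s $ADMIN_IP -m comment --comment "c) admin IP to every container" -j ACCEPT
-A FORWARD -o $PUB_BR -d $CON_A -p tcp --dport 80 -m comment --comment "a) con-a web" -j ACCEPT
-A FORWARD -o $PUB_BR -d $CON_A -p tcp --dport 443 -m comment --comment "a) con-a web" -j ACCEPT
EOF
  # b) one rule per allowed source for con-b; everything else falls through to DROP
  for ip in $B_ALLOWED; do
    printf '%s\n' "-A FORWARD -o $PUB_BR -s $ip -d $CON_B -m comment --comment \"b) con-b, allowed IPs only\" -j ACCEPT"
  done
  cat <<EOF
# anything else headed for the containers (all of con-c, other ports of con-a,
# con-b from other sources) hits the FORWARD DROP policy
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $LXD_BR -p udp -m udp --dport 68 -m comment --comment "generated for LXD network $LXD_BR" -j CHECKSUM --checksum-fill
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LXD_NET ! -d $LXD_NET -m comment --comment "generated for LXD network $LXD_BR" -j MASQUERADE
COMMIT
EOF
}

# Replace the whole ruleset atomically (needs root); review with gen_rules first.
apply_rules() {
  gen_rules | iptables-restore
}
```

Run `gen_rules` to inspect the file, `apply_rules` to load it. Two things decide whether the host sees this traffic at all: with routed public IPs the host needs `net.ipv4.ip_forward=1`; with a Linux bridge the FORWARD chain only sees bridged frames when the `br_netfilter` module is loaded and `net.bridge.bridge-nf-call-iptables=1`. If the containers get their public addresses through macvlan instead, the host never sees their packets and cannot filter them, and the rules have to live inside the containers or upstream.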