[Solved] iptables-modules loaded by LXD permanently

Hi,
even if I never ever choose to create a local bridge (lxdbr0) during the «lxd init» procedure and only set up an unmanaged bridge exclusively, LXD does load iptables modules into the kernel permanently as long as LXD itself or a container has started up.

I NEED to avoid iptables, hence those modules being actively loaded.

Has anyone an idea how to solve this?

That’s going to be somewhat tricky since iptables auto-loads the various netfilter modules, so all it needs is any call to iptables to have them all loaded. LXD itself never loads them directly but any script or even container process may cause that to happen.

You can try putting those modules in the modprobe blacklist? That may help.


Thank you very much indeed for your quick response and hint.
But … no, it didn’t succeed.
Eventually everything I tried failed.

After a long time fiddling around finding the needed information, I came across some links and hints to solve my problem. Perhaps someone needs this clue:

Firstly, I have to mention my container(s) sit within a qemu host.
Secondly, in terms of having long IP blacklists due to fail2ban and other tools, it's hard to handle things with iptables at all anyway (performance!).

Since iptables 1.8 was released, which is built on top of nftables at kernel level, things are much easier when deploying LXD containers, because it is not buggy if you have iptables and nftables loaded simultaneously. But it depends; try it at your own risk.

But for me it was the only solution.

I removed iptables 1.6 by
apt remove --purge iptables

Installed iptables 1.8.x instead from source,
installed nftables from source:

https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources

ran my nft -f firewallscript

and that was all, folks.

more on
https://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.2
http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/iptables.html
https://lwn.net/Articles/759184/

At the end just a version of my host-firewallscript for dealing with lxd-containers. help yourself:

-------- snip ---------------
#!/sbin/nft -f

flush ruleset

define net_lxd = 10.124.175.0/24
define nic_lxd = pippi0
define haproxy = 10.124.175.54

define red = ens3

include "./fail2ban.conf"

table netdev filter {
    # blacklist.nft is expected to define the "blacklist" set used below
    include "./blacklist.nft"

    chain loinput {
        type filter hook ingress device lo priority 0; policy accept;
    }

    chain layer2 {
        type filter hook ingress device ens3 priority -400;

        udp dport { 5678, 67, 137, 138, 445 } counter drop
        tcp dport { 5678, 67, 137, 138, 445, 79 } counter drop
        tcp dport ssh limit rate over 10/minute counter drop
        tcp dport telnet limit rate over 10/minute counter drop
        tcp dport ftp limit rate over 10/minute counter drop
        ip saddr @blacklist counter drop
    }
}

# The table line for the output/forward/input chains was missing from the
# posted script (they cannot live in a netdev table, which only has the
# ingress hook); "inet filter" is assumed here.
table inet filter {
    chain output {
        type filter hook output priority 0;
        ct state established accept
        ct state related accept
        oif lo accept
        ct state new counter accept
        oifname $nic_lxd tcp sport 53 accept
        oifname $nic_lxd udp sport 53 accept
        oifname $nic_lxd udp sport 67 accept
        oifname $nic_lxd udp sport 68 accept

        counter comment "count accepted packets"
    }

    chain forward {
        type filter hook forward priority 0;
        iifname $nic_lxd accept
        oifname $nic_lxd accept
        counter comment "count dropped packets"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter log prefix "INVALID " drop comment "drop invalid packets"
        ct state { established, related } accept
        iifname lo accept comment "accept loopback"
        ip protocol icmp accept comment "accept all icmp types"
        iifname $nic_lxd tcp dport 53 accept
        iifname $nic_lxd udp dport 53 accept
        iifname $nic_lxd udp dport 67 accept

        tcp dport 21 log prefix "--- FTP ---" counter drop
        tcp dport 22 log prefix "--- SSH ---" counter drop
        tcp dport 23 log prefix "--- TELNET ---" counter drop

        counter log prefix "LAST INPUT " comment "count dropped packets"
    }
}

table ip mangle {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain input {
        type filter hook input priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain postrouting {
        type filter hook postrouting priority 0; policy accept;
        # "ip checksum 68" only matches an IPv4 header checksum equal to 68;
        # nft has no equivalent of the iptables CHECKSUM --checksum-fill target
        oifname $nic_lxd udp dport bootpc ip checksum 68 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # the post had a literal 10.179.125.54 here, which lies outside
        # $net_lxd; the otherwise unused $haproxy define is assumed intended
        iifname $red tcp dport { 80, 443 } dnat to $haproxy
        counter comment "count accepted packets"
    }

    chain input {
        type nat hook input priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain output {
        type nat hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        ip saddr $net_lxd ip daddr != $net_lxd masquerade
        counter comment "count accepted packets"
    }
}
Hope it helps anyone.

Are you sure Stéphane’s suggestion to blacklist the modules didn’t work? i.e. putting a file into /etc/modprobe.d/ with the contents:

install ip_tables /bin/false
install x_tables /bin/false

Anyway, thanks for sharing your ruleset.
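A way to check both points under discussion on a host (whether any ip_tables/x_tables family modules are currently loaded, and whether a modprobe.d override like the one above is in place), as an added shell example that is not from any poster in this thread; the module list and modprobe.d paths are parameters so it can also run against constructed sample files:

```shell
#!/bin/sh
# Added example, not from any poster in this thread.
#   xt_modules_loaded [modules-file]   - print loaded ip_tables/x_tables family
#                                        modules (default source: /proc/modules);
#                                        returns 0 if any are loaded, 1 if none
#   module_blocked <module> [dir]      - is there an "install <module> /bin/false"
#                                        override in the modprobe.d directory?

xt_modules_loaded() {
    modfile="${1:-/proc/modules}"
    # /proc/modules lines: "<name> <size> <refcount> <users> <state> <addr>"
    # nf_tables itself is deliberately not matched; only the iptables side is.
    found=$(awk '$1 ~ /^(ip_tables|ip6_tables|x_tables|iptable_|ip6table_|xt_)/ { print $1 }' "$modfile")
    [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    return 1
}

module_blocked() {
    mod="$1"
    dir="${2:-/etc/modprobe.d}"
    # -s keeps grep quiet when the directory holds no *.conf files
    grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)" "$dir"/*.conf
}
```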

Yes, I am.

Stéphane posted this to a similar question I asked:

If you don’t want LXD to [inject iptables rules], you can set ipv4.firewall and ipv6.firewall to false in your network’s configuration and then incorporate those rules into your own firewall script.

How is this case different from that?

It’s the scope.

Stéphane's suggestion means that you can “switch off” those iptables rules which are implemented automatically per container by default. That implies you are still using iptables.

BUT this method does NOT prevent loading iptables modules into the kernel on the host machine whenever you start LXD or just a container.

The point is you cannot mix iptables with nftables before version 1.8, right?