Platform: LXD 3.9 running on Arch Linux.
After running lxc init
and going with the default networking suggestions (save for turning off IPv6), I notice that a few iptables rules have been set up automagically:
[root@archlinux ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* generated for LXD network lxdbr0 */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* generated for LXD network lxdbr0 */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* generated for LXD network lxdbr0 */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 /* generated for LXD network lxdbr0 */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* generated for LXD network lxdbr0 */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* generated for LXD network lxdbr0 */
[root@archlinux ~]# iptables -t nat -L -n
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.229.28.0/24 !10.229.28.0/24 /* generated for LXD network lxdbr0 */
My question is, if I’m setting up my own iptables rules on the host (say for forwarding incoming web traffic to a container), do I just ignore the rules LXD creates (because they’ll be created again automagically on reboot no matter what) or should I incorporate them specifically into my own iptables ruleset?
I’m concerned about idempotency in this context.
Apologies if this is fully documented somewhere: I have not come across it yet after many hours of reading.
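One way to handle the idempotency concern raised above, as an added example that is not from the original post or from LXD itself: a POSIX sh script that checks each rule with `iptables -C` before appending it, so re-running it after a reboot never duplicates anything, and that leaves the rules LXD generated untouched. The container address 10.229.28.10, the uplink interface eth0 and the comment text are assumed placeholders; the subnet is the one shown in the post's MASQUERADE rule.

```shell
#!/bin/sh
# Added example (not from the original post): forward incoming web traffic to
# a container behind lxdbr0 without disturbing LXD's own generated rules.
# IPTABLES can be pointed at a wrapper or fake binary for dry runs/testing.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN RULE...: append RULE only if an identical rule is
# not already present. "iptables -C" exits 0 when the rule exists and 1 when
# it does not, which is what makes repeated runs safe. The comment is part of
# the rule, so it must be given to both -C and -A for the match to work.
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# forward_web CONTAINER_IP UPLINK_IF: DNAT host port 80 to the container and
# explicitly allow the forwarded flow. LXD's "ACCEPT all" FORWARD rules stay
# in place; ours are simply appended after them with their own comment tag.
forward_web() {
    cip=$1; wan=$2
    ensure_rule nat PREROUTING -i "$wan" -p tcp --dport 80 \
        -j DNAT --to-destination "$cip:80" \
        -m comment --comment "local: web to container"   # assumed tag
    ensure_rule filter FORWARD -i "$wan" -o lxdbr0 -p tcp -d "$cip" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT \
        -m comment --comment "local: web to container"   # assumed tag
}

# show_lxd_rules: verify after a run that LXD's generated rules are still
# there. Note that a blanket "iptables -F" would remove them as well; they
# only return when LXD brings the network up again.
show_lxd_rules() {
    for t in filter nat; do
        "$IPTABLES" -t "$t" -S | grep 'generated for LXD' || true
    done
}

# Usage: ./forward.sh 10.229.28.10 eth0   (placeholder values)
if [ "$#" -eq 2 ]; then
    forward_web "$1" "$2"
    show_lxd_rules
fi
```

Running the script twice is the idempotency check: the second run appends nothing because every `-C` probe succeeds.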