I have an LXD container on local IP 192.168.69.37 and I want to block it from accessing the local LAN, to
protect others on the LAN should there be a breach of security inside the container.
I’ve studied a few links such as these
but I still seem unable to get this to do what I want. I don’t want to rely on iptables rules set within the container because, if it’s breached, they can be removed. Basically I want to sandbox the container but have it still able to access the web.
$ cat /etc/lsb*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"
$ lxd --version
5.5
$
$ ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.69.18 netmask 255.255.255.0 broadcast 192.168.69.255
inet6 fe80::eade:aad2:9662:ba73 prefixlen 64 scopeid 0x20<link>
ether a0:48:1c:76:9f:7b txqueuelen 1000 (Ethernet)
RX packets 208694899 bytes 100888823720 (100.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60843646 bytes 88925493677 (88.9 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7c00000-f7c20000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7846 bytes 857058 (857.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7846 bytes 857058 (857.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lxdbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.126.130.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fd42:792b:ccc:e513::1 prefixlen 64 scopeid 0x0<global>
ether 00:16:3e:c3:0b:8b txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
$
$ sudo ufw deny from 192.168.69.37 to 192.168.0.0/16
Rule added
$
$
$ sudo ufw reload
Firewall reloaded
$
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
8443 ALLOW Anywhere
192.168.0.0/16 DENY 192.168.69.37
22 (v6) ALLOW Anywhere (v6)
8443 (v6) ALLOW Anywhere (v6)
$
Going inside the container…
$
$ lxc exec OBA-CAMS -- bash
#
# ssh 192.168.69.28 -l rich
rich@192.168.69.28's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-125-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 updates can be applied immediately.
Last login: Fri Aug 26 11:12:14 2022
rich@rich:~$ exit
logout
Connection to 192.168.69.28 closed.
#
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.69.37 netmask 255.255.255.0 broadcast 192.168.69.255
inet6 fe80::216:3eff:fec8:ddae prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:c8:dd:ae txqueuelen 1000 (Ethernet)
RX packets 173870606 bytes 91602648327 (91.6 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 487070 bytes 49353764 (49.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 78699850 bytes 83517012553 (83.5 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 78699850 bytes 83517012553 (83.5 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
After making the connection I can’t see anything helpful in /var/log/ufw.log.
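The following is an added example, not part of the original post. Two things in the transcript matter for why the ufw rule never fires: `ufw deny from ... to ...` without the `route` keyword is an INPUT rule (packets addressed to the host itself), so it can never match traffic the host merely forwards; and lxdbr0 shows zero RX/TX packets while the container holds a 192.168.69.x address, which is consistent with a macvlan-style NIC on eno1, where container frames go out the parent interface without ever passing through the host's netfilter at all. The script below classifies the NIC attachment from a `lxc config device show` dump and prints the host-side ufw rules that can actually see the traffic. The YAML snippets are constructed samples, the macvlan inference is an assumption, and the bridge name lxdbr0 and the 192.168.0.0/16 range are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the container's
# traffic passes through the host's netfilter, then print the host-side rules
# that would apply. The YAML snippets below are constructed for this example.

# Constructed `lxc config device show` output for a NIC attached straight to
# the LAN-facing interface (assumed to be the layout behind a container that
# holds a 192.168.69.x address while lxdbr0 carries no traffic).
SAMPLE_MACVLAN='eth0:
  name: eth0
  nictype: macvlan
  parent: eno1
  type: nic'

# Constructed output for the same NIC re-attached to LXD's managed bridge.
SAMPLE_BRIDGED='eth0:
  name: eth0
  network: lxdbr0
  type: nic'

# nic_mode: read a device dump on stdin and print one of
#   macvlan - frames leave via the parent NIC; host INPUT/FORWARD chains never see them
#   bridged - the host routes (and NATs) the traffic, so FORWARD rules can filter it
#   unknown - anything else
nic_mode() {
  awk '
    /^[[:space:]]*nictype:[[:space:]]*macvlan[[:space:]]*$/ { m = "macvlan" }
    /^[[:space:]]*nictype:[[:space:]]*bridged[[:space:]]*$/ { if (m == "") m = "bridged" }
    /^[[:space:]]*network:[[:space:]]*lxdbr0[[:space:]]*$/  { if (m == "") m = "bridged" }
    END { print (m == "" ? "unknown" : m) }'
}

# plan_rules MODE BRIDGE LAN_CIDR
# Print the ufw commands for "block the LAN, keep the internet", or explain why
# host-side ufw cannot do it in this mode. Lines are printed in the order they
# must be added, because ufw matches rules first-to-last.
plan_rules() {
  mode=$1 bridge=$2 lan=$3
  case $mode in
    bridged)
      # Plain "ufw deny from/to" lands in the INPUT path (packets addressed to
      # the host itself). Forwarded container traffic is matched only by
      # "ufw route" rules, and matching on the ingress bridge avoids depending
      # on whichever 10.x address the container gets from lxdbr0.
      printf 'ufw route deny in on %s to %s\n' "$bridge" "$lan"
      printf 'ufw route allow in on %s\n' "$bridge"
      # Containers still need DHCP and DNS from the bridge address on the host,
      # but nothing else: allow only those ports rather than the whole bridge.
      printf 'ufw allow in on %s proto udp to any port 67\n' "$bridge"
      printf 'ufw allow in on %s to any port 53\n' "$bridge"
      ;;
    macvlan)
      echo "# macvlan: host netfilter is bypassed; no ufw rule on the host matches."
      echo "# Re-attach the NIC to $bridge, or filter upstream on the switch/router."
      ;;
    *)
      echo "# unknown NIC mode; inspect 'lxc config device show <container>'." ;;
  esac
}

# Demonstration run over both constructed samples.
for s in "$SAMPLE_MACVLAN" "$SAMPLE_BRIDGED"; do
  mode=$(printf '%s\n' "$s" | nic_mode)
  echo "mode=$mode"
  plan_rules "$mode" lxdbr0 192.168.0.0/16
done
```

Feed the real dump in with `lxc config device show OBA-CAMS | sh -c '. ./plan.sh; nic_mode'` (file name assumed). Note the trade-off the bridged path implies: once the NIC is on lxdbr0 the container gets a 10.126.130.x address and reaches the internet through the host's NAT, which is exactly what puts the host's FORWARD chain on the path and lets ufw enforce the policy from outside the container.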