I have the following lxc container setup on my host machine:
Code:
+--------------------------------+
|                                |
|          192.168.2.1           |
|      lxcbr (virtual bridge)    |
|            /     \             |
|           /       \            |
|          /         \           |
|  192.168.2.200      \          |
|   container1         \         |
|                   192.168.2.10 |
|                    container2  |
|                                |
+--------------------------------+
I am trying to restrict access to container 192.168.2.10 from other containers. I am using the following ruleset with iptables:
Code:
# enable routing on the host and load the modules used below
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
modprobe ipt_LOG
# default-deny policies, then start from empty filter and raw tables
iptables --table filter -P INPUT DROP
iptables --table filter -P FORWARD DROP
iptables --table filter -P OUTPUT DROP
iptables -t filter -F
iptables -t raw -F
# trace everything involving port 10025 or 192.168.2.10 (output via nf_log / syslog)
iptables -t raw -I PREROUTING -p tcp --dport 10025 -j TRACE
iptables -t raw -I PREROUTING -p tcp --sport 10025 -j TRACE
iptables -t raw -I PREROUTING -s 192.168.2.10 -j TRACE
iptables -t raw -I PREROUTING -d 192.168.2.10 -j TRACE
# (re)create the restrict chain: log the packet, then drop it
# (-F/-X report an error on the very first run, when the chain does not exist yet)
iptables -F restrict
iptables -X restrict
iptables -N restrict
iptables -A restrict -j LOG --log-level 6 --log-prefix "[FW] [restrict] ENTERED "
iptables -A restrict -j DROP
# send any traffic to or from 192.168.2.10 through restrict, in all three chains
iptables -I OUTPUT -s 192.168.2.10 -j restrict
iptables -I OUTPUT -d 192.168.2.10 -j restrict
iptables -I FORWARD -s 192.168.2.10 -j restrict
iptables -I FORWARD -d 192.168.2.10 -j restrict
iptables -I INPUT -d 192.168.2.10 -j restrict
iptables -I INPUT -s 192.168.2.10 -j restrict
When a packet's destination is 192.168.2.10, it shall jump to the chain restrict. However, the rules are ignored. At first I thought that lxcbr might be bypassed, but I can run tcpdump on interface lxcbr and I do see the packets arriving there, both ways:
Code:
# tcpdump -ni lxcbr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lxcbr, link-type EN10MB (Ethernet), capture size 262144 bytes
18:08:28.918571 IP 192.168.2.200.58884 > 192.168.2.10.10025: ...
18:08:28.918631 IP 192.168.2.10.10025 > 192.168.2.200.58884: ...
...
I never see a corresponding log entry in /var/log/messages. I tried to trace the packets with the trace rules in table raw, but I never get any output in /var/log/syslog.
Why do the rules never match? Links to documentation that explains the behaviour would be much appreciated.
Additional info:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    1      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 lxcbr
OS: Slackware 14.2
iptables: v1.6.0
lxc: v2.0.9
I have verified that the tracing works by tracing every packet with:
Code:
iptables -t raw -I PREROUTING -j TRACE
Even with this rule, all packets get traced except the ones I am interested in.
PS: I am not looking for a workaround, e.g., putting the containers on separate networks. I want to understand what is going on.
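As an added diagnostic (not from the original post): traffic between two addresses in the same subnet on a Linux bridge is switched at layer 2 and only reaches the iptables filter table when the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables set to 1, and even then it appears in FORWARD, never in INPUT or OUTPUT. The script below encodes that check; the sysctl path is the kernel's real one, the verdict names and function names are my own.

```sh
#!/bin/sh
# Added diagnostic, not part of the original post. Inputs are passed as
# arguments so the decision logic can be checked offline; live_check at the
# bottom reads the real sysctl on a Linux host.

# ip_to_int A.B.C.D -> unsigned 32-bit value (call inside $(...) so the IFS
# change stays in the subshell)
ip_to_int() {
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> exit 0 when both fall in the same /PREFIXLEN
same_subnet() {
  a=$(ip_to_int "$1")
  b=$(ip_to_int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# bridge_path_verdict SRC DST PREFIXLEN NF_CALL
#   NF_CALL is the content of /proc/sys/net/bridge/bridge-nf-call-iptables,
#   or "absent" when br_netfilter is not loaded (the file then does not exist).
# Prints one of:
#   routed              different subnets: the host routes the packet, so the
#                       FORWARD chain (and a raw PREROUTING TRACE) sees it
#   bridged-filtered    same subnet, br_netfilter active: bridged frames are
#                       handed to iptables FORWARD, not INPUT/OUTPUT
#   bridged-unfiltered  same subnet, no br_netfilter: frames are switched at
#                       layer 2 and iptables is never consulted
bridge_path_verdict() {
  if ! same_subnet "$1" "$2" "$3"; then
    echo routed
  elif [ "$4" = 1 ]; then
    echo bridged-filtered
  else
    echo bridged-unfiltered
  fi
}

# live_check SRC DST [PREFIXLEN]: use the host's real setting
live_check() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then v=$(cat "$f"); else v=absent; fi
  bridge_path_verdict "$1" "$2" "${3:-24}" "$v"
}

if [ $# -ge 2 ]; then live_check "$1" "$2" "$3"; fi
```

Run as `sh check.sh 192.168.2.200 192.168.2.10` on the host; a verdict of bridged-unfiltered means the FORWARD rules and the TRACE rules cannot see container-to-container packets on lxcbr.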