Old 06-03-2016, 11:04 AM   #1
TWfromSWD
LQ Newbie
 
Registered: Jun 2016
Posts: 8

Internet access for LXC container


Hi

I want to set up an LXC container that should only have network access to the LXC host and to the internet gateway on the LAN. My current setup is:

Code:
auto eth0
iface eth0 inet static
  address     192.168.0.30
  netmask     255.255.255.0
  gateway     192.168.0.3

auto wfrog0
iface wfrog0 inet static
  address     192.168.1.1
  netmask     255.255.255.0
  bridge_ports none
eth0 is my network card with LAN and Internet access.
wfrog0 is the bridge used by my LXC container.

So how can I give my container internet access without giving it access to any other computers in the LAN?
 
Old 06-03-2016, 11:43 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Might need to configure iptables. Here's a gist that illustrates what I mean. https://gist.github.com/EnigmaCurry/7895407#firewall
 
Old 06-05-2016, 01:19 PM   #3
TWfromSWD
LQ Newbie
 
Registered: Jun 2016
Posts: 8

Original Poster
I tried a lot of things and finally I have the following configuration:

My iptable rules on the host:
Code:
*filter

# log iptables denied calls (access via 'dmesg' command)
 -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
 -A OUTPUT  -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT denied: " --log-level 7
 -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD denied: " --log-level 7

COMMIT

*nat

# HomeMatic webinterface access
 -A PREROUTING -p tcp -d 192.168.0.31 --dport 80 -j DNAT --to-destination 192.168.1.3:80

# wfrog ssh access
 -A PREROUTING -p tcp -d 192.168.0.32 --dport 22 -j DNAT --to-destination 192.168.1.2:22

# public network access
 -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# container network access
 -A POSTROUTING -s 192.168.0.0/24 -o lxcbr0 -j MASQUERADE

COMMIT
My interfaces on the host:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address     192.168.0.30
  netmask     255.255.255.0
  gateway     192.168.0.3

auto eth0:1
iface eth0:1 inet static
  address     192.168.0.31
  netmask     255.255.255.0

auto eth0:2
iface eth0:2 inet static
  address     192.168.0.32
  netmask     255.255.255.0

auto lxcbr0
iface lxcbr0 inet static
  address     192.168.1.1
  netmask     255.255.0.0
  bridge_ports none
  bridge_fd 0
  bridge_maxwait 0
And the interfaces on my wfrog container
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.1.2
  netmask 255.255.0.0
  gateway 192.168.0.3
I can ping my host from the wfrog container (192.168.0.30) but I can't ping the rest of the network. Also I can't access the Internet (gateway 192.168.0.3). The problem is, I just don't know what I have to do to get this part working. I already tried:
Code:
-A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
 
Old 06-14-2016, 01:52 PM   #4
TWfromSWD
LQ Newbie
 
Registered: Jun 2016
Posts: 8

Original Poster
I finally got it figured out. I just had to forward DNS requests and HTTP access.

My iptables config on the host:

Code:
*filter

# log iptables denied calls (access via 'dmesg' command)
 -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
 -A OUTPUT  -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT denied: " --log-level 7
 -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD denied: " --log-level 7

COMMIT

*nat

# HomeMatic webinterface access
 -A PREROUTING -p tcp -d 192.168.0.31 --dport 80 -j DNAT --to-destination 192.168.1.3:80

# wfrog ssh access
 -A PREROUTING -p tcp -d 192.168.0.32 --dport 22 -j DNAT --to-destination 192.168.1.2:22

# http and https access from wfrog to the internet (https is TCP port 443)
 -A PREROUTING -p tcp -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.0.3:80
 -A PREROUTING -p tcp -d 192.168.1.1 --dport 443 -j DNAT --to-destination 192.168.0.3:443

# dns requests from wfrog
 -A PREROUTING -p udp -d 192.168.1.1 --dport 53 -j DNAT --to 192.168.0.251
 -A PREROUTING -p tcp -d 192.168.1.1 --dport 53 -j DNAT --to 192.168.0.251

# public network access
 -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# container network access
 -A POSTROUTING -s 192.168.0.0/24 -o lxcbr0 -j MASQUERADE

COMMIT
And the network configuration for the container:

Code:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:73:cb:05

lxc.network.ipv4 = 192.168.1.2
lxc.network.ipv4.gateway = 192.168.1.1
And I had to add the address of my bridge to the resolv.conf of the container:
Code:
nameserver 192.168.1.1

Last edited by TWfromSWD; 06-14-2016 at 01:53 PM. Reason: grammar
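The FORWARD rule tried in post #3 and the per-port DNAT workaround in post #4 both get the container online, but neither expresses the original requirement (Internet yes, rest of the LAN no) as a forwarding policy. The script below is an added example, not code from the thread or from any of its posters: it generates an iptables-restore ruleset for the thread's layout (lxcbr0 / 192.168.1.0/24 on the container side, eth0 / 192.168.0.0/24 on the LAN side, gateway 192.168.0.3, LAN resolver 192.168.0.251) with a default-DROP FORWARD chain that allows only DNS into the LAN and lets everything else through only when it is not LAN-bound. The interface names, subnets and addresses are assumptions taken from the posts and should be adjusted for the real host.

```bash
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that gives an
# LXC container Internet access through the host while denying it the rest of the LAN.
# Interface names, subnets, gateway and resolver below are ASSUMED from the thread.
LXC_IF=lxcbr0
LAN_IF=eth0
LXC_NET=192.168.1.0/24
LAN_NET=192.168.0.0/24
LAN_DNS=192.168.0.251

# Emit the ruleset on stdout so it can be reviewed (or diffed) before it is loaded.
gen_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies for flows the container opened may come back in
-A FORWARD -i $LAN_IF -o $LXC_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The LAN resolver is the only LAN destination the container may reach
-A FORWARD -i $LXC_IF -o $LAN_IF -s $LXC_NET -d $LAN_DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LXC_IF -o $LAN_IF -s $LXC_NET -d $LAN_DNS -p tcp --dport 53 -j ACCEPT
# Every other LAN destination is logged (rate limited) and dropped
-A FORWARD -i $LXC_IF -o $LAN_IF -s $LXC_NET -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "lxc->lan denied: "
-A FORWARD -i $LXC_IF -o $LAN_IF -s $LXC_NET -d $LAN_NET -j DROP
# Whatever is left is not on the LAN, i.e. Internet-bound via the default gateway
-A FORWARD -i $LXC_IF -o $LAN_IF -s $LXC_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the container subnet behind the host's LAN address
-A POSTROUTING -s $LXC_NET -o $LAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check: iptables evaluates rules top to bottom and the first match wins, so the
# LAN DROP rule must appear before the catch-all ACCEPT or the isolation is silently lost.
forward_order_ok() {
    drop=$(gen_rules | grep -n -- "-d $LAN_NET -j DROP" | cut -d: -f1)
    accept=$(gen_rules | grep -n -- "-s $LXC_NET -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Load the ruleset (root only). Forwarding must be enabled on the host as well.
apply_rules() {
    forward_order_ok || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

# Review with: sh this_script.sh | less ; load with: sudo sh -c '. ./this_script.sh; apply_rules'
gen_rules
```

With this ruleset the container's resolv.conf can point straight at 192.168.0.251 (the DNAT of port 53 on the bridge address in post #4 is no longer needed), and any attempt from the container to reach another LAN host shows up in `dmesg` with the `lxc->lan denied:` prefix. One detail from post #3 worth checking separately: the container there has netmask 255.255.0.0 with gateway 192.168.0.3, so it treats the gateway as directly attached to the bridge and ARPs for it there, where nothing answers; a /24 mask with the bridge address 192.168.1.1 as gateway (as in post #4) is what actually routes the traffic through the host.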
 