[Firehol-support] how to handle traffic from a virtual container?

Wojtek Swiatek w at swtk.info
Mon Mar 14 12:55:49 GMT 2016


Hello

I am new to firehol and I am trying to understand how to route traffic from
a container (a virtual machine of sorts, based on LXC but it does not
matter). The setup is the following:

+-------------------------------------------------------------------------+
|                                                +--------------------+   |
|  +-----------------------+    +-------------+  |                    |   |           +-------------------------+
|  | virtual container     |    | bridge br1  |  |physical interface  |   |           |                         |
|  | eth0 with 10.10.11.10 +----+ 10.10.11.11 +--+enp3s0              |   +-----------+ ISP box                 +-----+  Internet
|  +-----------------------+    +-------------+  |192.168.0.1         |   |           | 192.168.0.254           |
|                    +---------------------------+                    |   |           |                         |
|                    |                           +--------------------+   |           +-------------------------+
|           host OS  +                                                    |
|                                                                         |
+-------------------------------------------------------------------------+

                     host "srv"

The drawing above is also available at http://pastebin.com/iwC1QcbR if it
is not readable.

I tried to ping 172.217.16.78 (google) from within the virtual container.
When doing a tcpdump on the host OS ("srv") on the bridge br1 I see traffic
coming from 10.10.11.10 directed to 172.217.16.78 (one direction only, the
packets do not come back).
The same ping from srv to google goes through.

When doing a tcpdump on enp3s0 (the actual NIC), I also see the same
traffic going from 10.10.11.10 directed to 172.217.16.78 (one direction
only, the packets do not come back).

The 10.10.11.10 address is probably not rewritten anywhere and the packets
are discarded (probably by the ISP box).

Where should I go now?

I tried the following configuration (aiming at "everything open" to start
with):

version 6

masquerade br1

interface enp3s0 lan
        client all accept
        server all accept

interface br1 vpn
        client all accept
        server all accept

router vpn2internet inface br1 outface enp3s0
        client all accept
        server all accept

router internet2vpn inface enp3s0 outface br1
        client all accept
        server all accept

Thank you for any pointers!
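Editor's added example, not part of Wojtek's message and not taken from the FireHOL project: FireHOL's `masquerade IFACE` helper applies source NAT to traffic leaving the named interface. In the posted configuration `masquerade br1` therefore rewrites packets going out of br1 toward the container, while packets leaving enp3s0 toward the ISP box keep their 10.10.11.10 source, which matches the capture described above. The variant below keeps the posted "everything open" policy and interface/router names unchanged and only moves the masquerade to the ISP-facing NIC.

```firehol
version 6

# NAT is applied to traffic *leaving* the named interface. The container's
# packets leave the host through enp3s0, so that is the interface whose
# output must be masqueraded; br1 only faces the container.
masquerade enp3s0

interface enp3s0 lan
        client all accept
        server all accept

interface br1 vpn
        client all accept
        server all accept

# Container bridge -> Internet. Replies are matched by connection tracking,
# so this router alone is enough for the container to reach outside hosts.
router vpn2internet inface br1 outface enp3s0
        client all accept
        server all accept

# Internet -> container bridge. Kept fully open here to mirror the post;
# this is the router that decides whether unsolicited traffic from the
# ISP side may reach the container, so it is the first one to narrow
# once basic connectivity works.
router internet2vpn inface enp3s0 outface br1
        client all accept
        server all accept
```

After reloading, a tcpdump on enp3s0 filtered on the ping target should show the outgoing packets with the host's enp3s0 address (192.168.0.1 in the drawing) as source and the echo replies coming back, instead of the one-way 10.10.11.10 flow seen before.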


