[Firehol-support] how to handle traffic from a virtual container?

Tsaousis, Costa costa at tsaousis.gr
Mon Mar 14 17:37:35 GMT 2016


Hi,

I do not have much experience (Phil may help on this), but this is
what I understand:

Each container can have its own firewall.

At each container and the host, you can only apply rules (interfaces,
routers, NAT, etc.) to interfaces you see with: ip link show.
FireHOL (and iptables) do not complain if an interface is not there
and you are applying rules to it (this is by design - without this
feature you could not have dynamic interfaces like VPNs, firewalled
properly).

Other than the above, the firewall configuration should be the same,
containers or not.

So, treat each container as a different machine (with its own firewall
and QoS), and everything should work.

What I don't know is if you can filter traffic on the bridge container
passing through its bridge. I think you can't (you probably need
ebtables) but I don't have any experience with it. For sure you can
filter packets passing through it if you just route the packets (i.e.
without bridging the interfaces).

I hope this helps.

Costa


On Mon, Mar 14, 2016 at 2:55 PM, Wojtek Swiatek <w at swtk.info> wrote:
> Hello
>
> I am new to firehol and I am trying to understand how to route traffic from
> a container (a virtual machine of sorts, based on LXC but it does not
> matter). The setup is the following:
>
> +-------------------------------------------------------------------------+
> |                                                +--------------------+   |
> |  +-----------------------+    +-------------+  |                    |   |           +-------------------------+
> |  | virtual container     |    | bridge br1  |  |physical interface  |   |           |                         |
> |  | eth0 with 10.10.11.10 +----+ 10.10.11.11 +--+enp3s0              |   +-----------+ ISP box                 +-----+  Internet
> |  +-----------------------+    +-------------+  |192.168.0.1         |   |           | 192.168.0.254           |
> |                    +---------------------------+                    |   |           |                         |
> |                    |                           +--------------------+   |           +-------------------------+
> |           host OS  +                                                    |
> |                                                                         |
> +-------------------------------------------------------------------------+
>
>
>                      host "srv"
>
> The drawing above is also available at http://pastebin.com/iwC1QcbR if it
> is not readable.
>
> I tried to ping 172.217.16.78 (google) from within the virtual container.
> When doing a tcpdump on the host OS ("srv") on the bridge br1 I see traffic
> coming from 10.10.11.10 directed to 172.217.16.78 (one direction only, the
> packets do not come back).
> The same ping from srv to google goes through.
>
> When doing a tcpdump on enp3s0 (the actual NIC), I also see the same
> traffic going from 10.10.11.10 directed to 172.217.16.78 (one direction
> only, the packets do not come back).
>
> The 10.10.11.10 address is probably not rewritten anywhere and the packets
> are discarded (probably by the ISP box).
>
> Where should I go now?
>
> I tried the following configuration (aiming at "everything open" to start
> with):
>
> version 6
>
> masquerade br1
>
> interface enp3s0 lan
>         client all accept
>         server all accept
>
> interface br1 vpn
>         client all accept
>         server all accept
>
> router vpn2internet inface br1 outface enp3s0
>         client all accept
>         server all accept
>
> router internet2vpn inface enp3s0 outface br1
>         client all accept
>         server all accept
>
> Thank you for any pointers!
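The posted `masquerade br1` line is the likely cause of the one-way traffic: FireHOL's `masquerade` helper applies NAT to packets as they leave the named interface, so it rewrote traffic going out br1 (towards the container) and left the source 10.10.11.10 untouched on enp3s0, which is exactly what the tcpdump shows. The corrected configuration below is an added example, not from the thread; it assumes the addresses in the drawing and only opens what the container needs to reach the Internet.

```firehol
version 6

# As posted: NAT on packets LEAVING br1, i.e. heading into the container.
# Packets leaving enp3s0 keep source 10.10.11.10, the ISP box has no route
# back to 10.10.11.0/24 and drops the replies.
# masquerade br1

# Fixed: NAT on packets leaving the interface towards the ISP box, so the
# source becomes 192.168.0.1 and replies return to srv, where conntrack
# maps them back to 10.10.11.10.
masquerade enp3s0

interface enp3s0 lan
        client all accept
        server all accept

interface br1 vpn
        client all accept
        server all accept

# Container-initiated connections towards the Internet; replies are
# matched statefully, so no reverse router is required. Omitting the
# internet2vpn router keeps unsolicited Internet -> container traffic out.
router vpn2internet inface br1 outface enp3s0
        server all accept
```

To verify on srv, `iptables -t nat -L POSTROUTING -v -n` should list a MASQUERADE rule whose `out` column is enp3s0, and `sysctl net.ipv4.ip_forward` should report 1; a tcpdump on enp3s0 should then show the pings leaving with source 192.168.0.1 and the replies coming back.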
