iptables rules ignored when trying to apply filter for lxc container
by crts from LinuxQuestions.org on (#4XMGZ)
I have the following lxc container setup on my host machine:
Code:
+--------------------------------+
|                                |
|          192.168.2.1           |
|     lxcbr (virtual bridge)     |
|            /    \              |
|           /      \             |
|          /        \            |
|   192.168.2.200    \           |
|    container1       \          |
|                  192.168.2.10  |
|                   container2   |
|                                |
+--------------------------------+
I am trying to restrict access to container 192.168.2.10 from other containers. I am using the following ruleset with iptables:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
modprobe ipt_LOG
iptables --table filter -P INPUT DROP
iptables --table filter -P FORWARD DROP
iptables --table filter -P OUTPUT DROP
iptables -t filter -F
iptables -t raw -F
iptables -t raw -I PREROUTING -p tcp --dport 10025 -j TRACE
iptables -t raw -I PREROUTING -p tcp --sport 10025 -j TRACE
iptables -t raw -I PREROUTING -s 192.168.2.10 -j TRACE
iptables -t raw -I PREROUTING -d 192.168.2.10 -j TRACE
iptables -F restrict
iptables -X restrict
iptables -N restrict
iptables -A restrict -j LOG --log-level 6 --log-prefix "[FW] [restrict] ENTERED "
iptables -A restrict -j DROP
iptables -I OUTPUT -s 192.168.2.10 -j restrict
iptables -I OUTPUT -d 192.168.2.10 -j restrict
iptables -I FORWARD -s 192.168.2.10 -j restrict
iptables -I FORWARD -d 192.168.2.10 -j restrict
iptables -I INPUT -d 192.168.2.10 -j restrict
iptables -I INPUT -s 192.168.2.10 -j restrict
When a packet's destination is 192.168.2.10 it shall jump to the chain restrict. However, the rules are ignored. At first I thought that lxcbr might be bypassed, but I can run tcpdump on interface lxcbr and I do see the packets arriving there, both ways:
Code:
# tcpdump -ni lxcbr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lxcbr, link-type EN10MB (Ethernet), capture size 262144 bytes
18:08:28.918571 IP 192.168.2.200.58884 > 192.168.2.10.10025: ...
18:08:28.918631 IP 192.168.2.10.10025 > 192.168.2.200.58884: ...
...
I never see a corresponding log entry in /var/log/messages. I tried to trace the packets with the trace rules in table raw, but I never get any output in /var/log/syslog.
Why do the rules never match? Links to documentation that explains the behaviour would be much appreciated.
Additional info:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    1      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 lxcbr
OS: Slackware 14.2
iptables: v1.6.0
lxc: v2.0.9
I have verified that the tracing works by tracing every packet with:
Code:
iptables -t raw -I PREROUTING -j TRACE
Even with this rule all packets get traced except the ones I am interested in.
PS: I am not looking for a workaround, e.g., putting the containers on separate networks. I want to understand what is going on.
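Added diagnostic for the situation described in the post (editor's example, not code from the original poster): on Linux, frames switched between two ports of the same bridge stay at layer 2 and only reach the IPv4 netfilter hooks (raw PREROUTING, filter FORWARD) when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1; the existence of /proc/sys/net/bridge/bridge-nf-call-iptables is what shows whether that module is present. The script reports that state and lists the ports enslaved to the bridge. It assumes the bridge name lxcbr from the post and the standard kernel paths /proc/sys/net/bridge and /sys/class/net; both paths are parameters so the functions can be run against constructed directories.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): does bridged traffic on
# this host get handed to iptables at all?
# Without br_netfilter, /proc/sys/net/bridge does not exist and frames
# forwarded between two bridge ports never enter the IPv4 netfilter hooks,
# so neither a raw-table TRACE rule nor a FORWARD rule can match them.
# Paths are parameters (defaults are the real kernel locations) so the
# functions can be exercised on constructed directories.

# bridge_nf_state [SYSCTL_DIR]
#   returns 0: bridge-nf-call-iptables is 1 (bridged IPv4 goes through iptables)
#           1: sysctl present but 0 (br_netfilter loaded, hooks disabled)
#           2: sysctl absent (br_netfilter not loaded)
bridge_nf_state() {
    sysctl_dir="${1:-/proc/sys/net/bridge}"
    f="$sysctl_dir/bridge-nf-call-iptables"
    [ -r "$f" ] || return 2
    case "$(cat "$f")" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# bridge_ports BRIDGE [SYSFS_ROOT]
#   prints the interfaces enslaved to BRIDGE, one per line;
#   returns 1 if BRIDGE has no brif directory (i.e. it is not a bridge)
bridge_ports() {
    d="${2:-/sys}/class/net/$1/brif"
    [ -d "$d" ] || return 1
    ls -1 "$d"
}

# explain_bridge_nf [SYSCTL_DIR]
#   prints a one-line verdict; same return code as bridge_nf_state
explain_bridge_nf() {
    bridge_nf_state "$1"
    rc=$?
    case "$rc" in
        0) echo "bridge-nf-call-iptables=1: bridged IPv4 traffic is passed to iptables" ;;
        1) echo "bridge-nf-call-iptables=0: br_netfilter loaded, but iptables hooks are off for bridged traffic" ;;
        2) echo "no $sysctl_dir/bridge-nf-call-iptables: br_netfilter not loaded, bridged traffic bypasses iptables" ;;
    esac
    return "$rc"
}

# Stand-alone run: report for the bridge named in the post.
br=lxcbr
echo "ports on $br: $(bridge_ports "$br" 2>/dev/null | tr '\n' ' ')"
explain_bridge_nf || :
```

If the verdict is "not loaded", the container-to-container packets seen by tcpdump on lxcbr are being switched by the bridge without ever being routed (the route table above has 192.168.2.0/24 directly on lxcbr, so the host's IP layer is not involved), which is why even the catch-all TRACE rule shows every packet except these. Filtering at that layer is done with ebtables on the bridge itself, or the host loads br_netfilter so that bridged IPv4 is handed to the iptables chains. The functions only read kernel state; they change nothing.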