LXC, networking and firewalling

Hi all,

I have a couple of VPSes (Xen and KVM based), in which I run LXC containers.

Currently I have a bridge device set up on the host (not bridged to the
external network), and iptables to do firewalling and NAT as required.

Here's my bridge setup, if that helps:

auto br0
iface br0 inet static
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0

iface br0 inet6 static
    address fd49:5bcf:0bed:5d9c::1/64

What I think doesn't work so well is attempting to filter traffic either
between containers, or between a container and the host.

Also, ISTR people saying iptables shouldn't be used on a bridge at all.

So before I set up my next VPS (and possibly reconfigure my older
one(s)), is there a better way I should be considering?

Do I need to use ebtables on the bridge? Will that work between containers?

Would I be better off using multiple bridges?

As an aside, if I get access to VLANs from my provider (I don't think
I've ever (successfully) configured VLANs on Linux before), I assume I
can include a VLAN in each bridge, and I guess leave the default one out?
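An added example (not part of the original post or any reply) for the host-only br0 setup above: a ruleset that isolates containers from each other and from host services while still letting them out through NAT. It assumes the uplink is eth0 and that the br_netfilter module is available; the reason iptables seems not to filter between containers is that bridged frames bypass the FORWARD chain until bridge-nf-call-iptables is enabled.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes: bridge br0 (host-only,
# as above), uplink eth0, and that the br_netfilter module is available.

# Succeed only when bridged IPv4 frames are handed to iptables.  Without this,
# container-to-container traffic on br0 is switched inside the kernel bridge
# and never reaches the FORWARD chain, so bridge-level iptables rules are a no-op.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print an iptables-restore ruleset for bridge $1 and uplink $2:
#  - containers may reach the outside via NAT, but not each other
#  - containers may reach only DNS on the host (adjust to taste)
# INPUT keeps policy ACCEPT so applying this cannot lock out SSH on the uplink.
# Per-container exceptions would use "-m physdev --physdev-in <veth>".
# IPv6 needs the same rules in ip6tables plus bridge-nf-call-ip6tables=1.
build_ruleset() {
    br=$1; uplink=$2
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $br -p udp --dport 53 -j ACCEPT
-A INPUT -i $br -p tcp --dport 53 -j ACCEPT
-A INPUT -i $br -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $br -o $br -j LOG --log-prefix "lxc-isolation: "
-A FORWARD -i $br -o $br -j DROP
-A FORWARD -i $br -o $uplink -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $uplink -j MASQUERADE
COMMIT
EOF
}

# Apply only when explicitly asked, and refuse if the bridge rules would be a no-op.
apply_ruleset() {
    bridge_nf_enabled || { echo "run: modprobe br_netfilter; sysctl net.bridge.bridge-nf-call-iptables=1" >&2; return 1; }
    build_ruleset "$1" "$2" | iptables-restore
}
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset "${2:-br0}" "${3:-eth0}"
fi
```

Run without arguments it only defines the functions; `sh script.sh --apply br0 eth0` as root loads the rules. Splitting containers onto separate bridges (or one VLAN per bridge) removes the need for the br0-to-br0 rules entirely, since traffic between bridges is then routed and hits FORWARD on its own.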