Re: LXC, networking and firewalling
- Date: Thu, 16 May 2019 08:40:02 +0300
- From: Reco <recoverym4n@xxxxxxxxxxxx>
- Subject: Re: LXC, networking and firewalling
On Thu, May 16, 2019 at 01:28:41PM +1200, Richard Hector wrote:
> Hi all,
<a description of a conventional Linux bridge was here>
> What I think doesn't work so well is attempting to filter traffic either
> between containers,
"modprobe br_netfilter", then it'll be the same netfilter rules.
> or between a container and the host.
Should work with the minimal hassle. A couple of rules in the FORWARD
chain, and that MASQUERADE rule if you need it.
> Also, ISTR people saying iptables shouldn't be used on a bridge at all.
People also say that one should not use iptables at all, because nft.
> So before I set up my next VPS (and possibly reconfigure my older
> one(s)), is there a better way I should be considering?
It depends. If you need unconditional "container-container" and
"host-container" traffic isolation, you'd probably better use macvlan in
If you need something non-trivial - you'd probably better use
> Do I need to use ebtables on the bridge?
It'll work if you can stomach it. ebtables is very limited compared to
> Will that work between containers?
> Would I be better off using multiple bridges?
Why? It'll complicate your setup for the marginal gain.
> As an aside, if I get access to VLANs from my provider (I don't think
> I've ever (successfully) configured VLANs on Linux before), I assume I
> can include a VLAN in each bridge, and I guess leave the default one out?
You can bridge a tagged network interface with a non-tagged one, it'll
You can make a bridge on top of non-tagged interfaces, and VLANs on top
It all really depends on what you're trying to achieve with 802.1q.
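The setup Reco sketches (load br_netfilter so bridged frames hit the FORWARD chain, a few FORWARD rules, the MASQUERADE rule for the uplink) written out as an added example; it is not from the thread. The bridge name lxcbr0, the 10.0.3.0/24 container subnet and the uplink eth0 are assumptions; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: bridge lxcbr0,
# container subnet 10.0.3.0/24, uplink eth0. Dry-run unless APPLY=1.
BRIDGE=${BRIDGE:-lxcbr0}
CT_NET=${CT_NET:-10.0.3.0/24}
UPLINK=${UPLINK:-eth0}

# Print a command, or execute it (as root) when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Without br_netfilter, frames switched by the bridge never reach iptables.
enable_bridge_netfilter() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Container-to-container: enters and leaves through the same bridge.
isolate_containers() {
    run iptables -A FORWARD -m physdev --physdev-is-bridged \
        -i "$BRIDGE" -o "$BRIDGE" -j DROP
}

# Container-to-host: only DHCP/DNS (dnsmasq) and replies to host-initiated flows.
isolate_host() {
    run iptables -A INPUT -i "$BRIDGE" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -j DROP
}

# Containers may reach the outside; only return traffic comes back in.
allow_uplink() {
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$CT_NET" ! -o "$BRIDGE" -j MASQUERADE
}

main() {
    enable_bridge_netfilter
    isolate_containers
    isolate_host
    allow_uplink
}

main
```

Rule order matters: the container-isolation DROP is appended before the uplink ACCEPTs, so it is evaluated first; check with `iptables -L FORWARD -v -n` that bridged packets actually hit it once br_netfilter is loaded.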