Web lists-archives.com

Re: LXC, networking and firewalling




	Hi.

On Thu, May 16, 2019 at 01:28:41PM +1200, Richard Hector wrote:
> Hi all,
<a description of a conventional Linux bridge was here>
> What I think doesn't work so well is attempting to filter traffic either
> between containers,

"modproble br_netfilter", then it'll be the same netfilter rules.

> or between a container and the host.

Should work with the minimal hassle. A couple of rules in the FORWARD
chain, and that MASQUERADE rule if you need it.

> Also, ISTR people saying iptables shouldn't be used on a bridge at all.

People also say that one should not use iptables at all, because nft.
So what?

> So before I set up my next VPS (and possibly reconfigure my older
> one(s)), is there a better way I should be considering?

It depends. If you need unconditional "container-container" and
"host-container" traffic isolation, you'd probably better use macvlan in
private mode.
If you need something non-trivial - you'd probably better use
openvswitch.

> Do I need to use ebtables on the bridge?

It'll work if you can stomach it. ebtables' is very limited compared to
the iptables.

> Will that work between containers?

Yep.

> Would I be better off using multiple bridges?

Why? It'll complicate your setup for the marginal gain.

> As an aside, if I get access to VLANs from my provider (I don't think
> I've ever (successfully) configured VLANs on Linux before), I assume I
> can include a VLAN in each bridge, and I guess leave the default one out?

You can bridge a tagged network interface with a non-tagged one, it'll
work.
You can make a bridge on top of non-tagged interfaces, and VLANs on top
of it.
It all really depends on what you're trying to achieve with 802.1q.

Reco