Thanks for the feedback, Spike. After looking around for a while, I, too, decided a small ubuntu container with a minimal firewall tool is the way to go. In my case, I used “ufw” but will also look at “firehol”.
Our firewall/NAT requirements are not very large, and I finally figured out the right set of rules we need. In essence, we just need to add these to the /etc/ufw/before.rules file and restart ufw:

------------------------------------------------------------------------
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port Forwardings (change dport to match incoming port and destination:port to match target server behind eth1)
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443

# Use this if you have IP Aliases on the front end pointing to different back-end servers
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22

# NAT traffic from inside network (30.1.1.0/24) through eth0 to the world
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
------------------------------------------------------------------------

The above simply says our NAT router (192.168.24.5) sits in front of a number of private IPs (30.1.1.0/24) and provides port forwarding as well as outbound NAT. The “IP Alias” line can be used in case we need additional front-end IPs (i.e. 192.168.24.6).

Seems to work very well so far. Thanks for all the feedback!

-Ron

> On Apr 27, 2017, at 1:50 PM, Spike <[email protected]> wrote:
>
> after testing one of too many firewall solutions I went back to just running
> plain ubuntu and then put an iptables "frontend" on top of it. In my case I
> chose firehol, but there's a number of them and it's largely a matter of
> taste/how you work.
> It really depends what you care for, if you want an
> appliance kind of thing that won't work, as it doesn't come with batteries
> included, ie a gui, graphs etc, but if you want a clean working firehol
> without the hassle of managing rules yourself, then ubuntu + a fw manager
> will do wonders and actually keeps things simpler ime.
>
> hope that helps,
>
> Spike
>
> On Mon, Apr 24, 2017 at 10:07 PM gunnar.wagner <[email protected]>
> wrote:
> I know that's only touching your point slightly but (as far as I know)
> pfSense requires 2 physical WAN ports in order to run.
> So I'd doubt it can be containerized to begin with
>
>
> On 4/25/2017 12:10 AM, Ron Kelley wrote:
>> Greetings all,
>>
>> I am looking for an easy-to-configure firewall tool that provides
>> NAT/Gateway/Firewall functions for other containers. I know I can use
>> iptables, etc, but I would like something more easily managed (web-based
>> tool?) like pfSense, IPFire, IPCop, etc. Unfortunately, many of the tools
>> are ISO based which require “real” VM instances.
>>
>> I can’t seem to find any turn-key LXD firewall images; maybe I am looking in
>> the wrong place?
>>
>> Any pointers?
>>
>> Thanks.
>> _______________________________________________
>> lxc-users mailing list
>>
>> [email protected]
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
> --
> Gunnar Wagner | Yongfeng Village Group 12 #5, Pujiang Town, Minhang District,
> 201112 Shanghai, P.R. CHINA
> mob +86.159.0094.1702 | skype: professorgunrad | wechat: 15900941702
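As an added example (not part of the thread, and not ufw's own tooling), a small Python check for the *nat fragment Ron posted: it parses the DNAT and MASQUERADE rules, flags any forward whose target lies outside the masqueraded subnet, and emits the `ufw route allow` commands that admit exactly the forwarded flows through ufw's FORWARD chain, whose DEFAULT_FORWARD_POLICY is DROP out of the box. The eth0/eth1 names follow the comments in Ron's rules; the sample below is a constructed copy of his rules with the comment lines dropped.

```python
import ipaddress
import re

# Constructed sample: the *nat fragment from the thread, minus its comment lines.
NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
DNAT_RE = re.compile(
    r"-A PREROUTING -d (?P<front>\S+) -p (?P<proto>tcp|udp) --dport (?P<dport>\d+)"
    r" -j DNAT --to-destination (?P<target>[\d.]+):(?P<tport>\d+)$")
MASQ_RE = re.compile(r"-A POSTROUTING -s (?P<net>\S+) -o (?P<iface>\S+) -j MASQUERADE$")

def parse_nat(text):
    """Return (forwards, masq_nets): one dict per DNAT rule, plus the masqueraded subnets."""
    forwards, nets = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DNAT_RE.match(line):
            f = m.groupdict()
            f["dport"], f["tport"] = int(f["dport"]), int(f["tport"])
            forwards.append(f)
        elif m := MASQ_RE.match(line):
            nets.append(ipaddress.ip_network(m["net"]))
    return forwards, nets

def check_targets(forwards, nets):
    """DNAT targets outside every masqueraded subnet: usually a typo or a stale rule."""
    return [f for f in forwards
            if not any(ipaddress.ip_address(f["target"]) in n for n in nets)]

def route_allow_commands(forwards, wan="eth0", lan="eth1"):
    """ufw's FORWARD chain drops by default (DEFAULT_FORWARD_POLICY in /etc/default/ufw), so DNAT
    alone is not enough; emit one 'ufw route allow' per distinct backend socket instead."""
    seen, cmds = set(), []
    for f in forwards:
        key = (f["target"], f["tport"], f["proto"])
        if key not in seen:
            seen.add(key)
            cmds.append(f"ufw route allow in on {wan} out on {lan} "
                        f"to {f['target']} port {f['tport']} proto {f['proto']}")
    return cmds
```

Forwarding also needs `net/ipv4/ip_forward=1` uncommented in /etc/ufw/sysctl.conf; the 192.168.24.6 alias rule produces no extra command because it reaches the same backend socket.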
