On Fri, Sep 29, 2017 at 7:23 PM, Björn Fischer <[email protected]> wrote:
> root@drax:/root# lxc shell moonraker
>

Wow

# lxc | egrep 'shell|exec'
  exec        Execute commands in containers

'shell' is not even in the lxc command line help yet :)
Thanks for letting me know that command exists.

> [ iptables rule is active but has no effect on ping in container ]
> ------snip------
>
> Certainly I am missing something very obvious.
> If anyone could point me in the right direction,
> I would appreciate that.
>

My GUESS is that iptables treats container traffic as a separate host, due to
it being in a separate network namespace. So the host has no idea what PID the
ping traffic is from. The host only knows that the traffic comes from a
veth* interface, which is attached to lxdbr0, and then it needs to FORWARD
it to eth0 (or whatever your host's public interface is).

So this should work:

iptables -I FORWARD -s 10.0.160.33 -p ICMP -j DROP

OUTPUT and INPUT won't work, FORWARD does. Of course, cgroups won't work
with FORWARD, so you need to find a criterion (e.g. source IP) that does.

--
Fajar
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
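To make the point in Fajar's reply checkable, here is an added example (not part of the thread, and not LXD's or iptables' own code). It builds the FORWARD rule for a container IP and, more usefully, inspects an `iptables-save` dump to report which chains carry a DROP for that source, so a rule that landed only in OUTPUT or INPUT (the situation in the original question) is flagged as ineffective. The container IP 10.0.160.33 and bridge lxdbr0 come from the thread; the uplink name eth0 is a placeholder, and the dump is constructed sample text rather than real host output.

```shell
#!/bin/sh
# Added example. Assumptions: container IP 10.0.160.33 and bridge lxdbr0 are
# taken from the thread; "eth0" stands in for whatever the host uplink is.

# Print the host-side rule that drops ICMP from the container. Packets from a
# container's network namespace enter the host as forwarded traffic
# (veth -> lxdbr0 -> uplink), so they traverse FORWARD, never INPUT/OUTPUT,
# and socket-owner matches such as -m cgroup or -m owner cannot see them.
forward_drop_rule() {
    # $1 = container IP
    printf 'iptables -I FORWARD -s %s -p icmp -j DROP\n' "$1"
}

# Read an `iptables-save` dump on stdin and print every chain that holds a
# DROP whose source is the given IP. Only a hit in FORWARD takes effect for
# container traffic; OUTPUT/INPUT hits are the misconfiguration to look for.
drop_chains_for_source() {
    awk -v ip="$1" '
        BEGIN { gsub(/\./, "\\.", ip) }          # literal dots in the regex
        $1 == "-A" && $0 ~ ("-s " ip "(/32)? ") && $0 ~ /-j DROP/ { print $2 }
    '
}

# Returns 0 when a FORWARD DROP exists for the IP in the dump ($2), else 1.
container_icmp_blocked() {
    printf '%s\n' "$2" | drop_chains_for_source "$1" | grep -qx FORWARD
}

# Constructed sample dump: the ineffective OUTPUT rule from the question plus
# the FORWARD rule from the answer.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.160.33/32 -p icmp -j DROP
-A FORWARD -i lxdbr0 -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.160.33/32 -p icmp -j DROP
COMMIT'

# Stand-alone run: show the rule and where the sample dump drops that source.
forward_drop_rule 10.0.160.33
printf '%s\n' "$SAMPLE_DUMP" | drop_chains_for_source 10.0.160.33
```

On a live host, replace the sample with `iptables-save | drop_chains_for_source 10.0.160.33`; if only OUTPUT or INPUT is printed, the container's pings will keep going out, exactly as the original poster saw.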
