On Fri, Sep 29, 2017 at 02:23:40PM +0200, Björn Fischer wrote:
> Hello LXC-Users,
>
> here at the CeBiTec, Bielefeld University, I'm currently looking
> into replacements for Solaris zones. Now that you can even use
> Docker in unprivileged LXD containers, an LXD based solution
> seems to be a candidate for larger deployment.
>
> But there still is one issue I have with LXD containers. I want
> to be able to filter traffic from and to specific LXD containers
> on the host with iptables. I approached this using cgroups and
> net_cls. While this works for processes on the host, it does not
> work for processes in containers.
Containers are like separate machines and can be managed as such. If each container has an IP address, why can't you hide them behind the host via NAT and manage connections to them in iptables' FORWARD chain?

Alternatively, you can create an iptables ruleset on the host and mount it inside a container. For instance, in archlinux the mountpoint will be rootfs/etc/iptables/iptables.rules and in fedora -- rootfs/etc/sysconfig/iptables. Of course, this is assuming the default service/init script.

If you are still interested, I can explain in more detail how we manage containers here...

HTH,
L.
--
Leonid Isaev

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
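The NAT-plus-FORWARD-chain approach from the reply above, as an added example that is not code from the thread: a script that emits an iptables-restore ruleset hiding the container subnet behind the host with MASQUERADE and filtering each container in the host's FORWARD chain by its IP. The bridge name lxdbr0, the subnet 10.0.3.0/24 and the container addresses are constructed values.

```shell
#!/bin/sh
# Added example: generate a host ruleset that filters LXD containers per IP.
BRIDGE="lxdbr0"        # assumed LXD bridge on the host
SUBNET="10.0.3.0/24"   # assumed container subnet behind that bridge

# Per-container FORWARD policy: new outbound TCP connections only to the listed
# ports; anything else from that address is logged then dropped; unsolicited
# inbound traffic to the container is dropped.
# usage: container_rules <container_ip> <comma-separated tcp ports>
container_rules() {
    ip="$1"; ports="$2"
    printf -- '-A FORWARD -s %s -i %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ip" "$BRIDGE" "$ports"
    printf -- '-A FORWARD -s %s -i %s -j LOG --log-prefix "lxd-drop: "\n' "$ip" "$BRIDGE"
    printf -- '-A FORWARD -s %s -i %s -j DROP\n' "$ip" "$BRIDGE"
    printf -- '-A FORWARD -d %s -o %s -j DROP\n' "$ip" "$BRIDGE"
}

# Whole ruleset in iptables-restore format. Reply packets are accepted before
# any per-container line, so those lines only ever decide on new flows.
# usage: gen_ruleset <ip:ports> [<ip:ports> ...]
gen_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        container_rules "${spec%%:*}" "${spec#*:}"
    done
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    printf -- '-A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$SUBNET" "$BRIDGE"
    echo 'COMMIT'
}

# Constructed example: a web container may only open connections to 80/443,
# a database container only to 5432. Review the output, then load it as root
# with: gen_ruleset ... > rules.v4 && iptables-restore < rules.v4
gen_ruleset 10.0.3.10:80,443 10.0.3.11:5432
```

iptables-restore replaces the whole filter and nat tables, so merge these lines with any rules LXD already installs for a managed bridge (check `iptables -S` first) rather than loading them blind.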
