0

I installed lxc-container (fedora 29 amd64) on my ubuntu 18.04 system. The linux container had no firewall command line tools. Therefore I installed iptables into my container and it installed successfully.

However I tried to configure the interfaces to drop all incoming and outgoing packets which did not work. I am giving you all the details here.

The command ip \a gave;

[root@fedora29 ~]# ip \a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host 
 valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether 00:16:3e:4c:d8:bf brd ff:ff:ff:ff:ff:ff link-netnsid 0
 inet 10.0.3.52/24 brd 10.0.3.255 scope global dynamic eth0
 valid_lft 3456sec preferred_lft 3456sec
 inet6 fe80::216:3eff:fe4c:d8bf/64 scope link 
 valid_lft forever preferred_lft forever

I have iptables rules as follows;

[root@fedora29 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination 
Chain FORWARD (policy ACCEPT)
target prot opt source destination 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Therefore I added the following two rules

iptables --table filter --append INPUT --in-interface eth0@if8 --jump DROP
iptables --table filter --append OUTPUT --out-interface eth0@if8 --jump DROP

When I finally saved the configuration with 

 iptables-save

[root@fedora29 ~]# iptables-save
# Generated by iptables-save v1.8.0 on Wed Feb 20 08:41:43 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0@if8 -j DROP
-A OUTPUT -o eth0@if8 -j DROP
COMMIT
# Completed on Wed Feb 20 08:41:43 2019

However the same worked fine with my ubuntu host system, where the interface is named lxcbr0.

Rui F Ribeiro
57.9k27 gold badges154 silver badges237 bronze badges
asked Feb 20, 2019 at 9:47
3
  • have you reloaded the iptables service after saving? systemctl iptables reload Commented Feb 20, 2019 at 13:12
  • @RobotJohnny It's giving . Failed to reload iptables.service: Unit iptables.service not found. Commented Feb 21, 2019 at 7:29
  • What do you think is the result of ip \a in contrast to ip a? Commented May 29, 2023 at 17:07

2 Answers 2

1

Just remove @if8 from the interface name in your rules, because it's not part of the interface name. The interface name is just eth0.

@if8 is a clue given about the link peer interface, and is dynamic: for example it could change after container restart.

For more information on the meaning of @if8 you can see my answer there:
What does "if1@if2" mean in interface name in output of "ip address" command on Ubuntu

answered Feb 20, 2019 at 16:14
1
  • this solved my problem. I don't know how to mark this answer as solved. Thank you very much. I just omitted @if8 in the iptables of fedora29 lxc and it worked like charm. The other issue is that when i tried to implement . systemctl reload iptables . it gave me an error that ` Failed to reload iptables.service: Unit iptables.service not found .` Commented Feb 21, 2019 at 7:27
0

Firstly I need to thank @A.B for his response as it cleared my issue. While I tried using policy for the built-in chain without giving the interface it worked.....

[root@fedora29 ~]# iptables --table filter --policy INPUT DROP
[root@fedora29 ~]# iptables --table filter --policy OUTPUT DROP
[root@fedora29 ~]# iptables-save > /etc/network/iptables 
[root@fedora29 ~]# iptables-apply /etc/network/iptables 
Applying new ruleset... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.

However when i tried to list the rules using iptables -L i did observe that no new rules were created but the policy of the rules are modified as shown...

[root@fedora29 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination 
Chain FORWARD (policy ACCEPT)
target prot opt source destination 
Chain OUTPUT (policy DROP)
target prot opt source destination 
[root@fedora29 ~]# ping 10.0.3.1
PING 10.0.3.1 (10.0.3.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 10.0.3.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 23ms
[root@fedora29 ~]# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
answered Feb 21, 2019 at 7:41
1
  • Without knowing the content of /etc/network/iptables this is not really helpful. Let alone that it is not an answer but should have been an edit of your question... Commented May 29, 2023 at 17:06

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.