LXC and Shorewall

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2020/02/16


Background

LXC (http://lxc.sourceforge.net/) is a set of user-space tools for managing the container capabilities that have been in the Linux Kernel since 2.6.27.

This short article describes how I've implemented LXC here at shorewall.net, with emphasis on the networking and firewall aspects.

Overview of a Working Configuration

The following diagram shows the network at shorewall.net in the spring of 2011.

As shown in that diagram, the LXC containers are bridged to br0. Here are the relevant configuration entries.

/etc/network/interfaces:

#
# LXC bridge
#
auto br0
iface br0 inet static
      bridge_ports none
      bridge_fd 0
      address 70.90.191.121
      broadcast 0.0.0.0
      netmask 255.255.255.255
      post-up ip route add 70.90.191.124/31 dev br0

iface br0 inet6 static
      address 2001:470:b:227::41
      netmask 124

/etc/lxc/mail.conf

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

lxc.network.ipv4=70.90.191.124/29
lxc.network.ipv6=2001:470:b:227::42/124

…

/etc/lxc/server.conf

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

lxc.network.ipv4=70.90.191.125/29
lxc.network.ipv6=2001:470:b:227::43/124

…

Note that I have subnetted 2001:470:b:227::/64 with a /124 (2001:470:b:227::40/124) assigned to the bridge. To make those addresses accessible from the LOC zone, the following entries are required in /etc/shorewall6/proxyndp:

#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
2001:470:b:227::41	-		eth1		Yes		Yes
2001:470:b:227::42	-		eth1		Yes		Yes
2001:470:b:227::43	-		eth1		Yes		Yes

The entries in the LXC .conf files are expected to configure eth0 in the LXC containers; they do, sort of. In both of the containers, no ipv6 default route was assigned. I corrected that by adding this entry in /etc/sysctl.conf in both containers:

net.ipv6.conf.all.forwarding=0

I then added this stanza to /etc/radvd.conf on the host:

interface br0{
	AdvSendAdvert on;
	MinRtrAdvInterval 300;
	MaxRtrAdvInterval 505;
	AdvDefaultLifetime 9000;

	route ::/0 {
		AdvRouteLifetime infinity;
	};
};

Curiosly, LXC gives container mail's eth0 this somewhat odd configuration, and fails to add a default ipv4 route:

14: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 4e:56:66:11:3c:6b brd ff:ff:ff:ff:ff:ff
    inet 70.90.191.124/29 brd 70.90.191.120 scope global eth0
    inet6 2001:470:b:227::42/124 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::4c56:66ff:fe11:3c6b/64 scope link 
       valid_lft forever preferred_lft forever

So in that container's /etc/rc.local, I also have:

ip route add default via 70.90.191.121

With the exception of the entries in /etc/shorewall6/proxyndp. the Shorewall and Shorewall6 configurations are fairly conventional three-interface setups. In both configurations, the interfaces file entry for br0 has the routeback option specified.

Documentation


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page