Re: LXC, networking and firewalling
Hi.
On Thu, May 16, 2019 at 01:28:41PM +1200, Richard Hector wrote:
> Hi all,
<a description of a conventional Linux bridge was here>
> What I think doesn't work so well is attempting to filter traffic either
> between containers,
"modprobe br_netfilter", then it'll be the same netfilter rules.
> or between a container and the host.
Should work with the minimal hassle. A couple of rules in the FORWARD
chain, and that MASQUERADE rule if you need it.
> Also, ISTR people saying iptables shouldn't be used on a bridge at all.
People also say that one should not use iptables at all, because nft.
So what?
> So before I set up my next VPS (and possibly reconfigure my older
> one(s)), is there a better way I should be considering?
It depends. If you need unconditional "container-container" and
"host-container" traffic isolation, you'd probably better use macvlan in
private mode.
If you need something non-trivial - you'd probably better use
openvswitch.
> Do I need to use ebtables on the bridge?
It'll work if you can stomach it. ebtables is very limited compared to
iptables.
> Will that work between containers?
Yep.
> Would I be better off using multiple bridges?
Why? It'll complicate your setup for the marginal gain.
> As an aside, if I get access to VLANs from my provider (I don't think
> I've ever (successfully) configured VLANs on Linux before), I assume I
> can include a VLAN in each bridge, and I guess leave the default one out?
You can bridge a tagged network interface with a non-tagged one, it'll
work.
You can make a bridge on top of non-tagged interfaces, and VLANs on top
of it.
It all really depends on what you're trying to achieve with 802.1q.
Reco
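A concrete version of the br_netfilter plus FORWARD-chain setup the reply sketches, added here as an example and not part of the original thread. The bridge name lxcbr0, the container subnet 10.0.3.0/24 and the uplink eth0 are assumptions; with the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed names:
# bridge lxcbr0, container subnet 10.0.3.0/24, host uplink eth0.
BRIDGE="${BRIDGE:-lxcbr0}"
CT_NET="${CT_NET:-10.0.3.0/24}"
UPLINK="${UPLINK:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: make bridged frames traverse the IP netfilter hooks. Without
# br_netfilter, container-to-container traffic on the same bridge is
# switched at layer 2 and never reaches the FORWARD chain at all.
enable_bridge_netfilter() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Step 2: FORWARD policy. Default deny, allow replies, allow containers
# out via the uplink, drop anything that enters and leaves on the bridge
# (that is the container <-> container case).
container_forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j DROP
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -s "$CT_NET" -j ACCEPT
}

# Step 3: container -> host traffic is addressed to the bridge's own IP,
# so it hits INPUT, not FORWARD. Allow only what the host serves (DNS here).
host_input_rules() {
    run iptables -A INPUT -i "$BRIDGE" -s "$CT_NET" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -s "$CT_NET" -j DROP
}

# Step 4: the MASQUERADE rule from the reply, needed only when containers
# use private addresses behind the host's public one.
masquerade_rule() {
    run iptables -t nat -A POSTROUTING -s "$CT_NET" -o "$UPLINK" -j MASQUERADE
}

apply_all() {
    enable_bridge_netfilter
    container_forward_rules
    host_input_rules
    masquerade_rule
}
```

Run with DRY_RUN=0 as root to apply; the bridge-nf sysctl is not persistent, so put it in /etc/sysctl.d if you rely on it.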