How to disable firewall and NAT rules on the LXD bridge

I followed your Ubuntu LXD tutorial, and I noticed LXD automatically created firewall and NAT rules. Is there any way to disable this feature? I want to manage a firewall using custom rule sets. How can I disable firewall and NAT rules on the LXD bridge under Linux?

We can unquestionably maintain firewall rules on the LXD bridge. By default, when LXD is installed on Ubuntu or other Linux distros such as CentOS, it creates a new bridge called lxdbr0. So lxdbr0 network bridge is a handy way for sharing your internet connection between the host and container. Without lxdbr0 you will not be able to access the Internet from outside or inside a Linux container. However, we can disable this default behavior if required.

Tutorial details
Difficulty	Advanced (rss)
Root privileges	Yes
Requirements	Linux with LXD
Time	2m

How to manage firewall rules on the LXD bridge named lxdbr0

We can list default iptables NAT rule as follows:
$ sudo /sbin/iptables -t nat -L POSTROUTING
## IPv6 rules ##
$ sudo /sbin/ip6tables -t nat -L POSTROUTING

Another option is as follows:
$ sudo /sbin/ip6tables -t nat -S
$ sudo /sbin/iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N LIBVIRT_PRT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

The “-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE” is auto-generated rule.

Finding out lxd network settings

Let us see the LXD network list:
$ lxc network list
We get the following interfaces on Linux:

+-----------+----------+---------+----------------+---------------------------+-------------+---------+
|   NAME    |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| enp0s31f6 | physical | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0    | bridge   | YES     | 10.83.200.1/24 | fd42:87d0:ec52:7d50::1/64 |             | 25      |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| virbr0    | bridge   | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+

Next, I am going to find out about firewall and nat settings, run:
$ lxc network show lxdbr0
Outputs:

config:
  ipv4.address: 10.83.200.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:87d0:ec52:7d50::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/alpine
- /1.0/instances/arch
- /1.0/instances/c1
- /1.0/instances/centos-6
...
..
....
- /1.0/instances/ubuntu-20-4
- /1.0/instances/ubuntunginx-test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

Another option is to find about NAT and firewall settings on the LXD bridge is as follows:
$ lxc network get lxdbr0 ipv4.nat
$ lxc network get lxdbr0 ipv4.firewall

Disabling firewall and NAT rules on the LXD bridge

Here is how we can disable firewall and nat settings on lxdbr0 bridge. Run:
$ lxc network set lxdbr0 ipv4.firewall false
$ lxc network set lxdbr0 ipv4.nat false
## IPv6 settings ##
$ lxc network set lxdbr0 ipv6.firewall false
$ lxc network set lxdbr0 ipv6.nat false

Where:

• ipv4.firewall : Whether to generate filtering firewall rules for this network.
• ipv4.nat : Decides whether to NAT (will default to true if unset and a random ipv4.address is generated)
• ipv6.firewall : Whether to generate filtering firewall rules for this network
• ipv6.nat : Decides whether to NAT (will default to true if unset and a random ipv6.address is generated)

As soon as you enter the above commands, LXD will remove NAT and firewall rules. Now you can set up your own NAT and firewall rules on Linux to manage lxdbr0. We can verify this using the grep command and ping command:
$ lxc exec fedora-32 -- ping -c1 8.8.8.8
$ sudo /sbin/iptables -S -t nat | grep LXD

Conclusion

In this quick tutorial, we learned about the default NAT and firewall option set for the LXD bridge and how to disable those for advanced customization on the Linux system. See this online documentation for all LXD networking settings.

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04