How to disable firewall and NAT rules on the LXD bridge

I followed your Ubuntu LXD tutorial, and I noticed LXD automatically created firewall and NAT rules. Is there any way to disable this feature? I want to manage a firewall using custom rule sets. How can I disable firewall and NAT rules on the LXD bridge under Linux?

Yes, you can maintain your own firewall rules on the LXD bridge. By default, when LXD is installed on Ubuntu or another Linux distro such as CentOS, it creates a new bridge called lxdbr0. The lxdbr0 bridge, together with the NAT rule LXD generates for it, is a convenient way to share the host's Internet connection with containers; without lxdbr0 you will not be able to reach the Internet from inside a Linux container, nor reach the container from outside. However, this default behavior can be disabled if required.
Tutorial details
Difficulty level: Advanced
Root privileges: Yes
Requirements: Linux with LXD
Est. reading time: 2m

How to manage firewall rules on the LXD bridge named lxdbr0

We can list the default iptables NAT rules as follows:
$ sudo /sbin/iptables -t nat -L POSTROUTING
## IPv6 rules ##
$ sudo /sbin/ip6tables -t nat -L POSTROUTING

Another option is to print the rules in command form with the -S option:
$ sudo /sbin/ip6tables -t nat -S
$ sudo /sbin/iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N LIBVIRT_PRT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

The rule “-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE” is the one LXD auto-generated: it masquerades traffic from the 10.83.200.0/24 container subnet to any destination outside that subnet. The LIBVIRT_PRT chain and the 192.168.122.0/24 rules belong to libvirt's virbr0 network, not to LXD.

Finding out LXD network settings

Let us see the LXD network list:
$ lxc network list
We get the following interfaces on Linux:

+-----------+----------+---------+----------------+---------------------------+-------------+---------+
|   NAME    |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| enp0s31f6 | physical | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0    | bridge   | YES     | 10.83.200.1/24 | fd42:87d0:ec52:7d50::1/64 |             | 25      |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| virbr0    | bridge   | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+

Next, to find out the firewall and NAT settings of the bridge, run:
$ lxc network show lxdbr0
Outputs:

config:
  ipv4.address: 10.83.200.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:87d0:ec52:7d50::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/alpine
- /1.0/instances/arch
- /1.0/instances/c1
- /1.0/instances/centos-6
...
..
....
- /1.0/instances/ubuntu-20-4
- /1.0/instances/ubuntunginx-test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

Another option to find out the NAT and firewall settings on the LXD bridge is to query the individual keys:
$ lxc network get lxdbr0 ipv4.nat
$ lxc network get lxdbr0 ipv4.firewall

Disabling firewall and NAT rules on the LXD bridge

Here is how we can disable the firewall and NAT settings on the lxdbr0 bridge. Run:
$ lxc network set lxdbr0 ipv4.firewall false
$ lxc network set lxdbr0 ipv4.nat false
## IPv6 settings ##
$ lxc network set lxdbr0 ipv6.firewall false
$ lxc network set lxdbr0 ipv6.nat false

Where:

  • ipv4.firewall : Whether to generate filtering firewall rules for this network.
  • ipv4.nat : Whether to NAT (defaults to true if unset and a random ipv4.address is generated).
  • ipv6.firewall : Whether to generate filtering firewall rules for this network.
  • ipv6.nat : Whether to NAT (defaults to true if unset and a random ipv6.address is generated).

As soon as you enter the above commands, LXD removes its NAT and firewall rules. You can now set up your own NAT and firewall rules on Linux to manage lxdbr0. We can verify this using the ping command and the grep command: the grep should print nothing, and until you add a NAT rule of your own the ping from the container will get no reply. Note that with ipv4.firewall disabled, LXD no longer adds FORWARD rules either, so if your host's FORWARD chain policy is DROP (for example, when Docker is installed) you must also add your own forwarding rules:
$ lxc exec fedora-32 -- ping -c1 8.8.8.8
$ sudo /sbin/iptables -S -t nat | grep LXD
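The following script is an added example, not part of the original article, that ties together the two steps described above: it identifies LXD's auto-generated rules in an iptables -S dump (the "generated for LXD network" comment seen in the listing earlier), and it prints or applies an explicit IPv4 replacement rule set once LXD's own NAT and firewall rules are turned off. The bridge name and subnet are taken from the article's output; the uplink interface enp0s31f6 is assumed to be the host's Internet-facing interface, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the workflow above
# (find LXD's auto-generated rules, disable them, apply an explicit replacement).
# BRIDGE/SUBNET come from the article's output; UPLINK is an assumed uplink interface name.
BRIDGE="${BRIDGE:-lxdbr0}"
SUBNET="${SUBNET:-10.83.200.0/24}"
UPLINK="${UPLINK:-enp0s31f6}"

# Print only the rules LXD generated from an `iptables -S` dump read on stdin.
# LXD tags each of its rules with the comment "generated for LXD network <bridge>".
lxd_generated_rules() {
    grep -F -- "generated for LXD network $BRIDGE"
}

# Count LXD-generated rules in a dump on stdin; 0 means LXD no longer manages the bridge's NAT.
count_lxd_rules() {
    lxd_generated_rules | wc -l | tr -d ' '
}

# Explicit IPv4 replacement for what LXD removed: masquerade container traffic leaving via
# the uplink, allow replies back, allow container -> uplink, and drop other forwarded bridge traffic.
custom_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $SUBNET ! -d $SUBNET -o $UPLINK -j MASQUERADE
iptables -A FORWARD -i $BRIDGE -o $UPLINK -s $SUBNET -j ACCEPT
iptables -A FORWARD -i $UPLINK -o $BRIDGE -d $SUBNET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $BRIDGE -j DROP
EOF
}

# Turn off LXD's automatic IPv4 rules (the commands from the article), then apply ours. Needs root.
apply_custom_rules() {
    lxc network set "$BRIDGE" ipv4.firewall false
    lxc network set "$BRIDGE" ipv4.nat false
    custom_rules | while read -r cmd; do eval "$cmd"; done
}

# Constructed sample in the shape of the `iptables -t nat -S` output above, for an offline check.
SAMPLE_DUMP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT'
sample_lxd_rule_count() { printf '%s\n' "$SAMPLE_DUMP" | count_lxd_rules; }

if [ "${1:-}" = "apply" ]; then
    apply_custom_rules
else
    echo "LXD-generated rules in sample dump: $(sample_lxd_rule_count)"   # 1
    echo "Replacement rule set:"; custom_rules
fi
```

Run it without arguments to review the rule set, or feed a live dump with `sudo iptables -t nat -S | count_lxd_rules` after sourcing the file; `sh script.sh apply` performs the change and needs root.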

Conclusion

In this quick tutorial, we learned about the default NAT and firewall option set for the LXD bridge and how to disable those for advanced customization on the Linux system. See this online documentation for all LXD networking settings.
