How to disable firewall and NAT rules on the LXD bridge

I followed your Ubuntu LXD tutorial, and I noticed LXD automatically created firewall and NAT rules. Is there any way to disable this feature? I want to manage a firewall using custom rule sets. How can I disable firewall and NAT rules on the LXD bridge under Linux?

Yes, we can maintain our own firewall rules on the LXD bridge. By default, when LXD is installed on Ubuntu or other Linux distros such as CentOS, it creates a managed bridge called lxdbr0 with its own private subnet. LXD runs dnsmasq on that bridge to hand out addresses and answer DNS, and it adds firewall rules so that traffic from containers is masqueraded (NAT) behind the host. That is how a container shares the host's Internet connection; without lxdbr0, or another bridge you set up yourself, a container has no path to the host network or the Internet at all. Both the NAT rule and the filtering rules are generated per network, so we can switch the generation off and manage the rules ourselves.
Tutorial details
Difficulty Advanced
Root privileges Yes
Requirements Linux with LXD
Time 2m


How to manage firewall rules on the LXD bridge named lxdbr0

We can list the NAT rules in the POSTROUTING chain, which is where LXD puts its masquerade rule, as follows:
$ sudo /sbin/iptables -t nat -L POSTROUTING
## IPv6 rules ##
$ sudo /sbin/ip6tables -t nat -L POSTROUTING

Another option is to dump the rules in iptables-save syntax, which also shows the comment LXD attaches to every rule it generates:
$ sudo /sbin/iptables -t nat -S
## IPv6 rules ##
$ sudo /sbin/ip6tables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N LIBVIRT_PRT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

The rule “-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE” is the one LXD generated: it masquerades traffic that leaves the container subnet for any other destination, and the comment string tags it as LXD's. The LIBVIRT_PRT chain belongs to libvirt's virbr0 bridge (KVM) and has nothing to do with LXD.

Finding out LXD network settings

Let us see the LXD network list:
$ lxc network list
We get the following interfaces on Linux:

+-----------+----------+---------+----------------+---------------------------+-------------+---------+
|   NAME    |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| enp0s31f6 | physical | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0    | bridge   | YES     | 10.83.200.1/24 | fd42:87d0:ec52:7d50::1/64 |             | 25      |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| virbr0    | bridge   | NO      |                |                           |             | 0       |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+

Next, let us look at the firewall and NAT settings of the lxdbr0 bridge. Run:
$ lxc network show lxdbr0
Outputs:

config:
  ipv4.address: 10.83.200.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:87d0:ec52:7d50::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/alpine
- /1.0/instances/arch
- /1.0/instances/c1
- /1.0/instances/centos-6
...
..
....
- /1.0/instances/ubuntu-20-4
- /1.0/instances/ubuntunginx-test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

Another way to find out about the NAT and firewall settings on the LXD bridge is to read the keys one at a time (an empty result means the key has never been set and the default, true, applies):
$ lxc network get lxdbr0 ipv4.nat
$ lxc network get lxdbr0 ipv4.firewall

Disabling firewall and NAT rules on the LXD bridge

Here is how to turn off firewall and NAT rule generation for the lxdbr0 bridge. Run:
$ lxc network set lxdbr0 ipv4.firewall false
$ lxc network set lxdbr0 ipv4.nat false
## IPv6 settings ##
$ lxc network set lxdbr0 ipv6.firewall false
$ lxc network set lxdbr0 ipv6.nat false

Where:

  • ipv4.firewall : Whether to generate filtering firewall rules for this network.
  • ipv4.nat : Decides whether to NAT (will default to true if unset and a random ipv4.address is generated)
  • ipv6.firewall : Whether to generate filtering firewall rules for this network
  • ipv6.nat : Decides whether to NAT (will default to true if unset and a random ipv6.address is generated)

As soon as you enter the above commands, LXD removes the rules it generated for lxdbr0: the MASQUERADE rule, and the filtering rules that admit DHCP and DNS requests from the bridge to LXD's dnsmasq and allow forwarding through the bridge. Nothing replaces them. Until you add your own rules, containers on lxdbr0 cannot reach the Internet, and on a host whose INPUT or FORWARD policy is DROP they will also stop receiving DHCP leases and DNS answers. Now you can set up your own NAT and firewall rules on Linux to manage lxdbr0. Verify that LXD's rules are gone with the grep command (it matches the "generated for LXD network" comment and should print nothing), and test connectivity with the ping command from a container (expect it to fail until your own NAT rule is in place):
$ lxc exec fedora-32 -- ping -c1 8.8.8.8
$ sudo /sbin/iptables -S -t nat | grep LXD
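The following helper script is an added example for this tutorial; it is not code from the original page or from the LXD project. It covers the two steps above: finding any LXD-tagged rules that remain after disabling generation (run against the tutorial's own `iptables -S -t nat` listing, embedded as a constructed sample), and producing the replacement rules you now have to supply yourself. The replacement set, the function names and the `custom rules for <bridge>` comment are all assumptions: the rules are modelled on what LXD's own rules cover (DHCP and DNS into the bridge, forwarding, masquerade for the subnet), with inbound forwarding tightened to established flows so that nothing from outside can open connections to containers unless you add a DNAT rule for it. The `cidr_network` helper converts the gateway address that `lxc network get lxdbr0 ipv4.address` prints (10.83.200.1/24) into the network MASQUERADE needs (10.83.200.0/24), for any prefix length.

```shell
#!/bin/sh
# Added example for this tutorial (not code from the original page or from the
# LXD project). Once ipv4.firewall and ipv4.nat are set to false, LXD no longer
# maintains any iptables rules for lxdbr0, so this helper (1) finds whatever
# LXD-tagged rules remain, (2) derives the network from the gateway address that
# `lxc network get lxdbr0 ipv4.address` prints, and (3) emits a replacement rule
# set. The replacement set is an assumption modelled on what LXD's own rules
# cover (DHCP and DNS into the bridge, forwarding, masquerade), with inbound
# forwarding tightened to established flows; adapt it to your policy.
set -eu

LXD_TAG='generated for LXD network'   # comment LXD attaches to its own rules

# Print the LXD-generated rules found in `iptables -S` output read from stdin.
# Returns 0 if any were found, 1 if none (usable as a check after disabling).
lxd_generated_rules() {
    grep -F -- "$LXD_TAG" || return 1
}

# Convert GATEWAY/PREFIX (e.g. 10.83.200.1/24, as printed by lxc) into the
# network in CIDR form (10.83.200.0/24), which is what MASQUERADE needs.
cidr_network() {
    local addr plen o1 o2 o3 o4 ip mask net
    addr=${1%/*} plen=${1#*/}
    IFS=. read -r o1 o2 o3 o4 <<EOF
$addr
EOF
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# Emit, one per line, the iptables commands that replace LXD's rules for
# BRIDGE (e.g. lxdbr0) and NETWORK (e.g. 10.83.200.0/24). Every rule carries
# a comment so it can be found and removed later, just like LXD's rules.
replacement_rules() {
    local bridge subnet tag
    bridge=$1 subnet=$2 tag="custom rules for $1"
    cat <<EOF
iptables -A INPUT -i $bridge -p udp --dport 67 -m comment --comment "$tag" -j ACCEPT
iptables -A INPUT -i $bridge -p udp --dport 53 -m comment --comment "$tag" -j ACCEPT
iptables -A INPUT -i $bridge -p tcp --dport 53 -m comment --comment "$tag" -j ACCEPT
iptables -A FORWARD -i $bridge -m comment --comment "$tag" -j ACCEPT
iptables -A FORWARD -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "$tag" -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -m comment --comment "$tag" -j MASQUERADE
EOF
}

# Constructed sample of `iptables -S -t nat` output (copied from the listing in
# this tutorial) so the check can be exercised without root or iptables.
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-N LIBVIRT_PRT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'

main() {
    case ${1:-} in
        rules) replacement_rules "$2" "$(cidr_network "$3")" ;;
        apply) replacement_rules "$2" "$(cidr_network "$3")" | sh -e ;;
        check) { iptables -S; iptables -S -t nat; iptables -S -t mangle; } \
                   | lxd_generated_rules && echo 'LXD rules still present' \
                   || echo 'no LXD-generated rules found' ;;
        demo)  printf '%s\n' "$SAMPLE_NAT_RULES" | lxd_generated_rules ;;
        *)     echo "usage: $0 rules|apply BRIDGE GATEWAY/PREFIX | check | demo" >&2
               return 2 ;;
    esac
}

# With no arguments only the functions are defined, so the file can be sourced.
[ $# -eq 0 ] || main "$@"
```

Preview the rules with `sh lxd-bridge-fw.sh rules lxdbr0 "$(lxc network get lxdbr0 ipv4.address)"`, install them as root with `apply`, and run `check` afterwards to confirm that no rule tagged by LXD is left in the filter, nat or mangle tables. The script covers IPv4 only; after `ipv6.firewall false` and `ipv6.nat false` the same rules are needed in ip6tables (with DHCPv6 on udp/547 if you rely on it). If the host already runs ufw or firewalld, put the equivalent rules there instead of appending raw iptables rules, and on hosts where LXD uses its nftables backend its rules live in the `inet lxd` table (`nft list table inet lxd`) rather than in iptables, so adjust the check accordingly.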


Conclusion

In this quick tutorial, we learned about the NAT and firewall rules LXD generates by default for its bridge and how to disable them so that the rules can be managed with a custom rule set on the Linux system. See the LXD networking documentation for all network configuration keys.

This entry is 18 of 19 in the LXD Tutorial series. Keep reading the rest of the series:
  1. Install LXD container hypervisor on Ubuntu 16.04 LTS
  2. How to install and setup LXC (Linux Container) on Fedora Linux 26
  3. Set up LXD container under KVM or Xen virtual machine
  4. List VM images in LXD (Linux Containers)
  5. Upgrade LXD containers powered by Ubuntu/Debian or CentOS Linux
  6. Auto start LXD containers at boot time in Linux
  7. Command to rename LXD / LXC container
  8. Run commands on Linux Container (LXD) instance at provision launch time
  9. Use LXD (Linux containers) in a shell script to create VM when the cloud instance launches
  10. Move/migrate LXD VM to another host on Linux
  11. Fedora install and set up LXD
  12. CentOS 7.x install and set up LXD server
  13. Install LXD pure-container hypervisor on Ubuntu 18.04 LTS
  14. Create snapshots with lxc command for LXD
  15. Set up and install LXD on CentOS/RHEL 8
  16. Ubuntu 20.04 LTS install and set up LXD
  17. Full backup and restore LXD containers
  18. Disable firewall and NAT rules on the LXD bridge
  19. Delete or remove LXD container using the lxc
