We can maintain our own firewall rules on the LXD bridge. By default, when LXD is installed on Ubuntu or another Linux distro such as CentOS, it creates a new bridge called lxdbr0. The lxdbr0 network bridge is a handy way of sharing your Internet connection between the host and its containers: without it, a Linux container has no route to the Internet and nothing outside can reach it. LXD also generates NAT and firewall rules for this bridge automatically, and we can disable that default behavior if required and manage the rules ourselves.
Tutorial details | |
---|---|
Difficulty | Advanced |
Root privileges | Yes |
Requirements | Linux with LXD |
Time | 2m |
How to manage firewall rules on the LXD bridge named lxdbr0
We can list default iptables NAT rule as follows:
$ sudo /sbin/iptables -t nat -L POSTROUTING
## IPv6 rules ##
$ sudo /sbin/ip6tables -t nat -L POSTROUTING
Another option is as follows:
$ sudo /sbin/ip6tables -t nat -S
$ sudo /sbin/iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N LIBVIRT_PRT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
The “-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE” line is the rule that LXD generates automatically: it masquerades traffic from the container subnet that is not destined for the container subnet itself. The LIBVIRT_PRT chain belongs to libvirt's virbr0 bridge and is unrelated to LXD.
Finding out LXD network settings
Let us see the LXD network list:
$ lxc network list
We get the following interfaces on Linux:
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| NAME | TYPE | MANAGED | IPV4 | IPV6 | DESCRIPTION | USED BY |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| enp0s31f6 | physical | NO | | | | 0 |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0 | bridge | YES | 10.83.200.1/24 | fd42:87d0:ec52:7d50::1/64 | | 25 |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
| virbr0 | bridge | NO | | | | 0 |
+-----------+----------+---------+----------------+---------------------------+-------------+---------+
Next, to find out about the firewall and NAT settings for the bridge, run:
$ lxc network show lxdbr0
Outputs:
config:
  ipv4.address: 10.83.200.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:87d0:ec52:7d50::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/alpine
- /1.0/instances/arch
- /1.0/instances/c1
- /1.0/instances/centos-6
... .. ....
- /1.0/instances/ubuntu-20-4
- /1.0/instances/ubuntunginx-test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
Another way to query the NAT and firewall settings of the LXD bridge is to read the individual keys:
$ lxc network get lxdbr0 ipv4.nat
$ lxc network get lxdbr0 ipv4.firewall
Disabling firewall and NAT rules on the LXD bridge
Here is how we can disable the firewall and NAT rules on the lxdbr0 bridge. Run:
$ lxc network set lxdbr0 ipv4.firewall false
$ lxc network set lxdbr0 ipv4.nat false
## IPv6 settings ##
$ lxc network set lxdbr0 ipv6.firewall false
$ lxc network set lxdbr0 ipv6.nat false
Where:
- ipv4.firewall : Whether to generate filtering firewall rules for this network.
- ipv4.nat : Decides whether to NAT (will default to true if unset and a random ipv4.address is generated).
- ipv6.firewall : Whether to generate filtering firewall rules for this network.
- ipv6.nat : Decides whether to NAT (will default to true if unset and a random ipv6.address is generated).
As soon as you enter the above commands, LXD removes its NAT and firewall rules. From this point on, you are responsible for the NAT and firewall rules that manage lxdbr0 on the Linux host. We can verify the change using the ping command from inside a container and the grep command on the host: the grep should no longer print any LXD-generated rule, and the ping from the container will fail until you add a NAT rule of your own:
$ lxc exec fedora-32 -- ping -c1 8.8.8.8
$ sudo /sbin/iptables -S -t nat | grep LXD
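The following is an added example, not code from the original tutorial or from the LXD project. It ties together the two checks above: it reads `iptables -t nat -S` output and counts rules that still carry LXD's "generated for LXD network lxdbr0" comment (the rule shown in the listing earlier), and it prints a minimal, reviewable replacement ruleset to apply once LXD's own rules are disabled. It assumes the subnet shown in the tutorial (10.83.200.0/24) and that the Internet-facing host NIC is enp0s31f6, the physical interface from the `lxc network list` output; both are overridable through environment variables. The sample iptables output embedded below is constructed from the listing on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from LXD): after
#   lxc network set lxdbr0 ipv4.firewall false
#   lxc network set lxdbr0 ipv4.nat false
# LXD no longer maintains any rules for the bridge, so (1) confirm that the
# auto-generated MASQUERADE rule is really gone and (2) emit an explicit
# replacement ruleset that can be reviewed before it is applied.

BRIDGE="${BRIDGE:-lxdbr0}"
SUBNET="${SUBNET:-10.83.200.0/24}"   # from: lxc network get lxdbr0 ipv4.address
UPLINK="${UPLINK:-enp0s31f6}"        # assumed Internet-facing NIC; adjust for your host

# Reads `iptables -t nat -S` output on stdin and prints how many rules still
# carry LXD's "generated for LXD network <bridge>" comment. 0 means LXD's NAT
# rule is gone, which is what you expect after ipv4.nat has been set to false.
lxd_generated_rule_count() {
    grep -c -- "generated for LXD network ${BRIDGE}" || true
}

# Prints (does not run) a minimal replacement ruleset for the bridge:
#  - masquerade container traffic leaving via the uplink, never bridge-local traffic
#  - forward outbound container traffic, and only reply traffic back in
#  - let containers reach the host's dnsmasq on the bridge (DNS 53, DHCP 67),
#    which LXD's own firewall rules allowed before ipv4.firewall was set to false
# Review the output first, then apply with:  lxd_replacement_rules | sudo sh
lxd_replacement_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s ${SUBNET} ! -d ${SUBNET} -o ${UPLINK} -m comment --comment "manual NAT for ${BRIDGE}" -j MASQUERADE
iptables -A FORWARD -i ${BRIDGE} -o ${UPLINK} -s ${SUBNET} -m comment --comment "manual forward for ${BRIDGE}" -j ACCEPT
iptables -A FORWARD -i ${UPLINK} -o ${BRIDGE} -d ${SUBNET} -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "manual forward for ${BRIDGE}" -j ACCEPT
iptables -A INPUT -i ${BRIDGE} -p udp -m multiport --dports 53,67 -m comment --comment "manual dnsmasq access for ${BRIDGE}" -j ACCEPT
iptables -A INPUT -i ${BRIDGE} -p tcp --dport 53 -m comment --comment "manual dnsmasq access for ${BRIDGE}" -j ACCEPT
EOF
}

# Constructed sample of `iptables -t nat -S` output, as the tutorial shows it
# before the LXD rules are disabled (the LIBVIRT_PRT chain is unrelated to LXD).
SAMPLE_NAT_BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.83.200.0/24 ! -d 10.83.200.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT'

# Constructed sample of the same output after `lxc network set lxdbr0 ipv4.nat false`.
SAMPLE_NAT_AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -j LIBVIRT_PRT'

echo "LXD-generated NAT rules before: $(printf '%s\n' "$SAMPLE_NAT_BEFORE" | lxd_generated_rule_count)"   # 1
echo "LXD-generated NAT rules after:  $(printf '%s\n' "$SAMPLE_NAT_AFTER" | lxd_generated_rule_count)"    # 0
echo "Replacement rules to review:"
lxd_replacement_rules
```

On a live host, feed the real listing in with `sudo iptables -t nat -S | lxd_generated_rule_count`. The replacement rules are deliberately narrower than a blanket MASQUERADE: they bind NAT to the uplink interface, only accept reply traffic back into the bridge, and open the host only for the bridge's own DNS and DHCP service. The same approach applies to IPv6 with ip6tables and the fd42:87d0:ec52:7d50::/64 prefix from the `lxc network show` output, after ipv6.firewall and ipv6.nat have been set to false.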
Conclusion
In this quick tutorial, we learned about the default NAT and firewall options set for the LXD bridge and how to disable them for advanced customization on a Linux system. See this online documentation for all LXD networking settings.