
I have two interfaces: eth0 (public address) and lxcbr0 with 10.0.3.1.
I have an LXC guest running with IP 10.0.3.10.

This is my firehol config:

```
version 5

trusted_ips=`/usr/local/bin/strip_comments /etc/firehol/trusted_ips`
trusted_servers=`/usr/local/bin/strip_comments /etc/firehol/trusted_servers`

blacklist full `/usr/local/bin/strip_comments /etc/firehol/blacklist`

interface lxcbr0 virtual
    policy return
    server "dhcp dns" accept

router virtual2internet inface lxcbr0 outface eth0
    masquerade
    route all accept

interface any world
    protection strong

    # Outgoing, these protocols are allowed to everywhere
    client "smtp pop3 dns ntp mysql icmp" accept

    # These (incoming) services are available to everyone
    server "http https smtp ftp imap imaps pop3 pop3s passiveftp" accept

    # Outgoing, these protocols are only allowed to known servers
    client "http https webcache ftp ssh pyzor razor" accept dst "${trusted_servers}"
```

On my host I can connect only to "trusted servers" on port 80. In my guest I can connect to port 80 on every host. I assumed that firehol would block that.

Is there something I can add/change so that my guest(s) inherit the rules of the eth0 interface?

– Leon

1 Answer

You want to turn on the net.bridge.bridge-nf-call-iptables sysctl, which will run bridged packets through iptables before passing them on. You may need to set up separate rules, depending on how your bridge is set up, but you definitely can filter packets through a bridge using iptables if you turn on that sysctl.

– womble
  • `root@silke:~# sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-iptables = 1` I can change `route all accept` to `route "http smtp" accept` but it would be nice if the rules of the eth0 interface could be used somehow. – Leon Jul 07 '12 at 21:31
  • Well, crack open the kernel source and go for your life. – womble Jul 08 '12 at 03:53
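As an added example (not code from the question, the answer, or the FireHOL project), the script below does two things a defender would want here: it checks whether the bridge-nf-call-iptables sysctl from the answer is actually in effect (taking a procfs root as a parameter so it can be exercised against a constructed directory), and it emits a replacement for the `route all accept` router stanza that mirrors the eth0 client restrictions for the guest, building on the `route "http smtp" accept` idea from the comment. The service lists and the `${trusted_servers}` variable are taken from the question's config; the split into "everywhere" and "trusted servers only" is my assumption about what "inherit the eth0 rules" should mean.

```shell
#!/bin/sh
# Added example. Relative path of the sysctl under <procfs-root>/sys.
BRIDGE_NF="net/bridge/bridge-nf-call-iptables"

# bridge_nf_state <procfs-root>
# Prints "enabled", "disabled" or "missing" and returns 0/1/2.
# "missing" means the sysctl does not exist at all; on kernels newer
# than 3.18 that indicates the br_netfilter module is not loaded, so
# bridged frames bypass iptables regardless of any sysctl.conf entry.
bridge_nf_state() {
    f="$1/sys/$BRIDGE_NF"
    if [ ! -r "$f" ]; then
        echo missing
        return 2
    fi
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# guest_router_stanza
# Emits a FireHOL router block to replace "route all accept". In a
# router, "route" matches both directions, so the guest gets the same
# two-tier outbound policy the host has on eth0: a few protocols to
# anywhere, the rest only to hosts listed in ${trusted_servers}.
# Everything not listed is dropped by the router's default policy.
guest_router_stanza() {
    cat <<'EOF'
router virtual2internet inface lxcbr0 outface eth0
    masquerade
    route "smtp pop3 dns ntp mysql icmp" accept
    route "http https webcache ftp ssh pyzor razor" accept dst "${trusted_servers}"
EOF
}

# Stand-alone run: report the live kernel state and print the stanza.
echo "bridge-nf-call-iptables on this host: $(bridge_nf_state /)"
guest_router_stanza
```

Run `firehol try` after editing the config so a mistake in the stanza is rolled back automatically if you lose the connection.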