IPTABLES not implemented after lxd init #65

Open
yalh76 opened this issue Jan 19, 2023 · 2 comments

Comments

yalh76 (Member) commented Jan 19, 2023

Describe the bug

After lxd init on a Bullseye system, the iptables rules are not created. @Kayou proposed a solution.
Not sure if it's still the case.


```bash
#!/bin/bash
# Re-adds the rules LXD normally installs for lxdbr0 (ICMP errors, DNS and DHCP
# to the host, forwarding for the containers). -w waits for the xtables lock
# instead of failing if another process holds it.

iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 12 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 11 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 3 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

iptables -w -A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 12 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 11 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 3 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

# The masquerade rule lives in the nat table and the DHCP checksum rule in the
# mangle table; the filter table has no POSTROUTING chain, so without -t these
# two commands fail. Replace __LXDBR0_NETWORK_ADDRESS__ with the first three
# octets of the bridge network.
iptables -w -t nat -A POSTROUTING -s __LXDBR0_NETWORK_ADDRESS__.0/24 ! -d __LXDBR0_NETWORK_ADDRESS__.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
iptables -w -t mangle -A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill

exit 0
```

kay0u (Member) commented Jan 27, 2023

Yes, I still have this file in /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom and it works.

Another solution is to run systemctl restart lxd.service when yunohost-firewall restarts (replace all the iptables lines with this command in /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom). But I don't think it's something we want, because there would be downtime on every container.
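As an added example (not the project's hook and not code posted by either commenter), here is an idempotent variant of the 95-lxd-custom hook. The rules are the ones from the issue, but each one is only appended when `iptables -C` reports it absent, so running the hook on every firewall reload does not pile up duplicate rules, and the two POSTROUTING rules are installed in the nat and mangle tables where they belong. The environment names LXD_BRIDGE, LXD_SUBNET and IPTABLES are assumptions of this example, not anything YunoHost or LXD defines.

```shell
#!/bin/sh
# Added example (not YunoHost's or LXD's own code): an idempotent version of the
# post_iptable_rules hook that re-creates the lxdbr0 rules every time
# yunohost-firewall rewrites iptables, without duplicating rules that already exist.
# Assumptions, not taken from the issue: the bridge name comes from LXD_BRIDGE,
# the container subnet from LXD_SUBNET (e.g. 10.42.0.0/24), and IPTABLES can be
# pointed at a stub for a dry run.
set -u

BRIDGE="${LXD_BRIDGE:-lxdbr0}"
IPTABLES="${IPTABLES:-iptables}"
COMMENT="generated for LXD network $BRIDGE"

# Print the rule set, one rule per line as "<table> <chain> <matches> -j <target>".
# No side effects, so the list can be reviewed or tested on its own.
lxd_rules() {
    subnet="$1"
    for t in 12 11 3; do  # ICMP parameter problem, time exceeded, unreachable
        echo "filter INPUT -i $BRIDGE -p icmp -m icmp --icmp-type $t -j ACCEPT"
        echo "filter OUTPUT -o $BRIDGE -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    # DNS and DHCP served by LXD's dnsmasq on the bridge
    echo "filter INPUT -i $BRIDGE -p tcp -m tcp --dport 53 -j ACCEPT"
    echo "filter INPUT -i $BRIDGE -p udp -m udp --dport 53 -j ACCEPT"
    echo "filter INPUT -i $BRIDGE -p udp -m udp --dport 67 -j ACCEPT"
    echo "filter OUTPUT -o $BRIDGE -p tcp -m tcp --sport 53 -j ACCEPT"
    echo "filter OUTPUT -o $BRIDGE -p udp -m udp --sport 53 -j ACCEPT"
    echo "filter OUTPUT -o $BRIDGE -p udp -m udp --sport 67 -j ACCEPT"
    # Forwarding in both directions for the containers
    echo "filter FORWARD -o $BRIDGE -j ACCEPT"
    echo "filter FORWARD -i $BRIDGE -j ACCEPT"
    # These two live in the nat and mangle tables; the filter table has no
    # POSTROUTING chain, so they must be installed with the right -t.
    echo "nat POSTROUTING -s $subnet ! -d $subnet -j MASQUERADE"
    echo "mangle POSTROUTING -o $BRIDGE -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill"
}

# Append one rule unless it is already present: iptables -C exits non-zero when
# the exact rule is missing, so repeated hook runs stay free of duplicates.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if ! "$IPTABLES" -w -t "$table" -C "$chain" -m comment --comment "$COMMENT" "$@" 2>/dev/null; then
        "$IPTABLES" -w -t "$table" -A "$chain" -m comment --comment "$COMMENT" "$@"
    fi
}

# Apply every rule for the given subnet. The here-document keeps the loop in the
# current shell (a pipe would fork a subshell), so a stubbed IPTABLES sees it all.
apply_all() {
    while read -r table chain rest; do
        # shellcheck disable=SC2086  # splitting $rest into arguments is intended
        ensure_rule "$table" "$chain" $rest
    done <<EOF
$(lxd_rules "$1")
EOF
}

# Run as the hook: LXD_SUBNET must hold the container network (the issue's script
# used the placeholder __LXDBR0_NETWORK_ADDRESS__.0/24 for it).
if [ -n "${LXD_SUBNET:-}" ]; then
    apply_all "$LXD_SUBNET"
fi
```

To use it as the hook, set LXD_SUBNET at the top of the file (the bridge's own address and prefix length come from `lxc network get lxdbr0 ipv4.address`; the network address is what the masquerade rule needs) and install it as /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom. After a firewall reload, `iptables -t nat -S POSTROUTING` and `iptables -S INPUT` should each show every rule exactly once.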

anmol26s commented Sep 6, 2024

Thanks, it works. @kay0u, your work saves a lot of time.
How can I make it permanent? I will have to run it every time the firewall reloads.
