Thanks Fajar. Always appreciate seeing other people’s input on stuff like this.
> On Apr 27, 2017, at 8:25 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
>
> On Fri, Apr 28, 2017 at 1:05 AM, Ron Kelley <rkelley...@gmail.com> wrote:
>> Thanks for the feedback, Spike. After looking around for a while, I, too,
>> decided a small ubuntu container with a minimal firewall tool is the way to
>> go. In my case, I used "ufw" but will also look at "firehol".
>>
>> Our firewall/NAT requirements are not very large, and I finally figured out
>> the right set of rules we need. In essence, we just need to add these to the
>> /etc/ufw/before.rules file and restart ufw:
>
> with ONLY changes to /etc/ufw/before.rules, the NAT rules would be reapplied
> (resulting multiple rules on NAT table) whenever you restart ufw. No big deal
> if you plan to restart the container anyway on every rule change (or never
> plan to change the rules), but not ideal if your plan is to use "ufw reload".
>
> In my case I had to separate ufw NAT rules into a new custom chain,
> ufw-before-prerouting:
>
> - edit /etc/ufw/before.init (copy it from /usr/share/ufw/before.init), and
> make it executable (e.g. chmod 700).
> Snippet of edited lines:
>
> start)
>         iptables -t nat -N ufw-before-prerouting || true
>         iptables -t nat -I PREROUTING -j ufw-before-prerouting || true
>         ;;
> stop)
>         iptables -t nat -D PREROUTING -j ufw-before-prerouting || true
>         iptables -t nat -F ufw-before-prerouting || true
>         iptables -t nat -X ufw-before-prerouting || true
>         ;;
>
> - add NAT lines to /etc/ufw/before.rules to look similar to this:
>
> # nat Table rules
> *nat
> :ufw-before-prerouting - [0:0]
>
> # DNAT example
> -A ufw-before-prerouting -i eth0 -p tcp --dport 21122 -j DNAT --to 10.0.3.211:22
>
> # each table in before.rules must end with COMMIT
> COMMIT
>
> --
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
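An added check for the failure mode Fajar describes above (NAT entries in /etc/ufw/before.rules being re-applied on every "ufw reload" and piling up in the nat table); this is not code from either message in the thread. It reads nat-table text in iptables-save format and reports any rule line that occurs more than once; the embedded dump is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Finds NAT rules that have been applied
# more than once, which is what happens when the NAT entries in
# /etc/ufw/before.rules are re-appended on each "ufw reload" instead of living
# in a dedicated chain that is flushed and recreated on every start.
# Input is nat-table text in iptables-save format; the dump below is a
# constructed sample (the thread's DNAT rule, appended three times).

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21122 -j DNAT --to-destination 10.0.3.211:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21122 -j DNAT --to-destination 10.0.3.211:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21122 -j DNAT --to-destination 10.0.3.211:22
-A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Read a dump on stdin and print every "-A" rule that appears more than once,
# prefixed with its occurrence count (e.g. "3x -A PREROUTING ...").
duplicate_rules() {
    grep '^-A ' | sort | uniq -c \
        | awk '$1 > 1 { n = $1; $1 = ""; sub(/^ /, ""); print n "x " $0 }'
}

# Number of distinct rules that are duplicated in the dump passed as $1
# (0 means the table is clean).
duplicate_rule_count() {
    printf '%s\n' "$1" | duplicate_rules | wc -l | tr -d ' '
}

# Check the live nat table when iptables-save is available (needs root);
# otherwise fall back to the constructed sample so the script runs anywhere.
# Returns the number of duplicated rules, so it can be used as a cron check.
check_nat_table() {
    if command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        dump=$(iptables-save -t nat 2>/dev/null)
    else
        dump=$SAMPLE_NAT
    fi
    n=$(duplicate_rule_count "$dump")
    if [ "$n" -gt 0 ]; then
        echo "$n duplicated NAT rule(s) found:"
        printf '%s\n' "$dump" | duplicate_rules
    else
        echo "nat table has no duplicated rules"
    fi
    return "$n"
}

check_nat_table
```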