LXC Ipfilter-net IP spoofing tests

EuroDomenii

Sep 30, 2016
I wanted to test the efficiency of Ipfilter-net for a container.

Inside the container, after running the following command (from https://sandilands.info/sgordon/address-spoofing-with-iptables-in-linux) to spoof the IP, all outgoing network activity is blocked (ping etc.).

Code:
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1

The most interesting fact is that the output is blocked even without activating the general IP Filter option in the VM's firewall options tab: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_ipfilter_section

Running the same iptables command from the Proxmox host doesn't block output.

Something at the LXC level is blocking outgoing spoofed connections without the ipfilter option. What is it?

Thank you!
I wanted to test the efficiency of Ipfilter-net for a container.

Inside the container, after running the following command (from https://sandilands.info/sgordon/address-spoofing-with-iptables-in-linux) to spoof the IP, all outgoing network activity is blocked (ping etc.).

Code:
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1

Something at the LXC level is blocking outgoing spoofed connections without the ipfilter option. What is it?

Did you check it by following the packets via tcpdump? Of course you will not get any answer: in the above-mentioned example, all packets coming back will be sent (or at least attempted to be sent) to 1.1.1.1...
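Following up on the suggestion to follow the packets with tcpdump, here is an added example (not code from either poster) that performs that check over constructed tcpdump-style lines instead of a live capture: it parses `tcpdump -nn -e` output and flags frames whose IPv4 source address is not one assigned to the sending container interface, which is the same property the IP filter option is designed to enforce (only traffic from a guest interface's configured addresses may leave it). The MAC-to-address table, the MACs and every IP address in the sample are made up for this example; in practice the table would come from the container's network configuration.

```python
"""Flag egress frames whose IPv4 source does not belong to the sending container.

Added example: replays the "follow the packets with tcpdump" check over
constructed sample lines. EXPECTED_SOURCES stands in for what the container's
network config says each interface (identified by MAC) may source.
"""
import ipaddress
import re

# Constructed `tcpdump -nn -e -i <bridge>` output (not a real capture). The
# second line is what a frame sourced via `SNAT --to-source 1.1.1.1` from the
# first container would look like on the bridge.
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 192.168.1.50 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 1.1.1.1 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 64
12:00:03.000001 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.60.44321 > 192.168.1.1.80: Flags [S], seq 0, win 64240, length 0
12:00:04.000001 aa:bb:cc:dd:ee:09 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.70.44322 > 192.168.1.1.80: Flags [S], seq 0, win 64240, length 0
12:00:05.000001 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
"""

# Assumed: the addresses each container interface (by MAC) is allowed to source.
EXPECTED_SOURCES = {
    "aa:bb:cc:dd:ee:01": {ipaddress.ip_network("192.168.1.50/32")},
    "aa:bb:cc:dd:ee:02": {ipaddress.ip_network("192.168.1.60/32")},
}

# Matches the `tcpdump -nn -e` line layout for IPv4 frames; the optional
# `(?:\.\d+)?` groups swallow TCP/UDP port suffixes (e.g. 192.168.1.60.44321).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def parse_ipv4_frames(capture: str):
    """Yield (timestamp, src_mac, src_ip) for each IPv4 frame; ARP etc. is skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src_mac"], ipaddress.ip_address(m["src_ip"])


def find_spoofed(capture: str, expected: dict) -> list:
    """Return frames whose source IP is not permitted for the sending MAC.

    Each entry is (timestamp, src_mac, src_ip, reason). A MAC missing from the
    table is reported too: traffic from an unknown interface is just as worth a
    look when working out what is (or is not) filtering on the bridge.
    """
    findings = []
    for ts, mac, src in parse_ipv4_frames(capture):
        allowed = expected.get(mac)
        if allowed is None:
            findings.append((ts, mac, str(src), "unknown source MAC"))
        elif not any(src in net for net in allowed):
            findings.append((ts, mac, str(src), "source address not assigned to this interface"))
    return findings


if __name__ == "__main__":
    for ts, mac, src, why in find_spoofed(SAMPLE_CAPTURE, EXPECTED_SOURCES):
        print(f"{ts} {mac} src={src}: {why}")
```

On a live host the same parser can read a capture piped from `tcpdump -nn -e -l -i <bridge>` (the bridge name depends on the setup). If the spoofed frame never shows up on the bridge at all, whatever is dropping it sits between the container's veth and the bridge rather than in the host's nat table, which is the distinction the thread is trying to make.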