PVE Firewall, LXC with bridged interfaces and OUT rules

Bill Church

Jun 25, 2015
I have a Linux container which has an interface which acts as a bridge to ioulive86 (https://github.com/jlgaddis/ioulive86). Its function is to bridge Virtual Routers to interfaces (in this case an interface of an LXC container).

I wanted to use VM firewall rules to give the ability to lock down these Virtual Routers inside this container and limit both their outbound and their inbound connectivity.

Inbound worked just fine, set the default to REJECT or DROP and I was able to create rules to just allow particular IPs or ports access. Outbound, however, was another story. Nothing initiated from the "guest" inside that container could get out... I started troubleshooting on the PVE node and noticed the firewall configuration for the LXC has a conditional DROP in front of all other rules that will drop any packets which are not sourced from the MAC of that LXC interface. In my case, since I'm bridging the source will be a MAC behind that LXC MAC and will never make it past that rule.

root@pve2:/var/log# iptables -nvL veth112i1-OUT
Chain veth112i1-OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 PVEFW-SET-ACCEPT-MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp spt:68 dpt:67
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! 11:11:11:11:11:11
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0x7fffffff

0 0 PVEFW-SET-ACCEPT-MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp dpt:1812
0 0 PVEFW-SET-ACCEPT-MARK all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:weoiwoewijweoiewgeweio */

Of course, it's clear that my udp/1812 rule will never fire for those "guests" as they'll never match at MAC (obfuscated).

Figured I'd bring this up in case someone else is running up against this. It would be nice if this could be supported in some way.
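Added example, not code from the post or from Proxmox: a Python walk of the veth112i1-OUT chain quoted above, which parses the listing and reports how a given packet is treated, so you can see that a frame from a MAC behind the bridge is dropped at the MAC filter before the udp/1812 rule is ever consulted. The chain text is copied from the post (the MAC was already obfuscated there); the bridged-guest MAC aa:bb:cc:dd:ee:ff is a constructed value.

```python
# Constructed copy of the veth112i1-OUT listing from the post.
CHAIN_LISTING = """\
Chain veth112i1-OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 PVEFW-SET-ACCEPT-MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp spt:68 dpt:67
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! 11:11:11:11:11:11
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0x7fffffff
0 0 PVEFW-SET-ACCEPT-MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp dpt:1812
0 0 PVEFW-SET-ACCEPT-MARK all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:weoiwoewijweoiewgeweio */
"""

def parse_chain(listing):
    """Parse `iptables -nvL <chain>` text into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 9 or not tok[0].isdigit() or "--" not in tok[:5]:
            continue                          # skip header lines and blanks
        opt = tok.index("--")                 # opt column: index 4 with a target, 3 without
        rule = {"target": tok[2] if opt == 4 else None, "proto": tok[opt - 1]}
        extra = tok[opt + 5:]                 # everything after in/out/source/destination
        for i, t in enumerate(extra):
            if t == "MAC" and extra[i + 1] == "!":
                rule["mac_not"] = extra[i + 2].lower()   # matches when src MAC differs
            elif t.startswith("dpt:"):
                rule["dport"] = int(t[4:])
            elif t.startswith("spt:"):
                rule["sport"] = int(t[4:])
        rules.append(rule)
    return rules

def verdict(rules, src_mac, proto, dport=None, sport=None):
    """Walk the chain top to bottom; return (verdict, index of the deciding rule)."""
    for idx, r in enumerate(rules):
        if r["proto"] != "all" and r["proto"] != proto:
            continue
        if "mac_not" in r and src_mac.lower() == r["mac_not"]:
            continue                          # frame carries the veth MAC: filter rule not hit
        if r.get("dport", dport) != dport or r.get("sport", sport) != sport:
            continue
        if r["target"] == "DROP":
            return "DROP", idx
        if r["target"] == "PVEFW-SET-ACCEPT-MARK":
            return "ACCEPT", idx              # [goto] sets the accept mark and leaves the chain
        # MARK and the PVESIG comment rule are non-terminating, keep walking
    return "FALLTHROUGH", None
```

Only the DHCP rule (udp spt:68 dpt:67) precedes the MAC filter, so that is the one outbound flow a bridged guest can still start; current PVE releases expose a per-guest firewall option named macfilter (on by default) that controls whether this DROP rule is generated at all.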