YunoHost-Apps / lxd_ynh

LXD package for YunoHost
https://linuxcontainers.org
GNU General Public License v3.0

IPTABLES not implemented after lxd init #65

Open yalh76 opened 1 year ago

yalh76 commented 1 year ago

Describe the bug

After lxd init on a bullseye, iptables rules are not created. @Kayou proposed a solution. Not sure it's still the case.


#!/bin/bash
# Re-create the rules LXD generates for the lxdbr0 bridge after the YunoHost
# firewall has rebuilt iptables. Replace __LXDBR0_NETWORK_ADDRESS__ with the
# first three octets of the bridge subnet.

# Container -> host: ICMP errors, DNS and DHCP requests.
iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 12 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 11 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p icmp -m icmp --icmp-type 3 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

# Forward traffic in both directions through the bridge.
iptables -w -A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

# Host -> container: ICMP errors, DNS and DHCP replies.
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 12 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 11 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p icmp -m icmp --icmp-type 3 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
iptables -w -A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

# POSTROUTING exists in the nat table (MASQUERADE) and the mangle table
# (CHECKSUM), not in filter: without -t these two commands fail.
iptables -w -t nat -A POSTROUTING -s __LXDBR0_NETWORK_ADDRESS__.0/24 ! -d __LXDBR0_NETWORK_ADDRESS__.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
iptables -w -t mangle -A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill

exit 0

kay0u commented 1 year ago

Yes, I still have this file in /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom and it works.

Another solution is to run systemctl restart lxd.service when yunohost-firewall restarts (replace all iptables lines with this command in /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom). But I don't think it's something we want because there will be downtime on each container.

anmol26s commented 1 month ago

Thanks, it works. @kay0u your work saves a lot of time. How can I make it permanent? I will have to run it every time the firewall reloads.
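An added example hook that is not part of this thread or the lxd_ynh package: it answers the permanence question above by doing what kay0u described, placing the rules in /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom, but reads the subnet from LXD instead of the __LXDBR0_NETWORK_ADDRESS__ placeholder, checks each rule with -C before appending so repeated firewall reloads never stack duplicates, and puts the MASQUERADE and CHECKSUM rules in the nat and mangle tables. It assumes the lxc client is in PATH and the bridge is lxdbr0; the IPTABLES and BRIDGE variables are hypothetical overrides for testing.

```shell
#!/bin/bash
# Added example (not the repo's own hook) for /etc/yunohost/hooks.d/post_iptable_rules/95-lxd-custom:
# recreate LXD's lxdbr0 rules idempotently after yunohost-firewall rebuilds iptables. Assumes "lxc" is in PATH.
set -eu
IPTABLES="${IPTABLES:-iptables}"
BRIDGE="${BRIDGE:-lxdbr0}"
COMMENT="generated for LXD network ${BRIDGE}"
# network_of 10.118.9.1/24 -> 10.118.9.0/24 (IPv4, pure shell arithmetic; replaces the placeholder)
network_of() {
    local ip="${1%/*}" prefix="${1#*/}" rest a b c d addr mask
    a="${ip%%.*}"; rest="${ip#*.}"; b="${rest%%.*}"; rest="${rest#*.}"
    c="${rest%%.*}"; d="${rest#*.}"
    addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( prefix ? (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF : 0 ))
    addr=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (addr >> 24) & 255 )) $(( (addr >> 16) & 255 )) \
        $(( (addr >> 8) & 255 )) $(( addr & 255 )) "$prefix"
}

# Append a rule only if an identical one is absent (-C), so running the hook on every reload never stacks duplicates.
ensure_rule() {
    local table="$1" chain="$2"; shift 2
    "$IPTABLES" -w -t "$table" -C "$chain" -m comment --comment "$COMMENT" "$@" 2>/dev/null ||
        "$IPTABLES" -w -t "$table" -A "$chain" -m comment --comment "$COMMENT" "$@"
}

apply_rules() {
    local subnet
    subnet="$(network_of "$(lxc network get "$BRIDGE" ipv4.address)")"  # e.g. 10.118.9.1/24 -> 10.118.9.0/24
    for t in 12 11 3; do  # ICMP parameter-problem, time-exceeded, unreachable
        ensure_rule filter INPUT -i "$BRIDGE" -p icmp -m icmp --icmp-type "$t" -j ACCEPT
        ensure_rule filter OUTPUT -o "$BRIDGE" -p icmp -m icmp --icmp-type "$t" -j ACCEPT
    done
    for p in tcp udp; do  # DNS to/from dnsmasq on the bridge
        ensure_rule filter INPUT -i "$BRIDGE" -p "$p" -m "$p" --dport 53 -j ACCEPT
        ensure_rule filter OUTPUT -o "$BRIDGE" -p "$p" -m "$p" --sport 53 -j ACCEPT
    done
    ensure_rule filter INPUT -i "$BRIDGE" -p udp -m udp --dport 67 -j ACCEPT  # DHCP
    ensure_rule filter OUTPUT -o "$BRIDGE" -p udp -m udp --sport 67 -j ACCEPT
    for d in -i -o; do ensure_rule filter FORWARD "$d" "$BRIDGE" -j ACCEPT; done
    # NAT and checksum rules live in the nat and mangle tables, not in filter.
    ensure_rule nat POSTROUTING -s "$subnet" ! -d "$subnet" -j MASQUERADE
    ensure_rule mangle POSTROUTING -o "$BRIDGE" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
}

# Touch the firewall only as root with LXD installed (how the YunoHost hook runs); otherwise just define functions.
if [ "$(id -u)" = 0 ] && command -v lxc >/dev/null 2>&1; then
    apply_rules
fi
```

Make the file executable and it runs after every yunohost-firewall reload; IPTABLES=echo lets you print the commands without touching the host.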