08-29-2018, 07:44 PM   #1
boredazfcuk
LQ Newbie
Registered: Oct 2014
Posts: 7

Debian 9 libvirt-lxc containers and networking/iptables

Hi,

Sorry for the wall of text but I was wondering if someone could give me a few pointers because I'm struggling to understand how a Debian 9 host with libvirt-lxc containers handles networking and iptables.

I currently have a Stretch host on which I installed libvirt-lxc and created half a dozen containers. I installed iptables on the host and locked the server down to allow stuff like loopback, broadcast, traceroute, ping, igmp, dns, dhcp, ssh and a couple more. I worked out the precise rules that were needed by redirecting the logging of dropped packets to an iptables.log file and monitoring it while making the connections I needed.

I then installed xtables-addons and tried to set up rules for GeoIP and port scan blocking. It didn't work. It just blocked everything, blaming GeoIP. When I checked the .csvs, they were correctly identifying the origin country, ruling out false positives. iptables was still blocking traffic instead of passing it through.

After deciding to move on and come back to that problem later, I then configured one of the containers. I used the same method of logging dropped traffic and adjusting rules accordingly and got all of its services internet-enabled. GeoIP blocks wouldn't work on this container either.

I then configured a third container, installed iptables, configured logging like I had on the previous container (and on the host server) and saw nothing in the logs. The iptables.log never got created and nothing was appearing in the kern.log either. I installed GeoIP on this container but that wouldn't work either.

So... I then went back to the host machine and got GeoIP working. I ripped it all out, rebooted, re-installed and then it complained about an invalid chain name. I rebooted again and it sprang into life. I checked from two different countries and both were blocked while my home nation worked. Success!... or so I thought.

So here's the bit I don't understand. I was expecting to have to make the same changes to the containers. However, after fixing the host, the containers also started blocking non-home nations. I'd already rebooted the containers multiple times while trying to diagnose the issue, so I'm 99% certain that it was rebooting the host that fixed things, rather than stopping/starting the containers themselves.

I was expecting everything to fall into place after that, but the containers are logging dropped traffic inconsistently. If I flush the iptables and create 'Accept everything + Log it' rules for In/For/Out, I still don't see anything in kern.log or the iptables.log on one of the containers.

Does it not work like that at all? I've just checked one of the containers' kern.log file and even though it claims it's from the local container, it's showing traffic which should only hit the host. Is that what's happening? The container is showing the host's logs? They appear to be separate files on the file system.

Or should I think of it as all the containers' IPs actually living on the host and configure the iptables there? If I check the logs there though, nothing which is destined for the containers shows up.

I'm just at a loss as to how much containers are separated from the host.

Thanks if you managed to read this far!

Edit: So after a bunch of testing, I found that logging of packets was only happening inside one of the containers... The logs on the host showed nothing. I purged iptables from this container and it was still logging packets for the host to kern.log! I removed iptables from everything and re-installed on the host. Normal logging service was resumed.

This leaves me in an awkward position. If I can't install iptables inside the containers without it affecting the host, then how do I harden the security for the container that connects the VPN?

Edit 2: Is this due to the container not having user namespace mapping enabled? It throws an error when I attempt to enable it on a current container, or when installing a new container from scratch... I'll get that working and test from an unprivileged container.

Last edited by boredazfcuk; 08-30-2018 at 03:25 PM.
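The post's method of working out the required rules is to log dropped packets and read the log while exercising each service. The script below is an added example (not code from the thread or from any of the projects mentioned) that automates that reading step: it parses iptables LOG-target lines out of a kern.log, counts dropped flows by direction, protocol and destination port or ICMP type, and turns the tally into candidate ACCEPT rules for review. The sample log text is constructed, and the `IPT-DROP:` prefix is an assumed `--log-prefix`, not one used in the post.

```python
"""Summarise netfilter LOG entries from a syslog-style kern.log.

Added example for the LinuxQuestions thread on libvirt-lxc and iptables.
The LOG target writes one printk per matched packet as KEY=VALUE fields
(IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) plus bare flag words (DF, SYN).
"""
import re
from collections import Counter

# Constructed sample kern.log excerpt. Addresses come from the RFC 5737
# documentation ranges; "IPT-DROP:" is an assumed --log-prefix.
SAMPLE_KERN_LOG = """\
Aug 29 19:40:01 stretch kernel: [12345.678901] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 29 19:40:02 stretch kernel: [12346.000000] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 29 19:40:03 stretch kernel: [12347.111111] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=40000 DPT=53 LEN=56
Aug 29 19:40:04 stretch kernel: [12348.222222] IPT-DROP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 29 19:40:05 stretch kernel: [12349.333333] random: crng init done
"""

# "kernel:", an optional "[uptime]" stamp, the free-form log prefix, then the
# field list, which always starts with IN=.
LOG_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Return a dict of the LOG fields in one kern.log line, or None if the
    line is not a netfilter LOG entry. Bare flag words go under "FLAGS";
    a repeated key (LEN appears twice for UDP) keeps its last value."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group("prefix").rstrip(":").strip(), "FLAGS": []}
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            fields["FLAGS"].append(token)
    return fields


def summarise(log_text):
    """Count logged packets by (direction, protocol, service), where service
    is the destination port for TCP/UDP and the ICMP type otherwise."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        direction = "in" if fields.get("IN") else "out"
        proto = fields.get("PROTO", "?")
        if proto == "ICMP":
            service = "type " + fields.get("TYPE", "?")
        else:
            service = "dport " + fields.get("DPT", "?")
        counts[(direction, proto, service)] += 1
    return counts


def suggest_rules(counts, min_hits=1):
    """Turn the tally into candidate iptables ACCEPT rules, one per observed
    (direction, protocol, service). These are suggestions to review against
    what you were actually doing when the packets were logged, not a policy."""
    rules = []
    for (direction, proto, service), hits in sorted(counts.items()):
        if hits < min_hits:
            continue
        chain = "INPUT" if direction == "in" else "OUTPUT"
        _, _, value = service.partition(" ")
        if proto == "ICMP":
            match = f"-p icmp --icmp-type {value}"
        elif proto in ("TCP", "UDP"):
            match = f"-p {proto.lower()} --dport {value}"
        else:
            match = f"-p {proto.lower()}"
        rules.append(f"iptables -A {chain} {match} -j ACCEPT  # seen {hits}x")
    return rules


if __name__ == "__main__":
    tally = summarise(SAMPLE_KERN_LOG)
    for key, hits in sorted(tally.items()):
        print(f"{hits:4d}  {key}")
    print("\n".join(suggest_rules(tally)))
```

To use it on a real box, replace `SAMPLE_KERN_LOG` with the contents of `/var/log/kern.log` (or the file the LOG messages are redirected to) after running the services you want to permit; if a container's kern.log shows flows whose SRC/DST addresses belong only to the host, the tally makes that visible immediately, which is the symptom the post describes.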