prevent flushing of iptables from lxc.service when csf restarts

n8v8r
Junior Member
Posts: 9
Joined: 21 Apr 2018, 21:52


Post by n8v8r »

lxc.service (lxc containers) comes with its own set of iptables rules which are loaded when lxc.service starts. Since csf flushes the iptables entirely when restarted, the lxc container(s) lose connectivity.

lxc.service does not provide for a reload but only a restart, which in turn kills any active container and thus interrupts any service provided by an lxc container. Which is most inconvenient.

The lxc iptables rules are stipulated in /usr/lib/x86_64-linux-gnu/lxc/lxc-net:

iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
---

Probably best practice is to restart the lxc container(s) through csfpost.sh
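A less disruptive alternative to restarting the containers, as an added example that is not the poster's code and not part of csf or lxc: a csfpost.sh (csf runs /etc/csf/csfpost.sh after loading its own rules) that re-adds the same lxc-net rules listed above, checking each with iptables -C first so repeated csf restarts never duplicate them. The bridge name, network and iptables path are assumptions (take them from /etc/default/lxc-net), and iptables -w stands in for lxc-net's $use_iptables_lock.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh (example): restore lxc-net's iptables rules after csf's flush.
# Assumed values; set them to match /etc/default/lxc-net on the host.
LXC_BRIDGE="${LXC_BRIDGE:-lxcbr0}"
LXC_NETWORK="${LXC_NETWORK:-10.0.3.0/24}"
IPTABLES="${IPTABLES:-iptables}"

# The rules from lxc-net, one per line as "<table> <action> <chain> <rule spec>".
# The same spec works for -C (check), -I (insert at top) and -A (append).
lxc_rules() {
    cat <<EOF
filter -I INPUT -i $LXC_BRIDGE -p udp --dport 67 -j ACCEPT
filter -I INPUT -i $LXC_BRIDGE -p tcp --dport 67 -j ACCEPT
filter -I INPUT -i $LXC_BRIDGE -p udp --dport 53 -j ACCEPT
filter -I INPUT -i $LXC_BRIDGE -p tcp --dport 53 -j ACCEPT
filter -I FORWARD -i $LXC_BRIDGE -j ACCEPT
filter -I FORWARD -o $LXC_BRIDGE -j ACCEPT
nat -A POSTROUTING -s $LXC_NETWORK ! -d $LXC_NETWORK -j MASQUERADE
mangle -A POSTROUTING -o $LXC_BRIDGE -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
EOF
}

# Add each rule only if it is missing: iptables -C exits 0 when the rule exists,
# so this is safe to run on every csf restart without accumulating duplicates.
restore_lxc_rules() {
    lxc_rules | while read -r table action chain spec; do
        # word-splitting of $spec into separate arguments is intended
        if ! $IPTABLES -w -t "$table" -C "$chain" $spec 2>/dev/null; then
            $IPTABLES -w -t "$table" "$action" "$chain" $spec
        fi
    done
}

# Only touch the firewall when csf invokes this file as csfpost.sh;
# sourcing it elsewhere just defines the functions.
case "$0" in *csfpost.sh) restore_lxc_rules ;; esac
```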
