prevent flushing of iptables from lxc.service when csf restarts

Junior Member
Posts: 9
Joined: 21 Apr 2018, 21:52

lxc.service (lxc containers) comes with its own set of iptables rules which are loaded when lxc.service starts. Since csf flushes iptables entirely when restarted, the lxc container(s) lose connectivity.

lxc.service does not provide for a
but only
which in turn is killing any active container and thus interrupting any service provided by an lxc container, which is most inconvenient.

The lxc iptables rules are stipulated in

iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Probably best practice is to restart the lxc container(s) through
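One defensive way to survive a csf restart is to re-add the lxc-net rules from csf's post-rules hook instead of restarting the containers. The script below is an added example, not code from the original post, csf or lxc; it assumes csf's /etc/csf/csfpost.sh hook (which csf runs after it has loaded its own rules) calls this file with --apply, and it assumes the stock lxc-net bridge and network values (lxcbr0, 10.0.3.0/24) plus an `ensure_rule` helper that probes with `iptables -C` so repeated restarts do not stack duplicate rules.

```shell
#!/bin/sh
# restore-lxc-rules.sh (assumed path /usr/local/sbin): re-adds the lxc-net
# iptables rules that a csf restart flushes. Added example, not csf/lxc code.
# In /etc/csf/csfpost.sh (assumed csf hook):  /usr/local/sbin/restore-lxc-rules.sh --apply

# Defaults match a stock lxc-net setup; override via the environment if yours differ.
LXC_BRIDGE="${LXC_BRIDGE:-lxcbr0}"
LXC_NETWORK="${LXC_NETWORK:-10.0.3.0/24}"
# -w waits for the xtables lock instead of failing while csf is still writing rules.
IPTABLES="${IPTABLES:-iptables -w}"

# ensure_rule TABLE ACTION CHAIN RULE...
# Probe with -C first so that repeated csf restarts never stack duplicate rules.
ensure_rule() {
    _table=$1; _action=$2; _chain=$3; shift 3
    if $IPTABLES -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        return 0            # rule already present, nothing to do
    fi
    $IPTABLES -t "$_table" "$_action" "$_chain" "$@"
}

# The same eight rules lxc-net installs when lxc.service starts.
restore_lxc_rules() {
    ensure_rule filter -I INPUT -i "$LXC_BRIDGE" -p udp --dport 67 -j ACCEPT
    ensure_rule filter -I INPUT -i "$LXC_BRIDGE" -p tcp --dport 67 -j ACCEPT
    ensure_rule filter -I INPUT -i "$LXC_BRIDGE" -p udp --dport 53 -j ACCEPT
    ensure_rule filter -I INPUT -i "$LXC_BRIDGE" -p tcp --dport 53 -j ACCEPT
    ensure_rule filter -I FORWARD -i "$LXC_BRIDGE" -j ACCEPT
    ensure_rule filter -I FORWARD -o "$LXC_BRIDGE" -j ACCEPT
    ensure_rule nat -A POSTROUTING -s "$LXC_NETWORK" ! -d "$LXC_NETWORK" -j MASQUERADE
    ensure_rule mangle -A POSTROUTING -o "$LXC_BRIDGE" -p udp -m udp --dport 68 \
        -j CHECKSUM --checksum-fill
}

# Only touch the firewall when invoked with --apply, so the file can also be
# sourced (e.g. for a dry run with IPTABLES pointed at a logging stub).
if [ "${1:-}" = "--apply" ]; then
    restore_lxc_rules
fi
```

After a `csf -r`, `iptables -S INPUT FORWARD` and `iptables -t nat -S POSTROUTING` should show each lxc rule exactly once.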