prevent flushing of iptables from lxc.service when csf restarts

1 post Page 1 of 1
n8v8r
Junior Member
Posts: 9
Joined: 21 Apr 2018, 21:52


lxc.service (lxc containers) comes with its own set of iptables rules, which are loaded when lxc.service starts. Since csf flushes the iptables entirely when restarted, the lxc container(s) lose connectivity.

lxc.service does not provide for a `reload` but only a `restart`, which in turn kills any active container and thus interrupts any service provided by an lxc container. Which is most inconvenient.

The lxc iptables rules are stipulated in `/usr/lib/x86_64-linux-gnu/lxc/lxc-net`:

```sh
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
```

Probably best practice is to restart the lxc container(s) through `csfpost.sh`.
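One way to get the same effect without restarting the containers, as an added example that is neither the poster's code nor part of lxc or csf: a `/etc/csf/csfpost.sh` that re-adds the lxc-net rules above after csf has rebuilt its tables, skipping any rule that is already present. The `LXC_BRIDGE`/`LXC_NETWORK` defaults and the `-w` lock option are assumptions (they should match `/etc/default/lxc-net` and the `$use_iptables_lock` value lxc-net picks on the host).

```sh
#!/bin/sh
# Added example, not from the post or from the lxc/csf projects: re-apply the
# lxc-net rules from /etc/csf/csfpost.sh after csf has flushed and rebuilt its
# tables, so the containers keep connectivity without restarting lxc.service.
# Assumptions: LXC_BRIDGE and LXC_NETWORK match /etc/default/lxc-net (the lxc
# defaults are used as fallbacks) and iptables supports -w (the lock option
# lxc-net itself selects via $use_iptables_lock).
LXC_BRIDGE="${LXC_BRIDGE:-lxcbr0}"
LXC_NETWORK="${LXC_NETWORK:-10.0.3.0/24}"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root

# ensure_rule TABLE CHAIN ACTION RULE-SPEC...
# Adds the rule only when it is absent: iptables -C exits 0 if an identical
# rule already exists, so repeated csf restarts never stack duplicates.
ensure_rule() {
    _table=$1; _chain=$2; _action=$3; shift 3
    if "$IPTABLES" -w -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -w -t "$_table" "$_action" "$_chain" "$@"
}

# The rule set lxc-net installs at start-up, with the same insert/append
# behaviour (-I for the filter rules, -A for nat and mangle).
apply_lxc_rules() {
    ensure_rule filter INPUT   -I -i "$LXC_BRIDGE" -p udp --dport 67 -j ACCEPT
    ensure_rule filter INPUT   -I -i "$LXC_BRIDGE" -p tcp --dport 67 -j ACCEPT
    ensure_rule filter INPUT   -I -i "$LXC_BRIDGE" -p udp --dport 53 -j ACCEPT
    ensure_rule filter INPUT   -I -i "$LXC_BRIDGE" -p tcp --dport 53 -j ACCEPT
    ensure_rule filter FORWARD -I -i "$LXC_BRIDGE" -j ACCEPT
    ensure_rule filter FORWARD -I -o "$LXC_BRIDGE" -j ACCEPT
    ensure_rule nat    POSTROUTING -A -s "$LXC_NETWORK" ! -d "$LXC_NETWORK" -j MASQUERADE
    ensure_rule mangle POSTROUTING -A -o "$LXC_BRIDGE" -p udp -m udp --dport 68 \
        -j CHECKSUM --checksum-fill
}

# Run only when csf executes this file as csfpost.sh (after every csf
# start/restart); sourcing it elsewhere just defines the functions.
case "${0##*/}" in
    csfpost.sh) apply_lxc_rules ;;
esac
```

Because every rule is checked with `-C` first, the script is safe to run as often as csf restarts, and `iptables -S` afterwards should show each lxc rule exactly once.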