[systemd-devel] Fwd: container networking and iptables

Andy Pieters Pieters.Andy+systemd at gmail.com
Thu Nov 26 00:29:59 PST 2015


Hi Johannes

You can make the changes w/o tearing down the iptables.

I must admit I have been known to make changes directly to the iptables
rules file myself, but reloading the firewall for every change isn't always
practicable.

Because of that I have adopted a policy of making the change to the running
firewall, and then doing an iptables-save > /etc/iptables/iptables.rules

The reason the container's networking breaks when you restart iptables is
that the masquerade rule is added to the running iptables only and not
written to the file.

Bear in mind though that if you do save iptables with iptables-save ...
whilst your container is running, the masquerade rule will also be saved.


Hope this helps


On 21 November 2015 at 04:36, Johannes Ernst <johannes.ernst at gmail.com>
wrote:

> Setting IPMasquerade on a systemd-managed interface (e.g. for running an
> nspawn container) automatically sets up a "masquerade" netfilter entry. If
> an iptables ruleset exists already, it adds to it. (I think)
>
> But what if I want to change my other firewall rules (unrelated to the
> container) without breaking the container's networking? How would I add the
> systemd-generated rule back in?
>
> Example (in Arch):
>
> 1. System boots
> 2. systemd starts iptables.service, which reads its rules from
> /etc/iptables/iptables.rules
> 3. I start a container with nspawn -n, so networkd adds the equivalent of
>     -A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
> to the ruleset. (At least I think it does.) Everything works fine.
>
> 4. I change my firewall rules by editing /etc/iptables/iptables.rules
> 5. system restart iptables
>
> and voila, my container’s network is broken.
>
> It’d be nice if there were some kind of saying:
>     cat /etc/iptables/iptables.rules /run/systemd/iptables/rules |
> iptables-restore
> in iptables.service.
>
> Or is there some other way of accomplishing this?
>
> Thanks,
>
>
>
> Johannes.
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
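Both approaches in the thread, saving the running firewall with iptables-save and concatenating two rule files before iptables-restore, hinge on one detail of the iptables-save format: iptables-restore flushes a table when it reads its `*table` line, so a second `*nat` section replaces the first instead of adding to it. The script below is an added example, not code from the thread or from systemd; it merges the container's MASQUERADE rule into an existing dump once, handles a dump that has no `*nat` table at all, and uses a constructed dump and the 10.0.0.0/28 rule as stand-ins for the real files.

```shell
# Added example, not systemd or thread code: merge a container MASQUERADE
# rule into an iptables-save dump idempotently (constructed values).

# Hypothetical stand-in for the rule networkd's IPMasquerade= adds.
MASQ_RULE='-A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE'

# merge_rule TABLE RULE < dump: print the dump with RULE inserted into
# TABLE just before its COMMIT unless already present; if the dump has no
# such table (Arch's default iptables.rules has only *filter), append one.
merge_rule() {
    awk -v table="*$1" -v rule="$2" '
        $0 == table                { in_table = 1; found = 1; seen = 0 }
        in_table && $0 == rule     { seen = 1 }
        in_table && $0 == "COMMIT" { if (!seen) print rule; in_table = 0 }
        { print }
        END {
            if (!found) {
                split(rule, f, " ")            # f[2]: chain named after -A
                print table
                print ":" f[2] " ACCEPT [0:0]"
                print rule
                print "COMMIT"
            }
        }'
}

# count_rule RULE < dump: number of lines exactly equal to RULE
count_rule() { grep -cFx -- "$1"; }

# Constructed dump standing in for /etc/iptables/iptables.rules.
sample_rules() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Live equivalent of the save-after-change workflow:
#   iptables-save | merge_rule nat "$MASQ_RULE" > /etc/iptables/iptables.rules
merged_rules() { sample_rules | merge_rule nat "$MASQ_RULE"; }
```

Once the rule is written to the file this way it stays there after the container exits, so the 10.0.0.0/28 entry has to be removed by hand when that subnet is no longer in use.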