On 30.01.2014 at 18:52, Leonid Isaev <[email protected]> wrote:

> On Thu, 30 Jan 2014 11:21:12 +0100
> Thomas Huber <[email protected]> wrote:
>
>> Hi out there,
>>
>> is it a good idea to set up a kind of virtual router inside a LXC?
>> I got a server with dual 1Gbit NIC and the server should run several
>> services. I also would like to use it as a router and I thought it would be
>> quite nice to set it up inside a LXC by mapping the WAN port with
>> "lxc.network.type = phys" to the container.
>>
>> first of all: is this a good idea?
>>
>
> So, 1st NIC is WAN and another is LAN? Then you'll have to create a bridge on
> the host, add the LAN interface to it (and whatever VM interfaces), and tell the
> container to route traffic between WAN and this bridge. Is that what you want
> to do?

Yes, that's the idea.

> This is doable (I need to think about how to best accomplish this), albeit
> rather complex (and complexity is bad for security). Note that the router itself is
> in principle unbreakable because the only services it runs are dnsmasq/dhcpd and
> ssh which can be locked down. So, if you are trying to protect the host, you
> won't accomplish much. OTOH, what if there is a problem with LXC
> userspace/kernel components which prevent containers from starting?
>
> Therefore I'd avoid complexity and do the routing in the host, while putting
> other services in containers/VMs. At least that is the setup I converged to
> after lots of trials and errors.

I see your point and that's why I'm asking. The idea was not only to protect the host but also the other running services / VMs:

- KVM with Windows 2008R2 and MS-SQL running inside
- a service for Wifi management with multiple access points running inside a JVM
- samba

Would you start the services just with lxc-execute or set up a complete container?

> HTH,
> L.
>
>> second: is it possible to do all the firewalling inside the LXC or is it
>> better (more secure) to do this at the host?
>>
>> Thanks and all the best
>> mirac
>> _______________________________________________
>> lxc-users mailing list
>> [email protected]
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
> --
> Leonid Isaev
> GnuPG key: 0x164B5A6D
> Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
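The layout Leonid sketches (LAN NIC bridged on the host, WAN NIC handed to the container with `lxc.network.type = phys`, routing and filtering done inside the container) has three separately reviewable pieces. The script below is an added example, not code from the thread or from the LXC project; it renders each piece as text so it can be inspected before anything is applied, and only executes the host and container commands when `APPLY=1`. The interface names `eth0`/`eth1`, the bridge name `br-lan`, the container name `router` and the in-container names `wan0`/`lan0` are assumptions; the `lxc.network.*` keys are the lxc 1.x spelling used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate the host bridge commands, the
# container's network config and the in-container router rules for the
# "router in a container" layout. Names below are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"      # assumed: host NIC facing the WAN, moved into the container
LAN_IF="${LAN_IF:-eth1}"      # assumed: host NIC facing the LAN
BRIDGE="${BRIDGE:-br-lan}"    # assumed: host bridge that LAN NIC and guests attach to
CT_NAME="${CT_NAME:-router}"  # assumed container name

# 1. Host side: bridge the LAN NIC with the guest interfaces. The WAN NIC is
#    deliberately NOT part of this: "phys" moves it into the container's
#    network namespace, so the host stops seeing it and must be managed from
#    the LAN side only.
host_bridge_commands() {
    printf '%s\n' \
        "ip link add name $BRIDGE type bridge" \
        "ip link set dev $LAN_IF master $BRIDGE" \
        "ip link set dev $LAN_IF up" \
        "ip link set dev $BRIDGE up"
}

# 2. Container network config (lxc 1.x keys): the physical WAN NIC plus a
#    veth leg whose host end is enslaved to the LAN bridge.
lxc_net_config() {
    cat <<EOF
# WAN: physical NIC moved into the container as wan0
lxc.network.type = phys
lxc.network.link = $WAN_IF
lxc.network.name = wan0
lxc.network.flags = up

# LAN: veth pair, host end attached to $BRIDGE, container end lan0
lxc.network.type = veth
lxc.network.link = $BRIDGE
lxc.network.name = lan0
lxc.network.flags = up
EOF
}

# 3. Inside the container: enable forwarding, default-deny FORWARD, allow
#    LAN -> WAN and only reply traffic back, NAT toward the WAN. These need
#    CAP_NET_ADMIN to stay in the container (check lxc.cap.drop).
container_router_rules() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT" \
        "iptables -A FORWARD -i wan0 -o lan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE"
}

# Execute a command list only when APPLY=1; otherwise indent it for review.
run_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then
        while IFS= read -r cmd; do sh -c "$cmd"; done
    else
        sed 's/^/  /'
    fi
}

main() {
    echo "# on the host (bridge $BRIDGE):"
    host_bridge_commands | run_or_show
    echo "# network section for /var/lib/lxc/$CT_NAME/config:"
    lxc_net_config | sed 's/^/  /'
    echo "# inside the container $CT_NAME:"
    container_router_rules | run_or_show
}

main
```

Run it without `APPLY` first and read the output; the point of splitting it this way is that the host part touches only the LAN bridge, the config part is what `lxc-start` consumes, and the rules part is what has to be right inside the container, since with this layout nothing on the host filters the WAN at all.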
