Debian LXC with Firewalld - hpaluch/hpaluch.github.io GitHub Wiki

Debian LXC with firewalld

[!WARNING] This setup is not officially supported. The main problem is that the startup service script /usr/libexec/lxc/lxc-net directly manipulates nftables (if the nft program works) or iptables, which may clash with firewalld.

So first install:

sudo apt-get install firewalld lxc

Firewalld is started automatically, but no zone is assigned to the main interface (eth0 in my case), so I had to assign one:

sudo firewall-cmd --permanent --zone=public --add-interface=eth0
sudo firewall-cmd --reload

Next, create a dedicated zone named lxc for the lxcbr0 bridge:

z=lxc
if=lxcbr0
firewall-cmd --permanent --new-zone=$z
firewall-cmd --permanent --zone=$z --add-interface=$if
firewall-cmd --permanent --zone=$z --add-service={dhcp,ssh,dns}
firewall-cmd --reload

We also need a policy that allows traffic from zone lxc to zone public, with forwarding and NAT (masquerade) enabled (see https://firewalld.org/2020/09/policy-objects-introduction):

p=lxc2pub
firewall-cmd --permanent --new-policy $p
firewall-cmd --permanent --policy $p --add-ingress-zone lxc
firewall-cmd --permanent --policy $p --add-egress-zone public
firewall-cmd --permanent --policy $p --set-target ACCEPT
firewall-cmd --permanent --policy $p --add-masquerade
firewall-cmd --reload

Next, create an Ubuntu container (warning: the default release of the ubuntu template is 16, which is very old):

# long/wrong way (uses the legacy ubuntu template with its old default release):
lxc-create -n ubu-1 -t ubuntu

# better way (download template, explicit distribution/release/arch):
/usr/share/lxc/templates/lxc-download -l  # lists available images
lxc-create -n ubu-1 -t download -- -d ubuntu -r noble -a amd64

lxc-start ubu-1
lxc-attach ubu-1

You may need to start the DHCP client inside the container with /sbin/ifup eth0; after that networking should work.

In my case I had to rm -f /etc/resolv.conf (it was a systemd symlink, which is wrong for that version) and simply create a new /etc/resolv.conf with the single line nameserver 10.0.3.1 (dnsmasq listens there and provides both the DHCP and the DNS server).

Finally, try apt-get update to confirm that it works.

Limitations

Firewalld in Debian does not support packet/byte counters when using the nftables backend (while iptables automatically counts them for every rule, visible with the -v option).

Fortunately there is a PR on GitHub, https://github.com/firewalld/firewalld/pull/1134, that was merged on Jun 2, 2023. However, it is not yet included in Debian 12 (as of Dec 2024).