Introduction
By default, your containers are accessible only from the host. For serious use you will want to expose some containers to the outside world. There are various ways of doing this. Currently I have settled on the following,
...
Warning |
---|
Make sure to change the password of, or better, remove the default ubuntu account generated by the lxc creation script before making the container accessible to the Internet. |
UFW
UFW in the Host
UFW is a great, simple firewall, but at this point I do not recommend installing it on your host if you intend to use port forwarding, as there may be conflicts. Second, port forwarding with UFW is overly complex and feels like a hack, whereas it is very simple with iptables.
If you insist on using UFW, make sure to change the setting so that it does not drop forwarded packets. I will revisit this later, as I do like UFW. Perhaps I can ask the developers to make port forwarding more straightforward.
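One way to check both points before exposing a container, as an added example that is not the author's own configuration: it reads UFW's forward policy and prints, without running it, an iptables DNAT rule for a single port. The path /etc/default/ufw and the key DEFAULT_FORWARD_POLICY are assumed to be the setting referred to above; eth0, port 8080 and 10.0.3.10:80 are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the original page. Nothing here changes the firewall:
# dnat_rule only prints the command so it can be reviewed before it is run.

# Print UFW's default forward policy (DROP, ACCEPT or REJECT).
# Assumption: the setting meant above is DEFAULT_FORWARD_POLICY in /etc/default/ufw.
ufw_forward_policy() {
    file=${1:-/etc/default/ufw}
    [ -r "$file" ] || return 1
    # Skip commented lines; the last assignment wins, as when the file is sourced.
    sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY=//p' "$file" | tail -n 1 | tr -d "\"' "
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule that forwards ONE TCP port on ONE host interface to one
# container port. Arguments are validated because the output is meant to be
# pasted into a root shell.
dnat_rule() {
    iface=$1; host_port=$2; ct_ip=$3; ct_port=$4
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    { valid_port "$host_port" && valid_port "$ct_port"; } || { echo "bad port" >&2; return 1; }
    valid_ipv4 "$ct_ip" || { echo "bad container address" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$host_port" "$ct_ip" "$ct_port"
}

# Constructed sample values: eth0, host port 8080, container 10.0.3.10 port 80.
if [ "$(ufw_forward_policy)" = "DROP" ]; then
    echo "UFW forward policy is DROP: the forwarded packets would be dropped" >&2
fi
dnat_rule eth0 8080 10.0.3.10 80
```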
UFW in a Container
Also, firewalls work at the kernel level, so you should not be installing UFW or even iptables inside a container.
...
Trying to enable UFW inside a container results in a "kernel needs to be upgraded" error.
macvtap
This looks promising... The most prominent user of macvtap interfaces seems to be libvirt/KVM, which allows guests to be connected to macvtap interfaces. Doing so allows for (almost) bridge-like behaviour of guests without the need for a real bridge on the host, as a regular Ethernet interface can be used as the macvtap's lower device.
References
Networking - https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network
...