Implement additional rules for LXC and DNS communication.

ScIT-Raphael · ScIT-Raphael · commit 21a310bbd63c · 2019-03-10T10:29:14.000+01:00
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -112,6 +112,21 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
     fi
 done
 
+# Check if is LXC
+if grep --quiet container=lxc /proc/1/environ; then
+    # Get active dns servers /etc/resolv.conf
+    DNS_SERVER=$(cat /etc/resolv.conf  | grep -v '^#' | grep nameserver | awk '{print $2}')
+
+    # Add iptable rules for dns server
+    for ip in $DNS_SERVER
+    do
+        echo "$iptables -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT" >> $tmp
+        echo "$iptables -A INPUT  -p udp -s $ip --sport 53 -m state --state ESTABLISHED     -j ACCEPT" >> $tmp
+        echo "$iptables -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT" >> $tmp
+        echo "$iptables -A INPUT  -p tcp -s $ip --sport 53 -m state --state ESTABLISHED     -j ACCEPT" >> $tmp
+    done
+fi
+
 # Switching chain policy to DROP
 echo "$iptables -P INPUT DROP" >> $tmp
 
