So, at my day job I use hardware firewalls, etc. in front of virtual environments and am well versed in security from that front. This question is more for home/small office type environments.
TL;DR - Assuming for simplicity that my IPTables configuration is 100% secure, how secure is LXC on an Ubuntu host box using a container-based iptables (shorewall) firewall, if the external interface has no IP address set?
Full details - I manage some small office environments that are usually using cable or DSL internet access, DHCP, and have little money in their budget for a decent hardware firewall platform, and usually do not want multiple devices, but want full service (file server, database, mail, intranet web, OpenVPN, etc.). I used to use Proxmox and VMware for these guys and just run a security VM with iptables or pfSense firewall.
I have been playing with LXC and it is really something else. What I am trying to find out is how secure it is when set up the way I would like to do it. Here is a fully working example running in my home lab right now.
Network config from LXC host below. Diagram attached below that.
Just want to understand fully how this is working before I consider pushing out to a test client.
# /etc/network/interfaces on the LXC host
auto lo
iface lo inet loopback

# bridge 0 (external wan): eth0 is enslaved to br0; neither gets an IPv4
# address on the host, the firewall container attaches to br0 instead
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet manual
    bridge_ports eth0

# bridge 1 (internal lan): eth1 is enslaved to br1, which carries the
# host's LAN address
auto eth1
iface eth1 inet manual

auto br1
iface br1 inet static
    bridge_ports eth1
    # address and netmask for br1 not shown
    dns-nameservers 192.168.101.241 192.168.101.242
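As an added example (not from the original post): a small POSIX sh audit that checks, offline against a constructed `ip -o addr show` capture and a constructed sysctl line, the two things this setup hinges on: that the WAN bridge carries no host address at all (the IPv6 link-local address the kernel adds by default included) and that the host itself is not forwarding. Interface names follow the post; the sample addresses are made up.

```shell
#!/bin/sh
# Offline audit of a saved `ip -o addr show` capture: does the WAN bridge carry
# any host address? "inet manual" leaves br0 without IPv4, but the kernel still
# adds an IPv6 link-local address (fe80::/10) to br0 and eth0 unless IPv6 is
# disabled on them, so the host's own stack stays reachable from the WAN side.

# Print every IPv4/IPv6 address on interface $1; expects `ip -o addr show`
# output on stdin (fields: index, ifname, family, address, ...).
iface_addrs() {
  awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# Exit 0 when interface $1 has no address at all (v4 or v6, link-local included).
is_ipless() {
  [ -z "$(iface_addrs "$1")" ]
}

# Exit 0 when the host itself is not routing; only the firewall container should.
# Expects `sysctl net.ipv4.ip_forward` style "key = value" lines on stdin.
host_forwarding_off() {
  awk -F' = ' '$1 == "net.ipv4.ip_forward" && $2 != "0" { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Constructed capture (not from a real host) shaped like the setup in the question:
# br0 has only the automatic link-local address, br1 carries the LAN address.
ADDR_SAMPLE=$(cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
4: br0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
5: br1    inet 192.168.101.1/24 brd 192.168.101.255 scope global br1\       valid_lft forever preferred_lft forever
EOF
)
SYSCTL_SAMPLE='net.ipv4.ip_forward = 0'

for ifc in br0 eth0; do
  if printf '%s\n' "$ADDR_SAMPLE" | is_ipless "$ifc"; then
    echo "$ifc: no host address"
  else
    echo "$ifc: host reachable via $(printf '%s\n' "$ADDR_SAMPLE" | iface_addrs "$ifc")"
  fi
done
printf '%s\n' "$SYSCTL_SAMPLE" | host_forwarding_off && echo "host is not forwarding"
```

On a live host, feed the functions from `ip -o addr show` and `sysctl net.ipv4.ip_forward` instead of the samples; a clean result on br0 normally requires disabling IPv6 on br0 and eth0 via sysctl as well.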