
I installed an LXC container (Fedora 29, amd64) on my Ubuntu 18.04 system. The Linux container had no firewall command line tools, so I installed iptables into the container, and it installed successfully.

However, when I tried to configure the interface to drop all incoming and outgoing packets, it did not work. I am giving all the details here.

The command ip \a gave:

[root@fedora29 ~]# ip \a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:4c:d8:bf brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.52/24 brd 10.0.3.255 scope global dynamic eth0
       valid_lft 3456sec preferred_lft 3456sec
    inet6 fe80::216:3eff:fe4c:d8bf/64 scope link 
       valid_lft forever preferred_lft forever

I have iptables rules as follows:

[root@fedora29 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

Therefore I added the following two rules:

iptables --table filter --append INPUT --in-interface eth0@if8 --jump DROP
iptables --table filter --append OUTPUT --out-interface eth0@if8 --jump DROP

When I finally saved the configuration with iptables-save, the output was:

[root@fedora29 ~]# iptables-save
# Generated by iptables-save v1.8.0 on Wed Feb 20 08:41:43 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0@if8 -j DROP
-A OUTPUT -o eth0@if8 -j DROP
COMMIT
# Completed on Wed Feb 20 08:41:43 2019

However, the same worked fine on my Ubuntu host system, where the interface is named lxcbr0.

  • Have you reloaded the iptables service after saving? systemctl iptables reload Commented Feb 20, 2019 at 13:12
  • @RobotJohnny It's giving: Failed to reload iptables.service: Unit iptables.service not found.
    – shiva
    Commented Feb 21, 2019 at 7:29
  • What do you think is the result of ip \a in contrast to ip a? Commented May 29, 2023 at 17:07

2 Answers


Just remove @if8 from the interface name in your rules, because it's not part of the interface name. The interface name is just eth0.

@if8 is a clue about the link's peer interface, and it is dynamic: for example, it could change after a container restart.

For more information on the meaning of @if8 you can see my answer there:
What does “if1@if2” mean in interface name in output of “ip address” command on Ubuntu

  • This solved my problem. I don't know how to mark this answer as solved. Thank you very much. I just omitted @if8 in the iptables rules of the fedora29 LXC container and it worked like a charm. The other issue is that when I tried to run `systemctl reload iptables` it gave me an error: `Failed to reload iptables.service: Unit iptables.service not found`.
    – shiva
    Commented Feb 21, 2019 at 7:27
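As an added example (not code from the question or either answer), the following POSIX shell script derives the bare interface name from "ip" link output by stripping the "@ifN" peer hint, and only then builds the two DROP rules from the question with that name. The "ip" output it parses is a constructed sample modelled on the question's, and the helper names (iface_name, list_ifaces, drop_rules, iface_exists) are my own.

```shell
#!/bin/sh
# Added example, not code from the question or answers: derive the bare
# interface name from "ip" output and build the DROP rules with it.

# Constructed sample modelled on the question's "ip a" output; the real
# command to feed in would be:  ip -o link show
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Turn the second field of an "ip" link line ("eth0@if8:") into the name the
# kernel actually knows ("eth0"): drop the trailing colon and the "@ifN" peer
# hint, which only says the veth peer has ifindex N in another netns.
iface_name() {
    printf '%s\n' "$1" | sed -e 's/:$//' -e 's/@.*$//'
}

# List every interface name found in the (sample) "ip" output, one per line.
list_ifaces() {
    printf '%s\n' "$SAMPLE_LINKS" | awk '/^[0-9]+: / { print $2 }' |
    while IFS= read -r field; do
        iface_name "$field"
    done
}

# Emit the two rules from the question in iptables-save syntax, using the
# cleaned name; "-i eth0@if8" loads without error but never matches a packet.
drop_rules() {
    printf -- '-A INPUT -i %s -j DROP\n-A OUTPUT -o %s -j DROP\n' "$1" "$1"
}

# Sanity check: the kernel must know the derived name before rules use it.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Print the rules for every non-loopback interface (apply them separately,
# e.g. via iptables-restore, once reviewed).
for name in $(list_ifaces); do
    [ "$name" = lo ] && continue
    if [ -d /sys/class/net ] && ! iface_exists "$name"; then
        echo "skipping $name: not present on this host" >&2
        continue
    fi
    drop_rules "$name"
done
```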

Firstly, I need to thank @A.B for his response, as it cleared my issue. When I tried using a policy for the built-in chain without giving the interface, it worked:

[root@fedora29 ~]# iptables --table filter --policy INPUT DROP
[root@fedora29 ~]# iptables --table filter --policy OUTPUT DROP
[root@fedora29 ~]# iptables-save > /etc/network/iptables 
[root@fedora29 ~]# iptables-apply /etc/network/iptables 
Applying new ruleset... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.

However, when I tried to list the rules using iptables -L, I observed that no new rules were created, but the policies were modified, as shown:

[root@fedora29 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
[root@fedora29 ~]# ping 10.0.3.1
PING 10.0.3.1 (10.0.3.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 10.0.3.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 23ms

[root@fedora29 ~]# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
  • Without knowing the content of /etc/network/iptables this is not really helpful. Let alone that it is not an answer but should have been an edit of your question... Commented May 29, 2023 at 17:06
