# Setup LXC on debian 10

Install packages and add unprivileged user
```
apt install lxc libvirt0 libpam-cgfs bridge-utils uidmap
useradd lxcuser
cat /etc/s*id|grep lxcuser
```

Put the following in /etc/default/lxc-net 
```
USE_LXC_BRIDGE="true"
```

Put the following in /etc/lxc/default.conf 
```
lxc.idmap = u 0 <Replace with output of cat> <Replace with output of cat>
lxc.idmap = g 0 <Replace with output of cat> <Replace with output of cat>
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
```

Give root acces to unprivileged user space
```
echo "root:<Replace with output of cat>:<Replace with output of cat>" >> /etc/subuid
echo "root:<Replace with output of cat>:<Replace with output of cat>" >> /etc/subgid 
```

Enable and start lxc network service 
```
systemctl enable --now lxc-net
```
enable unprivileged user namespaces for kernels < 5.10
```
echo kernel.unprivileged_userns_clone=1 >> /etc/sysctl.conf
sysctl -p
```


# Extra config KB
* Create Container `lxc-create -t download -n <CTName> -- -d debian -r buster -a amd64`
* Container config `/var/lib/lxc/<CTName>/config`
* add to Container config to start on boot `lxc.start.auto = 1`
* add to Container config for static ip
```
lxc.net.0.ipv4.address = 10.0.3.<IP>/24
lxc.net.0.ipv4.gateway = 10.0.3.1
```


# UFW forwarding

also dont forget to add the extenal port as allow rule
add to /etc/ufw/before.rules

to begin of file before *filter
```
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s3 -p tcp --dport <extenal port> -j DNAT --to <ctip>:<internalport>
COMMIT
```

to end of file before last COMMIT
```
#LXC forwards
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
```