[lxc-users] preventing multiple networks to connect to each other?
Mike Wright
nobody at nospam.hostisimo.com
Sun Oct 1 18:25:00 UTC 2017
On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
> I would like to have several networks on the same host - so I've created
> them with:
>
> # lxc network create br-testing
> # lxc network create br-staging
>
>
> Then edited to match:
>
> # lxc network show br-staging
> config:
> ipv4.address: 10.191.0.1/24
> ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
> ipv4.nat: "false"
>
> # lxc network show br-testing
> config:
> ipv4.address: 10.190.0.1/24
> ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
> ipv4.nat: "false"
>
>
> The problem is I'd like these network to be separated - i.e. containers
> using br-staging bridge should not be able to connect to br-testing
> containers, and the other way around. Both networks should be able to
> connect to hosts in the internet.
>
>
> Is there any easy switch for that? So far, one thing which works is
> write my own iptables rules, but that gets messy with more networks.
Is there any reason to keep them on the same subnet? How about: to the
host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and
10.191.1.0/24. Then iptables could easily block them from each other:
-s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d
10.191.0.0/24 -d DROP.
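As an added example (not code from the thread), a small POSIX shell helper that generates the iptables FORWARD rules for any number of LXD bridges: it matches on the bridge interface names rather than on subnets, so it keeps working regardless of the addressing scheme, and it inserts at the top of the chain because LXD adds its own ACCEPT rules for each managed bridge to FORWARD. The bridge names are the ones from the question; `apply_rules`, `DRY_RUN` and the rule layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example: block traffic between every pair of LXD bridges while
# leaving container-to-internet forwarding untouched.

# isolation_rules BRIDGE... -> prints one "iptables -I FORWARD 1 ..." line per
# ordered pair of bridges (n bridges give n*(n-1) rules, both directions).
# Inserting at position 1 puts the DROP ahead of the ACCEPT rules LXD
# generates for each managed bridge, which would otherwise match first.
isolation_rules() {
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            # Interface-based match: independent of the subnets assigned to
            # the bridges, so re-addressing a network does not break isolation.
            echo "iptables -I FORWARD 1 -i $src -o $dst -j DROP"
        done
    done
}

# count_rules BRIDGE... -> number of rules that would be generated.
count_rules() {
    isolation_rules "$@" | wc -l | tr -d ' '
}

# apply_rules BRIDGE... -> executes the rules (root required).
# Set DRY_RUN=1 to only print them, e.g. to review before applying.
apply_rules() {
    isolation_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$rule"
        else
            sh -c "$rule"
        fi
    done
}

# Usage for the two bridges from the question (dry run):
# DRY_RUN=1 apply_rules br-staging br-testing
```

Because both directions are dropped, no stateful tracking is needed for the isolation itself; the rules are not persistent across reboots unless saved with your distribution's iptables-persistence mechanism.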