[lxc-users] LXC container isolation with iptables?

Fajar A. Nugraha list at fajar.net
Wed Feb 28 04:04:26 UTC 2018


On Wed, Feb 28, 2018 at 12:21 AM, bkw - lxc-user
<bkw+1519751212 at 70mpg.org> wrote:
> I have an LXC host.  On that host, there are several unprivileged
> containers.  All containers and the host are on the same subnet, shared via
> bridge interface br0.
>
> If container A (IP address 192.168.1.4) is listening on port 80, can I put
> an iptables rule in place on the LXC host machine, that would prevent
> container B (IP address 192.168.1.5) from having access to container A on
> port 80?
>
> I've tried this set of rules on the LXC host, but they don't work:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A FORWARD -j DROP -s 192.168.1.5 -d 192.168.1.4
>
> Container B still has access to container A's port 80.


That's how generic bridges work.

Some possible ways to achieve what you want:
- don't use bridge. Use routed method. IIRC this is possible in lxc,
but not easy in lxd.
- create separate bridges for each container, e.g. with /30 subnet
- use 'external' bridge managed by openvswitch, with additional
configuration (on openvswitch side) to enforce the rule. IIRC there
were examples on this list to do that (try searching the archives)

-- 
Fajar
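The second option above (one bridge per container, each on its own /30) worked through as an added example; this is not code from the thread or from the LXC project. The reason the original FORWARD rule never matched is that frames between two ports of the same bridge are switched, not routed, so the host's IP forwarding path (and with it the FORWARD chain) never sees them. Putting each container on its own bridge forces A-to-B traffic through the host as a router, where an ordinary FORWARD rule can drop it. The script only prints commands and config lines, and all names and addresses in it are assumptions chosen for the example: the private range 10.99.0.0/24 carved into /30 blocks, bridges named lxcbrN, the host on the first usable address of each /30 and the container on the second.

```shell
#!/bin/sh
# Added illustration of "a separate bridge with a /30 per container" (not from the
# lxc-users thread). Prints commands and config; review them, then pipe to sh as
# root on the LXC host to apply.
#
# Assumptions (constructed for this example): 10.99.0.0/24 is split into /30s,
# bridge N is lxcbrN, host = first usable address, container = second.

BASE_NET="10.99.0"

# p2p_addrs N -> prints "<host ip> <container ip>" for /30 block number N
p2p_addrs() {
    base=$(( $1 * 4 ))
    printf '%s.%s %s.%s\n' "$BASE_NET" $(( base + 1 )) "$BASE_NET" $(( base + 2 ))
}

# bridge_cmds N -> commands that create lxcbrN and give the host its /30 address
bridge_cmds() {
    set -- "$1" $(p2p_addrs "$1")      # $1 = N, $2 = host ip, $3 = container ip
    printf 'ip link add lxcbr%s type bridge\n' "$1"
    printf 'ip addr add %s/30 dev lxcbr%s\n' "$2" "$1"
    printf 'ip link set lxcbr%s up\n' "$1"
}

# lxc_net_config N -> lxc.net.* lines (LXC 2.1+ key names) for the container on
# lxcbrN; the host's /30 address is the container's default gateway
lxc_net_config() {
    set -- "$1" $(p2p_addrs "$1")
    printf 'lxc.net.0.type = veth\n'
    printf 'lxc.net.0.link = lxcbr%s\n' "$1"
    printf 'lxc.net.0.flags = up\n'
    printf 'lxc.net.0.ipv4.address = %s/30\n' "$3"
    printf 'lxc.net.0.ipv4.gateway = %s\n' "$2"
}

# fw_cmds SRC_N DST_N PORT -> host rules. With each container on its own bridge
# the host routes between them, so FORWARD now sees the traffic and can drop
# SRC -> DST on PORT while still allowing the rest of that pair's traffic.
fw_cmds() {
    set -- "$1" "$2" "$3" $(p2p_addrs "$1") $(p2p_addrs "$2")
    # $5 = source container ip, $7 = destination container ip
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -j DROP\n' "$5" "$7" "$3"
    printf 'iptables -A FORWARD -s %s -d %s -j ACCEPT\n' "$5" "$7"
}

# Usage: sh this_script.sh plan
# Prints the full plan for container A (slot 0) and container B (slot 1), with
# B blocked from reaching A on port 80 as in the original question.
if [ "${1:-}" = "plan" ]; then
    bridge_cmds 0; bridge_cmds 1
    printf '# lines for container A config:\n'; lxc_net_config 0
    printf '# lines for container B config:\n'; lxc_net_config 1
    fw_cmds 1 0 80
fi
```

The FORWARD policy stays DROP as in the original rule set; the explicit ACCEPT for the pair is what lets their other traffic through, so anything not listed is still denied, and the port 80 rule sits before it so it wins. Traffic that never leaves a single bridge is still unaffected by these rules, which is the point of giving each container its own bridge.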

