[lxc-users] network isolation / per-container network

Andrey Repin anrdaemon at yandex.ru
Wed Jun 6 18:01:07 UTC 2018


Greetings, Lukas Pirl!

> tl;dr: How to block traffic between containers? A bridge & subnet each?

The relevant TL;DR answer requires a bit more than your "TL;DR".

> I have a host which masquerades all packages to/from containers, since
> I am restricted to one external IP address.

Where do you do masquerading? On the same host? On an external router?

> Currently, the containers share a subnet and can hence communicate with
> each other.

That's not necessarily true.
Neither is it necessarily bad.
Please think twice before enforcing such policies in your system.

> They have a veth each and share a bridge on the host side.

> However, I want to fully control the traffic from/to/between the
> containers from the host (i.e., iptables/netfilter).

> Would having a subnet and a bridge on the host side per container be
> the most "elegant" way to gain full control over the traffic between
> containers? It feels a bit cumbersome/overkill.

Any solution to your request would be cumbersome:
ipip tunnels, Ethernet-level filtering, separate interfaces.

> (Please CC me directly, since I am not subscribed to lxc-users)

You can read archives, if you are so inclined to abstain from the
conversation.
Please reply to your own mails at least to maintain threading consistency.


-- 
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:55:41

Sorry for my terrible English...
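One way to get the "Ethernet-level filtering" the reply mentions without moving to a bridge and subnet per container is to keep the shared bridge and drop frames that the bridge would forward from one container port to another, while container-to-host and container-to-uplink traffic is left to the usual IP-layer rules. The script below is an added example, not code from the thread or from the LXC project; it generates an nftables ruleset in the bridge family. The bridge name (lxcbr0), the uplink name (eth0) and the veth names are constructed for the example and are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate an nftables
# bridge-family ruleset that drops frames forwarded between the container
# ports of one host bridge. Frames destined for the host itself pass the
# bridge "input" hook, not "forward", and frames leaving via the uplink have
# an oifname outside the set, so neither is touched by the drop rule.

# gen_bridge_isolation BRIDGE UPLINK VETH...
#   Emits the ruleset text on stdout; nothing is applied.
gen_bridge_isolation() {
    bridge=$1
    uplink=$2
    shift 2
    # Build the set literal { "veth-a", "veth-b", ... } from the remaining args
    set_members=""
    for ifc in "$@"; do
        set_members="${set_members:+$set_members, }\"$ifc\""
    done
    cat <<EOF
table bridge ${bridge}_isolation {
    set container_ports {
        type ifname
        elements = { $set_members }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Frame entering on a container port and leaving on another one: drop.
        iifname @container_ports oifname @container_ports counter drop
        # Container <-> $uplink and container <-> host are not matched here;
        # filter those with the host's IP-layer (inet/ip) rules as usual.
    }
}
EOF
}

# count_drop_rules BRIDGE UPLINK VETH...
#   Small self-check: number of drop rules the generated ruleset contains.
count_drop_rules() {
    gen_bridge_isolation "$@" | grep -c ' drop$'
}

# apply_bridge_isolation BRIDGE UPLINK VETH...
#   Loads the ruleset with nft (needs root and the nft binary); not run by
#   default so the script stays usable for review on a host without nft.
apply_bridge_isolation() {
    gen_bridge_isolation "$@" | nft -f -
}

# Usage (names are constructed for this example):
#   sh isolate.sh                 -> print the ruleset for review
#   sh isolate.sh apply           -> load it with nft
if [ "$1" = "apply" ]; then
    apply_bridge_isolation lxcbr0 eth0 veth-a veth-b
elif [ "$1" = "" ]; then
    gen_bridge_isolation lxcbr0 eth0 veth-a veth-b
fi
```

Because the rule lives in the bridge family it needs no br_netfilter module and no per-container subnet; the legacy equivalent is an iptables FORWARD rule using `-m physdev --physdev-in`/`--physdev-out` with `net.bridge.bridge-nf-call-iptables=1`. Note that a single deliberately open path (for example two containers that must talk to each other) is then a matter of adding an `accept` rule above the drop for that pair of ports rather than restructuring the network.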
