[lxc-users] network isolation / per-container network
Andrey Repin
anrdaemon at yandex.ru
Wed Jun 6 18:01:07 UTC 2018
Greetings, Lukas Pirl!
> tl;dr: How to block traffic between containers? A bridge & subnet each?
The relevant TL;DR answer requires a bit more than your "TL;DR".
> I have a host which masquerades all packets to/from containers, since
> I am restricted to one external IP address.
Where do you do masquerading? On the same host? On an external router?
> Currently, the containers share a subnet and can hence communicate with
> each other.
That's not necessarily true.
Nor is it necessarily bad.
Please think twice before enforcing such policies in your system.
> They have a veth each and share a bridge on the host side.
> However, I want to fully control the traffic from/to/between the
> containers from the host (i.e., iptables/netfilter).
> Would having a subnet and a bridge on the host side per container be
> the most "elegant" way to gain full control over the traffic between
> containers? It feels a bit cumbersome/overkill.
Any solution to your request would be cumbersome.
IPIP tunnels, Ethernet-level filtering, separate interfaces.
> (Please CC me directly, since I am not subscribed to lxc-users)
You can read the archives, if you are so inclined to abstain from the
conversation.
Please reply to your own mails at least to maintain threading consistency.
--
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:55:41
Sorry for my terrible English...
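Added example, not from either poster: one concrete form of the "Ethernet-level filtering" option named in the reply, for the setup the original question describes (containers with one veth each, all on one host-side bridge, host masquerading to a single uplink). The bridge name br0, the veth names and the table name lxc_isolation are assumptions for illustration; the function only generates an nftables ruleset, it does not apply it. It assumes a kernel with nf_tables bridge support and an nft new enough to accept ifname sets.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that blocks
# frames switched between container ports on a shared bridge, while leaving
# container <-> host/uplink traffic untouched. Interface names are assumptions.
#
# Usage: gen_isolation_ruleset <bridge> <container-veth> [<container-veth> ...]
# Apply on the host with:  gen_isolation_ruleset br0 vethA vethB | nft -f -

gen_isolation_ruleset() {
    bridge="$1"; shift
    # Build the set element list: "vethA", "vethB", ...
    elems=""
    for ifc in "$@"; do
        elems="${elems}${elems:+, }\"$ifc\""
    done
    cat <<EOF
table bridge lxc_isolation {
    set containers {
        type ifname
        elements = { $elems }
    }
    chain forward {
        # The bridge-family forward hook only sees frames switched between
        # bridge ports. Frames addressed to the host itself (and so the
        # routed, masqueraded path to the uplink) are not affected.
        type filter hook forward priority 0; policy accept;
        # Drop anything going from one container port to another. This is
        # layer 2, so ARP is covered too: containers cannot resolve each other.
        iifname @containers oifname @containers drop
    }
}
table inet lxc_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Hairpin guard: a container that routes another container's address
        # via the host as gateway would be forwarded back out the same bridge.
        # Close that path as well, since the host does forward for masquerading.
        iifname "$bridge" oifname "$bridge" drop
    }
}
EOF
}

# When run directly with arguments, print the ruleset for inspection.
if [ "$#" -ge 2 ]; then
    gen_isolation_ruleset "$@"
fi
```

After loading, `nft list table bridge lxc_isolation` should show the set and the drop rule, and a ping between two containers should fail while each still reaches the uplink. If the per-container-bridge layout from the question is used instead, the bridge-family table is unnecessary: only the inet forward rules between the bridge names are needed, and the host's ordinary FORWARD chain carries the full policy. On hosts without nf_tables bridge support the same layer-2 effect is obtainable with ebtables FORWARD rules between the container interfaces.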