[lxc-users] LXC container isolation with iptables?

Jan Kowalsky jankow at datenkollektiv.net
Thu Mar 1 20:18:35 UTC 2018
On 28.02.2018 at 05:04, Fajar A. Nugraha wrote:
> On Wed, Feb 28, 2018 at 12:21 AM, bkw - lxc-user
> <bkw+1519751212 at 70mpg.org> wrote:
>> I have an LXC host.  On that host, there are several unprivileged
>> containers.  All containers and the host are on the same subnet, shared via
>> bridge interface br0.
>>
>> If container A (IP address 192.168.1.4) is listening on port 80, can I put
>> an iptables rule in place on the LXC host machine, that would prevent
>> container B (IP address 192.168.1.5) from having access to container A on
>> port 80?
>>
>> I've tried this set of rules on the LXC host, but they don't work:
>>
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>> iptables -A FORWARD -j DROP -s 192.168.1.5 -d 192.168.1.4
>>
>> Container B still has access to container A's port 80.
> 
> 
> That's how generic bridges work.
> 
> Some possible ways to achieve what you want:
> - don't use bridge. Use routed method. IIRC this is possible in lxc,
> but not easy in lxd.
> - create separate bridges for each container, e.g with /30 subnet
> - use 'external' bridge managed by openvswitch, with additional
> configuration (on openvswitch side) to enforce the rule. IIRC there
> were examples on this list to do that (try searching the archives)

You could also use the --physdev-in / --physdev-out extension of
iptables to address the containers' devices directly. Of course
you have to fix the names of the network devices with
lxc.network.veth.pair. The problem could be that, according to the
lxc.container.conf manpage, this does not seem to be possible for unprivileged
containers. For this reason the routed method could probably also have its difficulties.

Regards
Jan
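The physdev approach from the reply above, worked through as an added example (this is not code from the thread or from the LXC project). It assumes the host-side veth names have been pinned to "vethA" and "vethB" via the lxc.network.veth.pair key the reply mentions, and that the containers share bridge br0 as in the original question. It also adds a check the thread does not spell out: frames switched by a Linux bridge only reach the iptables FORWARD chain when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1, which is why the original -s/-d FORWARD rule matched nothing. The sysfs and procfs roots are parameters so the checks can be exercised without a real bridge.

```shell
#!/bin/sh
# Added example: isolate container B from container A's TCP/80 on a shared
# LXC bridge using the iptables physdev match. Names below are assumptions.

BRIDGE=${BRIDGE:-br0}
VETH_A=${VETH_A:-vethA}   # assumed pinned host-side veth of container A
VETH_B=${VETH_B:-vethB}   # assumed pinned host-side veth of container B

# Config line that pins the host-side veth name of one container; without it
# LXC picks a random vethXXXXXX name on every start and physdev rules go stale.
veth_pair_line() {
    printf 'lxc.network.veth.pair = %s\n' "$1"
}

# Bridged frames never enter the IP FORWARD chain unless br_netfilter is
# loaded and bridge-nf-call-iptables is 1. Optional $1 overrides /proc/sys
# so the check can be tested against a constructed tree.
bridge_nf_enabled() {
    procroot=${1:-/proc/sys}
    [ "$(cat "$procroot/net/bridge/bridge-nf-call-iptables" 2>/dev/null)" = 1 ]
}

# physdev only matches interfaces that are ports of the bridge; the kernel
# lists them under /sys/class/net/<bridge>/brif/. Optional $3 overrides /sys.
veth_on_bridge() {
    bridge=$1; veth=$2; sysroot=${3:-/sys}
    [ -e "$sysroot/class/net/$bridge/brif/$veth" ]
}

# Emit the rule that drops traffic entering the bridge from $1 and leaving
# towards $2 on TCP port $3. Inserted at the top so it wins over any ACCEPT
# already present in FORWARD. Printed rather than executed so it can be
# reviewed first.
isolation_rules() {
    in_dev=$1; out_dev=$2; port=$3
    printf 'iptables -I FORWARD -m physdev --physdev-in %s --physdev-out %s -p tcp --dport %s -j DROP\n' \
        "$in_dev" "$out_dev" "$port"
}

main() {
    if ! bridge_nf_enabled; then
        echo "# br_netfilter inactive; needed: modprobe br_netfilter && sysctl -w net.bridge.bridge-nf-call-iptables=1" >&2
    fi
    for dev in "$VETH_A" "$VETH_B"; do
        veth_on_bridge "$BRIDGE" "$dev" || echo "# warning: $dev is not a port of $BRIDGE" >&2
    done
    echo "# per-container config lines:"
    veth_pair_line "$VETH_A"
    veth_pair_line "$VETH_B"
    if [ "$1" = "--apply" ]; then
        isolation_rules "$VETH_B" "$VETH_A" 80 | sh   # needs root
    else
        echo "# dry run, re-run with --apply as root to install:"
        isolation_rules "$VETH_B" "$VETH_A" 80
    fi
}

main "$@"
```

Run without arguments it only prints the config lines and the rule it would install, together with warnings if br_netfilter is off or a veth is not actually attached to the bridge; `--apply` pipes the rule into sh. Because the match is on the host-side interface rather than on the containers' IP addresses, container B cannot bypass it by changing its address, which is the property the original -s/-d rule lacked even where it did match.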

