[lxc-users] LXC container isolation with iptables?

Steven Spencer sspencerwire at gmail.com
Sat Mar 3 23:26:53 UTC 2018


Honestly, unless I'm spinning up a container on my local desktop, I always
use the routed method. Because our organization always thinks of a
container as a separate machine, it makes the build pretty similar whether
the machine is on the LAN or WAN side of the network. It does, of course,
require that each container run its own firewall, but that's what we would
do with any machine on our network.

On Thu, Mar 1, 2018 at 2:18 PM, Jan Kowalsky <jankow at datenkollektiv.net>
wrote:

>
>
> On 28.02.2018 at 05:04, Fajar A. Nugraha wrote:
> > On Wed, Feb 28, 2018 at 12:21 AM, bkw - lxc-user
> > <bkw+1519751212 at 70mpg.org> wrote:
> >> I have an LXC host.  On that host, there are several unprivileged
> >> containers.  All containers and the host are on the same subnet, shared
> >> via bridge interface br0.
> >>
> >> If container A (IP address 192.168.1.4) is listening on port 80, can I
> >> put an iptables rule in place on the LXC host machine, that would prevent
> >> container B (IP address 192.168.1.5) from having access to container A
> >> on port 80?
> >>
> >> I've tried this set of rules on the LXC host, but they don't work:
> >>
> >> iptables -P INPUT DROP
> >> iptables -P FORWARD DROP
> >> iptables -P OUTPUT ACCEPT
> >> iptables -A FORWARD -j DROP -s 192.168.1.5 -d 192.168.1.4
> >>
> >> Container B still has access to container A's port 80.
> >
> >
> > That's how generic bridges work.
> >
> > Some possible ways to achieve what you want:
> > - don't use bridge. Use routed method. IIRC this is possible in lxc,
> > but not easy in lxd.
> > - create separate bridges for each container, e.g with /30 subnet
> > - use 'external' bridge managed by openvswitch, with additional
> > configuration (on openvswitch side) to enforce the rule. IIRC there
> > were examples on this list to do that (try searching the archives)
>
> you could also use the --physdev-in / --physdev-out extension of
> iptables to address the devices of the containers directly. Of course
> you have to fix the device name of the network devices with
> lxc.network.veth.pair. Problem could be that according to manpage
> lxc.container.conf this seems not to be possible for unprivileged containers.
> For this reason probably also the routed method could have its
> difficulties.
>
> Regards
> Jan
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
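The physdev approach Jan mentions, together with the br_netfilter prerequisite that explains why the original FORWARD rule never matched, as an added example that is not part of this thread. It assumes the bridge is br0 and that the containers' host-side veth names have been pinned to vethA and vethB with lxc.network.veth.pair (names chosen here for illustration).

```shell
#!/bin/sh
# Added example (not from the thread): block container B (192.168.1.5)
# from reaching container A (192.168.1.4) on TCP/80 across bridge br0.
# Assumed: host-side veths pinned via lxc.network.veth.pair to vethA/vethB.

BRIDGE=br0
VETH_A=vethA          # assumed name of container A's host-side veth
VETH_B=vethB          # assumed name of container B's host-side veth
IP_A=192.168.1.4
IP_B=192.168.1.5

# Bridged frames only traverse the iptables FORWARD chain when the
# br_netfilter module is loaded and bridge-nf-call-iptables is enabled.
# Without that, a FORWARD rule on the host never sees bridge traffic,
# which is why the rule in the original question had no effect.
isolation_rules() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Match on the ingress bridge port, not just the source IP, so a container
# that spoofs its address is still blocked.
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $VETH_B -d $IP_A -p tcp --dport 80 -j DROP
# IP-only fallback for cases where veth names cannot be pinned
# (e.g. unprivileged containers, as noted in the thread); weaker, since
# the source address is under the container's control.
iptables -A FORWARD -s $IP_B -d $IP_A -p tcp --dport 80 -j DROP
EOF
}

# Number of iptables rules the generator emits (ignores comments/sysctl).
rule_count() {
    isolation_rules | grep -c '^iptables'
}

# Only touch the running firewall when explicitly asked to and running as root.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    isolation_rules | grep -v '^#' | sh -e
fi
```

Run with `apply` as root to install the rules; without it the script only prints them, so the rule set can be reviewed first.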