[lxc-users] LXC container isolation with iptables?

Marat Khalili mkh at rqc.ru
Sun Mar 4 10:27:14 UTC 2018


On 04/03/18 02:26, Steven Spencer wrote:
> Honestly, unless I'm spinning up a container on my local desktop, I 
> always use the routed method. Because our organization always thinks 
> of a container as a separate machine, it makes the build pretty 
> similar whether the machine is on the LAN or WAN side of the network. 
> It does, of course, require that each container run its own firewall, 
> but that's what we would do with any machine on our network.
>
Can you please elaborate on your setup? It always seemed like 
administrative hassle to me. Outside routers need to know how to find 
your container. I can see three ways, each has its drawbacks:

1. Broadcast container MACs outside, but L3-route packets inside the 
server instead of L2-bridging. Seems clean but I don't know how to do it 
in [bare] Linux.

2. Create a completely virtual LAN (not in 802.1q sense) with separate IP 
address space inside the server and teach outside routers to route 
corresponding addresses via your server. OKish as long as you have 
access to the outside router configuration, but some things like 
broadcasts won't work. Also, I'm not sure it solves the OP's inter-container 
isolation problem.

3. Create a separate routing table rule for each container/group of them. 
Hard to administer and dangerous IMO.

--

With Best Regards,
Marat Khalili
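Option 1 above (container MACs visible on the LAN, L3 routing inside the host) can be done in bare Linux with proxy ARP plus per-container /32 routes; the script below is an added example, not code from this thread or from the LXC project, and it also puts the iptables FORWARD rules in place so containers reach the uplink but never each other. Interface names (eth0, veth-c1), the address 192.0.2.10 and the DRY_RUN knob are assumptions; the container side (its /32 address and default route via the host, set in the LXC config) is not covered here.

```shell
#!/bin/sh
# Added example: routed (proxy-ARP) attachment of LXC containers on the
# host's LAN with inter-container isolation enforced in the FORWARD chain.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # host uplink on the LAN (assumed name)

# run CMD...: execute, or echo the command line when DRY_RUN=1 so the
# whole plan can be reviewed before it touches a live host.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host-wide settings: forward packets, and answer ARP on the uplink for any
# address this host has a route to, so the upstream router delivers the
# containers' traffic to the host's MAC without a bridge.
routed_host_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    # Default deny for forwarded traffic; replies to established flows pass.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# routed_container_add NAME IP VETH: a /32 route points at the host-side
# veth, proxy_arp on that veth lets the container resolve its gateway, and
# FORWARD rules permit only uplink<->container, never container<->container.
routed_container_add() {
    name="$1"; ip="$2"; veth="$3"
    run ip route add "$ip/32" dev "$veth"
    run sysctl -w "net.ipv4.conf.$veth.proxy_arp=1"
    run iptables -A FORWARD -i "$WAN_IF" -o "$veth" -d "$ip" -j ACCEPT
    run iptables -A FORWARD -i "$veth" -o "$WAN_IF" -s "$ip" -j ACCEPT
    # Traffic from this container toward anything but the uplink (i.e. another
    # container's veth) is logged and dropped explicitly, not left to policy.
    run iptables -A FORWARD -i "$veth" ! -o "$WAN_IF" -j LOG --log-prefix "lxc-isolation $name: "
    run iptables -A FORWARD -i "$veth" ! -o "$WAN_IF" -j DROP
}

# Usage (as root):  routed_host_setup; routed_container_add c1 192.0.2.10 veth-c1
```

A spoofing container could still forge another container's source address, so the `-s "$ip"` match on the egress rule is what ties each veth to its one address; keep it.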
