[lxc-users] LXC container isolation with iptables?
Marat Khalili
mkh at rqc.ru
Sun Mar 4 10:27:14 UTC 2018
On 04/03/18 02:26, Steven Spencer wrote:
> Honestly, unless I'm spinning up a container on my local desktop, I
> always use the routed method. Because our organization always thinks
> of a container as a separate machine, it makes the build pretty
> similar whether the machine is on the LAN or WAN side of the network.
> It does, of course, require that each container run its own firewall,
> but that's what we would do with any machine on our network.
>
Can you please elaborate on your setup?It always seemed like
administrative hassle to me. Outside routers need to known how to find
your container. I can see three ways, each has it's drawbacks:
1. Broadcast container MACs outside, but L3-route packets inside the
server instead of L2-bridging. Seems clean but I don't know how to do it
in [bare] Linux.
2. Create completely virtual LAN (not in 802.1q sense) with separate IP
address space inside the server and teach outside routers to route
corresponding addresses via your server. OKish as long as you have
access to the outside router configuration, but some things like
broadcasts won't work. Also, I'm not sure it solves OP inter-container
isolation problem.
3. Create separate routing table rule for each container/group of them.
Hard to administer and dangerous IMO.
--
With Best Regards,
Marat Khalili
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20180304/7dcee011/attachment.html>
More information about the lxc-users
mailing list