[lxc-users] network isolation / per-container network

Lukas Pirl mail at lukas-pirl.de
Thu May 31 09:21:51 UTC 2018


tl;dr: How to block traffic between containers? A bridge & subnet each?

Dear all.

I have a host which masquerades all packages to/from containers, since
I am restricted to one external IP address.

Currently, the containers share a subnet and can hence communicate with
each other. They have a veth each and share a bridge on the host side.

However, I want to fully control the traffic from/to/between the
containers from the host (i.e., iptables/netfilter).

Would having a subnet and a bridge on the host side per container be
the most "elegant" way to gain full control over the traffic between
containers? It feels a bit cumbersome/overkill.

Thanks in advance,

Lukas

(Please CC me directly, since I am not subscribed to lxc-users)
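One way to get the host-side control asked for above without a bridge per container, written here as an added example (it is not part of the original post and not LXC's own configuration): a small script that emits iptables-restore rules which drop container-to-container traffic on a shared bridge while keeping the masqueraded path to the outside. The bridge name `lxcbr0`, the subnet `10.0.3.0/24` and the external interface `eth0` are assumed placeholders; adjust them through the environment variables.

```shell
#!/bin/sh
# Added example, not from the original post. Blocks traffic between
# containers that share one bridge, while still masquerading their
# traffic to the outside. Names below are assumptions for illustration.

BRIDGE="${BRIDGE:-lxcbr0}"        # assumed shared host bridge
SUBNET="${SUBNET:-10.0.3.0/24}"   # assumed container subnet
WAN_IF="${WAN_IF:-eth0}"          # assumed external interface

# Rules in iptables-restore format. On a single bridge, container <-> container
# traffic is switched at layer 2 and only reaches the FORWARD chain when the
# br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables=1.
# Once it does, "-i $BRIDGE -o $BRIDGE" matches exactly that bridged traffic.
generate_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# container <-> container: same bridge on both sides, drop it
-A FORWARD -i $BRIDGE -o $BRIDGE -j DROP
# containers -> outside, and the replies coming back
-A FORWARD -i $BRIDGE -o $WAN_IF -s $SUBNET -j ACCEPT
-A FORWARD -i $WAN_IF -o $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $SUBNET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Kernel settings the FORWARD rules above depend on.
required_sysctls() {
    printf '%s\n' \
        "net.bridge.bridge-nf-call-iptables=1" \
        "net.ipv4.ip_forward=1"
}

# Applies the rules. Needs root, the br_netfilter module and iptables-restore;
# only runs when the script is invoked with the "apply" argument.
apply_rules() {
    modprobe br_netfilter 2>/dev/null || true
    required_sysctls | while read -r kv; do sysctl -w "$kv"; done
    generate_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    generate_rules
fi
```

Run without arguments to print the ruleset for review, or with `apply` as root to load it. The trade-off against the per-container bridge and subnet approach from the question: with one bridge the FORWARD chain only sees inter-container traffic once br_netfilter is active (and ARP between containers still passes unless handled with ebtables or the nftables bridge family), whereas with a bridge and subnet per container every inter-container packet is routed at layer 3 on the host and always traverses FORWARD, at the cost of more interfaces and subnets to manage.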
