[lxc-users] how to forbid cross-network traffic?

Tomasz Chmielewski mangoo at wpkg.org
Mon Feb 10 17:41:13 UTC 2020


I have these two networks:

# lxc network show br-staging
config:
   ipv4.address: 10.100.0.1/24
   ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
   ipv4.firewall: "true"
   ipv4.nat: "true"
description: staging network
name: br-staging
type: bridge

# lxc network show br-testing
config:
   ipv4.address: 10.200.0.1/24
   ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
   ipv4.firewall: "true"
   ipv4.nat: "true"
description: testing network
name: br-testing
type: bridge


Containers in these two networks have IP addresses assigned from DHCP and 
can connect out to the world - this is what I want.

Unfortunately, containers from one network (staging) can also connect to 
containers from the other network (testing) - which is not what I want.

Is there any mechanism in LXD to prevent it? Or do I have to add my own, 
custom iptables rules?


Tomasz Chmielewski
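The "custom iptables rules" route the post mentions, written out as an added example (not from the original post or from the LXD project): drop forwarded traffic between the two bridges above while leaving each network's NAT'd Internet access untouched. It assumes LXD manages the firewall with iptables (xtables) and appends its own `-A FORWARD -i <bridge> -j ACCEPT` rules when `ipv4.firewall` is true, so the isolation rules are inserted at position 1 to take precedence; the `xnet-drop:` log prefix and the 5/min rate limit are constructed values.

```shell
#!/bin/sh
# Isolate two LXD bridges (e.g. br-staging 10.100.0.0/24 and br-testing
# 10.200.0.0/24) at the FORWARD chain. Assumption: LXD's own ACCEPT rules
# sit later in FORWARD, so ours must be inserted at the top with -I.

# Print the iptables rule arguments (without executing them) for $1 <-> $2.
# Rules are emitted in reverse order of precedence because each is inserted
# at position 1: the LOG rules end up above the DROP rules.
isolation_rules() {
    a="$1"; b="$2"
    cat <<EOF
-I FORWARD 1 -i $a -o $b -j DROP
-I FORWARD 1 -i $b -o $a -j DROP
-I FORWARD 1 -i $a -o $b -m limit --limit 5/min -j LOG --log-prefix xnet-drop:
-I FORWARD 1 -i $b -o $a -m limit --limit 5/min -j LOG --log-prefix xnet-drop:
EOF
}

# Apply the rules idempotently: "iptables -C" tests whether a rule already
# exists, so re-running the script (or a cron job) does not duplicate rules.
# IPTABLES can be overridden, e.g. IPTABLES="sudo iptables".
apply_isolation() {
    ipt="${IPTABLES:-iptables}"
    isolation_rules "$1" "$2" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-I FORWARD 1 /-C FORWARD /')
        # shellcheck disable=SC2086  # word splitting is intended here
        if ! $ipt $check 2>/dev/null; then
            $ipt $rule
        fi
    done
}

# Usage (as root):  ./isolate-bridges.sh br-staging br-testing
# Only applies when two bridge names are given, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    apply_isolation "$1" "$2"
fi
```

The rules are not persistent: re-run the script from a boot hook (or after `lxc network` changes), and check the result with `iptables -S FORWARD`, where the `xnet-drop:` LOG and DROP lines must appear before LXD's ACCEPT rules for either bridge.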

