[lxc-users] how to forbid cross-network traffic?
Mike Wright
nobody at nospam.hostisimo.com
Mon Feb 10 18:52:29 UTC 2020
On 2/10/20 9:41 AM, Tomasz Chmielewski wrote:
> I have these two networks:
>
> # lxc network show br-staging
> config:
>   ipv4.address: 10.100.0.1/24
>   ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge
>
> # lxc network show br-testing
> config:
>   ipv4.address: 10.200.0.1/24
>   ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge
>
>
> Containers in these two networks have IP address assigned from DHCP and
> can connect out to the world - this is what I want.
>
> Unfortunately, containers from one network (staging) can also connect to
> containers from the other network (testing) - which is not what I want.
>
> Is there any mechanism in LXD to prevent it? Or do I have to add my own,
> custom iptables rules?
Hi Tomasz,
Staging and testing are on separate /24 subnets that normally shouldn't
talk to each other. Is it possible that they're talking to each other
via the nat side?
Have you looked into macvlan? It has some interesting restrictions on
traffic that you might be able to take advantage of. I haven't played
with that nic type yet so I can't be of specific help.
https://lxd.readthedocs.io/en/latest/instances/#nictype-macvlan shows
the config settings but search within that page and there are
descriptions of its properties.
Mike Wright
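Added example, not from either poster: since both bridges sit on the same host, the host routes between 10.100.0.0/24 and 10.200.0.0/24 through its FORWARD chain, and LXD's own per-bridge ACCEPT rules are what let that traffic through. The script below emits DROP rules for both directions, inserted ahead of LXD's rules, and checks the ordering of an `iptables -S FORWARD` listing; it assumes an iptables-based firewall (the bridge names and subnets are those from the question, the sample listing is constructed).

```sh
#!/bin/sh
# Added example (not from the thread): isolate two LXD bridges at the host's
# FORWARD chain and check that the DROP rules sit above LXD's ACCEPT rules.
# Assumes an iptables-based firewall; bridge names are those in the question.
set -eu

STAGING_BR=br-staging   # 10.100.0.0/24
TESTING_BR=br-testing   # 10.200.0.0/24

# Print (do not apply) the rules. Both directions are needed, and "-I FORWARD 1"
# puts them before LXD's "-i br-x -j ACCEPT" / "-o br-x -j ACCEPT" rules,
# which would otherwise let the host route between the two subnets.
isolation_rules() {
    printf 'iptables -I FORWARD 1 -i %s -o %s -j DROP\n' "$STAGING_BR" "$TESTING_BR"
    printf 'iptables -I FORWARD 1 -i %s -o %s -j DROP\n' "$TESTING_BR" "$STAGING_BR"
}

# Read "iptables -S FORWARD" output on stdin; succeed only if both DROP rules
# exist and precede the first ACCEPT rule that mentions either bridge.
check_order() {
    awk -v a="$STAGING_BR" -v b="$TESTING_BR" '
        /-j DROP/   && ($0 ~ ("-i " a " -o " b)) { d1 = NR }
        /-j DROP/   && ($0 ~ ("-i " b " -o " a)) { d2 = NR }
        /-j ACCEPT/ && ($0 ~ a || $0 ~ b) && !first { first = NR }
        END { ok = d1 && d2 && (!first || (d1 < first && d2 < first)); exit !ok }'
}

# Constructed sample of "iptables -S FORWARD" after applying the rules above.
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -i br-testing -o br-staging -j DROP
-A FORWARD -i br-staging -o br-testing -j DROP
-A FORWARD -o br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -i br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -o br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT
-A FORWARD -i br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT'

isolation_rules
if printf '%s\n' "$SAMPLE" | check_order; then
    echo "FORWARD ordering OK: cross-bridge traffic is dropped before LXD accepts it"
else
    echo "FORWARD ordering WRONG: LXD ACCEPT rules precede the DROP rules"
fi
```

To apply on the host, pipe `isolation_rules` into a root shell and then run `iptables -S FORWARD | check_order`; hand-added rules do not survive a reboot, so persist them with the distribution's usual mechanism.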