[lxc-users] how to forbid cross-network traffic?

Mike Wright nobody at nospam.hostisimo.com
Mon Feb 10 18:52:29 UTC 2020


On 2/10/20 9:41 AM, Tomasz Chmielewski wrote:
> I have these two networks:
> 
> # lxc network show br-staging
> config:
>    ipv4.address: 10.100.0.1/24
>    ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>    ipv4.firewall: "true"
>    ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge
> 
> # lxc network show br-testing
> config:
>    ipv4.address: 10.200.0.1/24
>    ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>    ipv4.firewall: "true"
>    ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge
> 
> 
> Containers in these two networks have IP address assigned from DHCP and 
> can connect out to the world - this is what I want.
> 
> Unfortunately, containers from one network (staging) can also connect to 
> containers from the other network (testing) - which is not what I want.
> 
> Is there any mechanism in LXD to prevent it? Or do I have to add my own, 
> custom iptables rules?

Hi Tomasz,

Staging and testing are on separate /24 subnets that normally shouldn't 
talk to each other.  Is it possible that they're talking to each other 
via the nat side?

Have you looked into macvlan?  It has some interesting restrictions on 
traffic that you might be able to take advantage of.  I haven't played 
with that nic type yet so I can't be of specific help.

https://lxd.readthedocs.io/en/latest/instances/#nictype-macvlan shows 
the config settings but search within that page and there are 
descriptions of its properties.

Mike Wright
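Added example, not from the original thread and not LXD's own code: the host-side iptables rules that stop routed traffic between the two bridges. A packet from a container on br-staging to one on br-testing is routed by the host kernel, so it passes through the filter table's FORWARD chain, where matching on the in/out interface is independent of the MASQUERADE that ipv4.nat applies later in POSTROUTING. The bridge names are the ones from the thread; the comment tag `lxd-isolate-...` and the `APPLY` switch are this example's own conventions.

```shell
#!/bin/sh
# Added example (not code from the thread or from LXD). Blocks forwarding
# between two LXD-managed bridges on the host.
#
# Assumptions: bridges br-staging and br-testing exist with ipv4.firewall=true.
# LXD's own rules for a bridge are plain ACCEPTs inserted at the head of the
# FORWARD chain ("-i <bridge> -j ACCEPT" / "-o <bridge> -j ACCEPT"), so a
# REJECT appended with -A would sit below them and never match. The rules here
# are therefore inserted at position 1; check the order with
# "iptables -S FORWARD" after LXD restarts, since it re-inserts its rules then.
set -u

# Emit (but do not run) the commands that isolate bridge $1 from bridge $2 in
# both directions. REJECT rather than DROP so cross-network connection attempts
# fail immediately instead of hanging until they time out.
isolation_rules() {
    a="$1"
    b="$2"
    tag="lxd-isolate-${a}-${b}"   # example's own tag, used to find the rules again
    echo "iptables -I FORWARD 1 -i $a -o $b -m comment --comment $tag -j REJECT"
    echo "iptables -I FORWARD 1 -i $b -o $a -m comment --comment $tag -j REJECT"
}

# Apply the rules idempotently: "iptables -C" succeeds if an identical rule is
# already present, in which case nothing is inserted.
apply_isolation() {
    a="$1"
    b="$2"
    tag="lxd-isolate-${a}-${b}"
    for pair in "$a $b" "$b $a"; do
        set -- $pair   # $1 = in-interface, $2 = out-interface
        iptables -C FORWARD -i "$1" -o "$2" -m comment --comment "$tag" -j REJECT 2>/dev/null \
            || iptables -I FORWARD 1 -i "$1" -o "$2" -m comment --comment "$tag" -j REJECT
    done
}

# Remove the rules again (e.g. before re-running after an LXD restart).
remove_isolation() {
    a="$1"
    b="$2"
    tag="lxd-isolate-${a}-${b}"
    for pair in "$a $b" "$b $a"; do
        set -- $pair
        while iptables -D FORWARD -i "$1" -o "$2" -m comment --comment "$tag" -j REJECT 2>/dev/null; do
            :
        done
    done
}

# Default: print the commands. APPLY=1 runs them (needs root on the LXD host).
if [ "${APPLY:-0}" = 1 ]; then
    apply_isolation br-staging br-testing
else
    isolation_rules br-staging br-testing
fi
```

Verify from a container on br-staging that a peer on br-testing is now unreachable (for example `curl --connect-timeout 3 http://10.200.0.50/` should fail with "connection refused", not hang) while outbound traffic still works. The rules are not persistent across reboots; persist them with iptables-persistent or a systemd unit that runs after the LXD daemon. Alternatively, set `ipv4.firewall: "false"` on both networks and manage the whole FORWARD/NAT ruleset yourself, which avoids the ordering dependency on LXD's inserted ACCEPT rules.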