[lxc-users] how to forbid cross-network traffic?

Andrey Repin anrdaemon at yandex.ru
Mon Feb 10 20:32:52 UTC 2020


Greetings, Tomasz Chmielewski!

> I have these two networks:

> # lxc network show br-staging
> config:
>    ipv4.address: 10.100.0.1/24
>    ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>    ipv4.firewall: "true"
>    ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge

> # lxc network show br-testing
> config:
>    ipv4.address: 10.200.0.1/24
>    ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>    ipv4.firewall: "true"
>    ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge


> Containers in these two networks have IP address assigned from DHCP and 
> can connect out to the world - this is what I want.

> Unfortunately, containers from one network (staging) can also connect to 
> containers from the other network (testing) - which is not what I want.

So, fix it? iptables to your rescue. (E.g.: this is not an LXD problem.)

> Is there any mechanism in LXD to prevent it? Or do I have to add my own, 
> custom iptables rules?

You have enabled packet forwarding on the host, but not specified any
restrictions. Indeed, everything is forwarded where possible.


-- 
With best regards,
Andrey Repin
Monday, February 10, 2020 23:31:02

Sorry for my terrible English...
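
The host-side fix the reply points at, as an added example that is not part of the original post: two iptables FORWARD rules that drop traffic between the two bridges while leaving the per-bridge NAT to the outside untouched, plus a check that the rules actually sit before the ACCEPT rules LXD appends when `ipv4.firewall` is `"true"`. Only the bridge names `br-staging` and `br-testing` come from the thread; the helper names, the `APPLY` switch and the sample `iptables -S FORWARD` output below are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: host-side iptables FORWARD
# rules that drop traffic between two LXD bridges, and a check that the
# rules are evaluated before LXD's own ACCEPT rules. Bridge names are from
# the thread; all other names and the sample output are constructed here.

# Print the iptables commands for the block. Output only, nothing applied.
# -I (insert) puts them at the top of FORWARD so they are matched before
# the "-i <bridge> -j ACCEPT" / "-o <bridge> -j ACCEPT" rules LXD adds.
# Internet access is unaffected: traffic to the uplink never matches
# "-o <other bridge>".
cross_network_rules() {
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$1" "$2"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$2" "$1"
}

# Read `iptables -S FORWARD` output on stdin for bridges $1 and $2.
# Exit 0 only if both DROP rules are present and precede every ACCEPT
# rule that names either bridge; exit 1 otherwise.
verify_order() {
    awk -v b1="$1" -v b2="$2" '
        /-j DROP/ && ($0 ~ ("-i " b1 " -o " b2 " ") || $0 ~ ("-i " b2 " -o " b1 " ")) {
            drops++; next
        }
        /-j ACCEPT/ && (index($0, b1) || index($0, b2)) && drops < 2 { bad = 1 }
        END { if (drops == 2 && !bad) exit 0; exit 1 }'
}

# Constructed sample: what the host shows after the rules above were
# inserted; LXD's per-bridge ACCEPT rules follow them.
SAMPLE_GOOD='-P FORWARD ACCEPT
-A FORWARD -i br-testing -o br-staging -j DROP
-A FORWARD -i br-staging -o br-testing -j DROP
-A FORWARD -o br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -i br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -o br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT
-A FORWARD -i br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT'

# Constructed sample: the same DROP rules appended with -A instead, so the
# ACCEPT rules match first and the block is ineffective.
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -o br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -i br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -o br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT
-A FORWARD -i br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT
-A FORWARD -i br-staging -o br-testing -j DROP
-A FORWARD -i br-testing -o br-staging -j DROP'

# Show the commands; apply them only when run as root with APPLY=1.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    cross_network_rules br-staging br-testing | sh -e
    # On a real host, check the live table the same way:
    iptables -S FORWARD | verify_order br-staging br-testing \
        && echo "block effective" || echo "DROP rules missing or shadowed"
else
    cross_network_rules br-staging br-testing
fi

# Run the check against the two constructed samples.
if printf '%s\n' "$SAMPLE_GOOD" | verify_order br-staging br-testing; then
    echo "sample good: DROP rules precede LXD ACCEPT rules"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | verify_order br-staging br-testing; then
    echo "sample bad: DROP rules shadowed by ACCEPT rules"
fi
```

Two points worth keeping in mind: rule order is what makes this work, and LXD recreates its own rules whenever it starts or the network is changed, so re-run the `verify_order` check after an LXD restart; and iptables rules are not persistent across reboots on their own, so they need whatever persistence mechanism the host already uses.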


