[lxc-users] how to forbid cross-network traffic?
Andrey Repin
anrdaemon at yandex.ru
Mon Feb 10 20:32:52 UTC 2020
Greetings, Tomasz Chmielewski!
> I have these two networks:
> # lxc network show br-staging
> config:
>   ipv4.address: 10.100.0.1/24
>   ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge
> # lxc network show br-testing
> config:
>   ipv4.address: 10.200.0.1/24
>   ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge
> Containers in these two networks have IP address assigned from DHCP and
> can connect out to the world - this is what I want.
> Unfortunately, containers from one network (staging) can also connect to
> containers from the other network (testing) - which is not what I want.
So, fix it? iptables to your rescue. (E.g.: this is not an LXD problem.)
> Is there any mechanism in LXD to prevent it? Or do I have to add my own,
> custom iptables rules?
You have enabled packet forwarding on the host, but not specified any
restrictions. Indeed, everything is forwarded where possible.
--
With best regards,
Andrey Repin
Monday, February 10, 2020 23:31:02
Sorry for my terrible English...
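The host-side restriction the reply points at, as an added example that is not part of the thread and not LXD's own tooling: a small POSIX shell script that emits (and optionally applies) iptables FORWARD rules dropping traffic between the two bridges. The bridge names br-staging and br-testing are taken from the question; the RUN variable, the function names and the "added by admin" comment string are assumptions of this example. The rules are inserted at the top of FORWARD because LXD adds its own ACCEPT rules for each managed bridge, and a DROP appended after them would never match.

```shell
#!/bin/sh
# Added example (not from the thread): forbid routed traffic between two LXD
# bridges on the same host. Cross-bridge packets are forwarded by the host
# kernel, so they pass the FORWARD chain; that is where we drop them.

# Emit one iptables command that drops packets entering on bridge $1 and
# leaving on bridge $2. "-I FORWARD 1" puts it ahead of LXD's ACCEPT rules.
isolate_rule() {
  printf 'iptables -I FORWARD 1 -i %s -o %s -j DROP -m comment --comment "added by admin: isolate %s from %s"\n' \
    "$1" "$2" "$1" "$2"
}

# Emit the rules for both directions between bridge $1 and bridge $2.
forbid_cross_traffic() {
  isolate_rule "$1" "$2"
  isolate_rule "$2" "$1"
}

# Count how many rules forbid_cross_traffic would produce for $1 and $2
# (used to sanity-check the generator without touching the firewall).
rule_count() {
  forbid_cross_traffic "$1" "$2" | wc -l | tr -d ' '
}

# Default: only print the commands for review. RUN=1 executes them (needs root).
# Afterwards, check ordering with: iptables -L FORWARD -v -n --line-numbers
if [ "${RUN:-0}" = "1" ]; then
  forbid_cross_traffic br-staging br-testing | sh
else
  forbid_cross_traffic br-staging br-testing
fi
```

Because these rules are not persisted by LXD, they must be reloaded on boot (iptables-persistent, a systemd unit, or the distribution's firewall service); a quick cross-bridge connectivity test from a container in each network confirms they are in effect.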