[lxc-users] how to forbid cross-network traffic?

Tomasz Chmielewski mangoo at wpkg.org
Tue Feb 11 01:59:27 UTC 2020


On 2020-02-11 05:32, Andrey Repin wrote:

>> Containers in these two networks have IP addresses assigned from DHCP and
>> can connect out to the world - this is what I want.
> 
>> Unfortunately, containers from one network (staging) can also connect to
>> containers from the other network (testing) - which is not what I want.
> 
> So, fix it? iptables to your rescue. (E.g.: this is not an LXD problem.)

IMO it's LXD configuration nuance. And a problem. See below.


>> Is there any mechanism in LXD to prevent it? Or do I have to add my own
>> custom iptables rules?
> 
> You have enabled packet forwarding on the host, but not specified any
> restrictions. Indeed, everything is forwarded where possible.

That's why I'm asking if there is any mechanism in LXD to prevent such 
traffic.

LXD adds a lot of its own iptables rules.
I can add my own, of course, but in my opinion, it's not a very clear 
solution:

- if one uses iptables-persistent, these rules will kind of conflict 
with the ones set by LXD and in case of reload, will even clear iptables 
rules set by LXD; there are issues with rule saving and so on

- I can set my own rules via other mechanisms, i.e. in /etc/rc.local on 
server startup - but then again, there is no reload/change mechanism


Tomasz Chmielewski
https://lxadm.com
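As an added example (not part of the thread, and not LXD's own tooling), here is a small POSIX sh script that drops forwarded traffic between the two LXD bridges in the FORWARD chain while leaving each network's path to the outside world untouched. It assumes the two LXD networks are called staging and testing (LXD names the bridge interface after the network, so those are also the interface names), and that it runs as root; the check-before-insert pattern makes it safe to re-run on every boot or reload without duplicating rules or touching the rules LXD manages.

```shell
#!/bin/sh
# Added example: isolate two LXD bridge networks from each other.
# Assumed (not from the thread): bridge interfaces "staging" and "testing".
STAGING="${STAGING:-staging}"
TESTING="${TESTING:-testing}"
# Command used to manage rules; override with a wrapper for dry runs.
IPT="${IPT:-iptables}"

# Insert a DROP rule in each direction at position 1 of FORWARD, so it is
# evaluated before the per-bridge ACCEPT rules LXD installs. Each rule is
# checked with -C first, so running this again (rc.local, a systemd unit,
# a cron job after an LXD restart) never adds a duplicate.
apply_isolation() {
    for pair in "$STAGING $TESTING" "$TESTING $STAGING"; do
        # shellcheck disable=SC2086  # intentional split into $1 (in) $2 (out)
        set -- $pair
        if ! $IPT -C FORWARD -i "$1" -o "$2" -j DROP 2>/dev/null; then
            $IPT -I FORWARD 1 -i "$1" -o "$2" -j DROP || return 1
        fi
    done
}

# Remove the rules again (e.g. when one network is decommissioned).
remove_isolation() {
    for pair in "$STAGING $TESTING" "$TESTING $STAGING"; do
        # shellcheck disable=SC2086
        set -- $pair
        while $IPT -C FORWARD -i "$1" -o "$2" -j DROP 2>/dev/null; do
            $IPT -D FORWARD -i "$1" -o "$2" -j DROP || return 1
        done
    done
}

case "${1:-}" in
    apply)  apply_isolation ;;
    remove) remove_isolation ;;
esac
```

Verify with `iptables -S FORWARD` that the two DROP rules sit at the top, above LXD's ACCEPT rules for the bridges.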

