[lxc-users] how to forbid cross-network traffic?
Tomasz Chmielewski
mangoo at wpkg.org
Tue Feb 11 01:59:27 UTC 2020
On 2020-02-11 05:32, Andrey Repin wrote:
>> Containers in these two networks have IP addresses assigned from DHCP and can connect out to the world - this is what I want.
>
>> Unfortunately, containers from one network (staging) can also connect to containers from the other network (testing) - which is not what I want.
>
> So, fix it? iptables to your rescue. (E.g.: this is not an LXD
> problem.)
IMO it's an LXD configuration nuance. And a problem. See below.
>> Is there any mechanism in LXD to prevent it? Or do I have to add my own, custom iptables rules?
>
> You have enabled packet forwarding on the host, but not specified any
> restrictions. Indeed, everything is forwarded where possible.
That's why I'm asking if there is any mechanism in LXD to prevent such
traffic.
LXD adds a lot of its own iptables rules.
I can add my own, of course, but in my opinion, it's not a very clear
solution:
- if one uses iptables-persistent, these rules will kind of conflict with the ones set by LXD and, in case of a reload, will even clear the iptables rules set by LXD; there are issues with rule saving and so on
- I can set my own rules via other mechanisms, i.e. in /etc/rc.local on server startup - but then again, there is no reload/change mechanism
Tomasz Chmielewski
https://lxadm.com
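The forwarding restriction the thread is asking for, as an added example that is not code from the thread or from LXD itself. It assumes two separate LXD bridges, here given the hypothetical names lxdbr-staging and lxdbr-testing, and relies on the fact that LXD places its own ACCEPT rules in the FORWARD chain, so the cross-bridge DROPs have to be evaluated before them. The rules live in a dedicated chain (LXD-ISOLATE, a name chosen here) and every command is guarded by an iptables -C existence check, so the script can be re-run after a reload without duplicating rules or touching what LXD installed:

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD.
# Goal: stop containers on one LXD bridge from reaching containers on the
# other bridge, while leaving their route to the outside world untouched.
# Assumptions (hypothetical names): the two LXD networks are the bridges
# lxdbr-staging and lxdbr-testing; LXD's own ACCEPT rules sit in FORWARD,
# so our chain must be jumped to from position 1 of FORWARD.

STAGING_BR="${STAGING_BR:-lxdbr-staging}"
TESTING_BR="${TESTING_BR:-lxdbr-testing}"
CHAIN="LXD-ISOLATE"   # our own chain, so LXD's rules and ours never mix

# Print the commands that isolate bridge $1 from bridge $2 in both
# directions, for the iptables binary given as $3 (iptables/ip6tables).
# Each command is idempotent: -L/-C check for the chain or rule first,
# so re-running after a rule reload does not add duplicates.
# Anything not dropped falls off the end of the chain and continues into
# LXD's own FORWARD rules, so egress via the host still works.
isolation_rules() {
    br_a="$1"; br_b="$2"; ipt="${3:-iptables}"
    cat <<EOF
$ipt -w -L $CHAIN -n >/dev/null 2>&1 || $ipt -w -N $CHAIN
$ipt -w -C $CHAIN -i $br_a -o $br_b -j DROP 2>/dev/null || $ipt -w -A $CHAIN -i $br_a -o $br_b -j DROP
$ipt -w -C $CHAIN -i $br_b -o $br_a -j DROP 2>/dev/null || $ipt -w -A $CHAIN -i $br_b -o $br_a -j DROP
$ipt -w -C FORWARD -j $CHAIN 2>/dev/null || $ipt -w -I FORWARD 1 -j $CHAIN
EOF
}

# Apply the rules for IPv4 and IPv6 (LXD bridges usually carry both).
# Needs root; each generated line is executed by a -e shell so a failing
# iptables invocation aborts the run instead of leaving a half-applied set.
apply_isolation() {
    for ipt in iptables ip6tables; do
        isolation_rules "$STAGING_BR" "$TESTING_BR" "$ipt" | sh -e
    done
}

# Usage: ./lxd-isolate.sh apply   (as root), or run without arguments to
# only print the generated commands for review.
if [ "${1:-}" = "apply" ]; then
    apply_isolation
else
    isolation_rules "$STAGING_BR" "$TESTING_BR" iptables
    isolation_rules "$STAGING_BR" "$TESTING_BR" ip6tables
fi
```

Because the checks make the script idempotent, it can be re-run from whatever mechanism restores rules on the host (a boot-time unit ordered after LXD, or after an iptables-persistent reload) without caring whether LXD's rules were re-created in the meantime; only the jump at the head of FORWARD and the two DROPs inside LXD-ISOLATE are ever added. Note that the interface match only works when the two networks are distinct bridges; two subnets on one bridge would need address-based rules instead.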