List: lxc-users
Subject: Re: [lxc-users] how to forbid cross-network traffic?
From: Tomasz Chmielewski <mangoo () wpkg ! org>
Date: 2020-02-11 1:59:27
Message-ID: 25d42e92d1ff608717719c387b05048e () wpkg ! org
On 2020-02-11 05:32, Andrey Repin wrote:
>> Containers in these two networks have IP address assigned from DHCP and
>> can connect out to the world - this is what I want.
>
>> Unfortunately, containers from one network (staging) can also connect to
>> containers from the other network (testing) - which is not what I want.
>
>
> So, fix it? iptables to your rescue. (E.g.: this is not an LXD problem.)
IMO it's LXD configuration nuance. And a problem. See below.
>> Is there any mechanism in LXD to prevent it? Or do I have to add my own,
>> custom iptables rules?
>
> You have enabled packet forwarding on the host, but not specified any
> restrictions. Indeed, everything is forwarded where possible.
That's why I'm asking if there is any mechanism in LXD to prevent such
traffic.
LXD adds a lot of its own iptables rules.
I can add my own, of course, but in my opinion, it's not a very clear
solution:
- if one uses iptables-persistent, these rules will kind of conflict
with the ones set by LXD and in case of reload, will even clear iptables
rules set by LXD; there are issues with rule saving and so on
- I can set my own rules via other mechanisms, i.e. in /etc/rc.local on
server startup - but then again, there is no reload/change mechanism
Tomasz Chmielewski
https://lxadm.com
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
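One way to add the cross-bridge block the thread discusses without fighting LXD's own rules, as an added example that is not from the thread or from LXD: keep the DROP rules in a dedicated chain and insert a single idempotent jump at the top of FORWARD so it is evaluated before the ACCEPT rules LXD generates for its bridges. The bridge names lxdbr-staging and lxdbr-testing are assumed placeholders; set APPLY=1 (as root) to run the rules instead of printing them.

```shell
#!/bin/sh
# Added example (not part of the thread): isolate two LXD bridges from each other.
# Assumed bridge names; override via the environment to match your LXD networks.
STAGING_BR="${STAGING_BR:-lxdbr-staging}"
TESTING_BR="${TESTING_BR:-lxdbr-testing}"
CHAIN="LXD-ISOLATE"

# Emit the iptables commands. Each one is safe to re-run after a reload:
# the chain is created or flushed, and the FORWARD jump is only inserted if missing.
isolation_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -i $STAGING_BR -o $TESTING_BR -j DROP
iptables -A $CHAIN -i $TESTING_BR -o $STAGING_BR -j DROP
iptables -A $CHAIN -j RETURN
iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN
EOF
}

# Run the rules on the host (requires root and the iptables binary).
apply_isolation() {
    isolation_rules | sh -e
}

# Show what would be applied, so the rules can be reviewed and re-run at any time.
check_isolation() {
    iptables -S FORWARD | grep -q -- "-j $CHAIN"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_isolation
else
    isolation_rules
fi
```

Because the jump sits at position 1 of FORWARD, the DROPs take effect even after LXD re-adds its per-bridge ACCEPT rules; check_isolation verifies the jump is still present after a reload.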