Complete network isolation

celadon · March 21, 2020, 12:27pm

Hello there,

I was wondering how I could create a completely isolated network with LXD. By completely isolated I mean :

no containers should be able to see and interact with the LXD Host.
containers should still be able to communicate with each other.

My main goal is to keep gui apps into a “network quarantine” incase one of them would get infected by a malware or something. I also understand the difference between virtualization and containerization in terms of security. It just looks like a good middle-of-the-road choice between performances and security.

Here’s an overview of what I wanna setup :

                  +----------+
                  |          |
                  | local network, internet,
                  | and everything
                  |          |
                  +----+-----+
                       |
            +----------+---------+
            |                    |
            |       NETWORK      |
            |       lxdbr0       |
            |      nat, dhcp and dns enabled
            +---------+----------+
                      |
                      |
                      |
                +-----+------+
                |            |
                |  CONTAINER |
                |  tor-proxy |
                |  just a socks proxy running tor as a client.
                +-----+------+
                      |
                      |
                      |
           +----------+----------+
           |                     |
           |     NETWORK         |
           |     lxdbr-ISOLATED  |
           |     nat, dhcp and dns disabled.
           |     no access to the main lxd HOST
           +----------+----------+
                      |
      +--------------------------------------------+
      |               |                            |
+-----+------+      +-+----------+          +------+------+
|            |      |            |          |             |
|  CONTAINER |      |  CONTAINER |          |  CONTAINER  |
|  firefox-ISOLATED |  konversation-ISOLATED|  kmail-ISOLATED
|            |      |            |          |             |
|            |      |            |          |             |
+------------+      +------------+          +-------------+

It means setting up a network in such way :

assigning it to a new profile and make sure the default network has been removed from it
disabling ipv4/ipv6 nat and dhcp. also setting the dns.mode to none
some sort of ipv4/ipv6 firewall configuration. I dont know how it works cause the ipv4.firewall key seems poorly documented. All I know is that there is some kind of automatic firewall rules creation process.

So my final question is : is there anything I missed while planning my config ? any terrible mistake that could compromise my host ?

And also what is this ipv4.firewall config key?

celadon · March 22, 2020, 11:14am

Okay thanks to @malina from freenode for providing me insights about macvlan and this full network isolation between the host and the containers.

I wrote a small procedure. Dont know if it is comprehensive enough and if it covers all cases.

create a new interface.
lxc network create lxdbr-ISOLATED ipv4.nat=false ipv6.nat=false ipv4.dhcp=false ipv6.dhcp= false dns.mode=none
create a new profile
lxc profile copy default ISOLATION
remove the default network interface
lxc profile device remove ISOLATION eth0
set it as a macvlan so that you get better perf and get a complete isolation from your host
lxc profile device set ISOLATION lxdbr-ISOLATED nictype macvlan

The new macvlan LXD containers (that got a LAN IP address) can only see their own traffic and also any LAN broadcast packets. They cannot see the traffic meant for the host, nor the traffic for the other containers.

assign this network to your gateway container
lxc network attach lxdbr-ISOLATED tor-proxy network-lxdbr-ISOLATED lxdbr-ISOLATED
assign this network to your ISOLATION profile
lxc network attach-profile lxdbr-ISOLATED ISOLATION
assign this profile to your new isolated containers
lxc profile assign firefox-ISOLATED ISOLATION

Still kinda wish I knew what’s this ipv4.firewall was about.

tomp · March 23, 2020, 11:11am

The ipv4.firewall network setting indicates to LXD whether it should create firewall rules to allow container’s access to LXD started services on the host (DHCP and DNS) and whether the ipv4.routing setting is respected.

simos · March 23, 2020, 11:19am

I would expect to use complete network isolation for a container that has no network interfaces (apart from loopback). You can do that in LXD by just omitting to configure a network device in the profile.