Complete network isolation

Hello there,

I was wondering how I could create a completely isolated network with LXD. By completely isolated I mean:

  • no containers should be able to see and interact with the LXD Host.
  • containers should still be able to communicate with each other.

My main goal is to keep GUI apps in a “network quarantine” in case one of them gets infected by malware or something. I also understand the difference between virtualization and containerization in terms of security. It just looks like a good middle-of-the-road choice between performance and security.

Here’s an overview of what I want to set up:

                         |          |
                         | local network, internet,
                         | and everything
                         |          |
                 +-------+----------+-------------------+
                 |                                      |
                 |  NETWORK                             |
                 |  lxdbr0                              |
                 |  nat, dhcp and dns enabled           |
                 |                                      |
                 +-------+----------+-------------------+
                         |          |
                 +-------+----------+-------------------+
                 |  CONTAINER                           |
                 |  tor-proxy                           |
                 |  just a socks proxy running tor as a |
                 |  client.                             |
                 +-------+----------+-------------------+
                         |          |
     +-------------------+----------+--------------------------------+
     |                                                               |
     |  NETWORK                                                      |
     |  lxdbr-ISOLATED                                               |
     |  nat, dhcp and dns disabled.                                  |
     |  no access to the main lxd HOST                               |
     |                                                               |
     +---------+-------------------------+-------------------------+-+
               |                         |                         |
   +-----------+----------+  +-----------+----------+  +-----------+----------+
   |                      |  |                      |  |                      |
   |      CONTAINER       |  |      CONTAINER       |  |      CONTAINER       |
   |   firefox-ISOLATED   |  | konversation-ISOLATED|  |    kmail-ISOLATED    |
   |                      |  |                      |  |                      |
   +----------------------+  +----------------------+  +----------------------+

It means setting up a network in the following way:

  • assigning it to a new profile and making sure the default network has been removed from it
  • disabling IPv4/IPv6 NAT and DHCP, and also setting dns.mode to none
  • some sort of IPv4/IPv6 firewall configuration. I don’t know how it works because the ipv4.firewall key seems poorly documented. All I know is that there is some kind of automatic firewall rule creation process.

So my final question is: is there anything I missed while planning my config? Any terrible mistake that could compromise my host?

And also, what is this ipv4.firewall config key?

Okay, thanks to @malina from freenode for providing me with insights about macvlan and this full network isolation between the host and the containers.

I wrote a small procedure. Don’t know if it is comprehensive enough and if it covers all cases.

  1. create a new interface.
    lxc network create lxdbr-ISOLATED ipv4.nat=false ipv6.nat=false ipv4.dhcp=false ipv6.dhcp=false dns.mode=none

  2. create a new profile
    lxc profile copy default ISOLATION

  3. remove the default network interface
    lxc profile device remove ISOLATION eth0

  4. set it as a macvlan so that you get better performance and complete isolation from your host
    lxc profile device set ISOLATION lxdbr-ISOLATED nictype macvlan

The new macvlan LXD containers (that got a LAN IP address) can only see their own traffic and also any LAN broadcast packets. They cannot see the traffic meant for the host, nor the traffic for the other containers.

  5. assign this network to your gateway container
    lxc network attach lxdbr-ISOLATED tor-proxy network-lxdbr-ISOLATED lxdbr-ISOLATED

  6. assign this network to your ISOLATION profile
    lxc network attach-profile lxdbr-ISOLATED ISOLATION

  7. assign this profile to your new isolated containers
    lxc profile assign firefox-ISOLATED ISOLATION

Still kinda wish I knew what this ipv4.firewall is about.
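A way to double-check step 1 of the procedure after the fact, as an added helper that is not part of the thread or of LXD itself: it reads the YAML that `lxc network show <name>` prints and confirms that every NAT, DHCP and DNS key the isolated network depends on is set as intended. The sample YAML inside the block is constructed (addresses made up); on a real host you would pipe `lxc network show lxdbr-ISOLATED` into `audit_isolated_network` instead.

```shell
#!/bin/sh
# Added audit helper, not from the thread: given the YAML printed by
# `lxc network show <name>`, check every key the isolated network relies on.
# A missing key is a violation too, since LXD's nat/dhcp defaults are permissive.

# Print the value of one key under the "config:" section of the YAML on
# stdin, stripping the quotes LXD puts around "true"/"false".
network_config_value() {
  awk -v key="$1" '
    /^config:/ { in_cfg = 1; next }
    /^[^ ]/    { in_cfg = 0 }
    in_cfg && $1 == (key ":") { v = $2; gsub(/"/, "", v); print v; exit }
  '
}

# Read `lxc network show` output on stdin, print each mismatch against the
# intended isolation settings, and return 0 only when all of them hold.
audit_isolated_network() {
  _yaml=$(cat)
  _rc=0
  for _want in ipv4.nat=false ipv6.nat=false ipv4.dhcp=false ipv6.dhcp=false dns.mode=none; do
    _key=${_want%%=*}
    _exp=${_want#*=}
    _got=$(printf '%s\n' "$_yaml" | network_config_value "$_key")
    if [ "$_got" != "$_exp" ]; then
      echo "VIOLATION: $_key is '${_got:-unset}', expected '$_exp'"
      _rc=1
    fi
  done
  return "$_rc"
}

# Constructed sample shaped like `lxc network show lxdbr-ISOLATED` output
# after the create command in the procedure (the address is made up).
SAMPLE_ISOLATED='config:
  dns.mode: none
  ipv4.address: 10.42.0.1/24
  ipv4.dhcp: "false"
  ipv4.nat: "false"
  ipv6.dhcp: "false"
  ipv6.nat: "false"
description: ""
name: lxdbr-ISOLATED
type: bridge'

if printf '%s\n' "$SAMPLE_ISOLATED" | audit_isolated_network; then
  echo "lxdbr-ISOLATED: all isolation settings present"
fi
```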

The ipv4.firewall network setting indicates to LXD whether it should create firewall rules to allow containers’ access to LXD-started services on the host (DHCP and DNS) and whether the ipv4.routing setting is respected.


I would expect to use complete network isolation for a container that has no network interfaces (apart from loopback). You can do that in LXD by simply not configuring a network device in the profile.