How to stop traffic from being forwarded between lxd managed interfaces

Hi,
how can I stop traffic from being forwarded between LXD managed interfaces? I could not find any relevant options for this in the docs.

Hi, please can you elaborate a bit on what your setup is and what you are trying to change?

Thanks

I have two bridges managed by LXD (lxdbr0 and lxdbr1) and would like these to be isolated from each other, while still being able to reach the internet through the NATed IP. I have only one interface.
Right now there is nothing preventing a container on one bridge from reaching a container on the other.

I see. You can add firewall rules to your system to block traffic between those interfaces.

Alternatively you should be able to use the ACL feature to add the firewall rules from the LXD system itself, see:

I had a quick go at this:

Two LXD managed bridge networks; lxdbr0 and lxdbr1:

lxc network show lxdbr0
config:
  ipv4.address: 10.64.199.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:bafd:ac21:9f::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge

lxc network show lxdbr1
config:
  ipv4.address: 10.174.226.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:97ce:87b9:1a79::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr1
type: bridge

Create two ACLs, lxdbr0-deny and lxdbr1-deny, as follows:

lxc network acl create lxdbr0-deny
lxc network acl rule add lxdbr0-deny ingress \
    source=10.64.199.0/24 \
    action=reject
lxc network acl rule add lxdbr0-deny egress \
    destination=10.64.199.0/24 \
    action=reject
lxc network acl create lxdbr1-deny
lxc network acl rule add lxdbr1-deny ingress \
    source=10.174.226.0/24 \
    action=reject
lxc network acl rule add lxdbr1-deny egress \
    destination=10.174.226.0/24 \
    action=reject

Now apply those to the respective networks and set the default policy:

lxc network set lxdbr0 \
    security.acls.default.egress.action=allow \
    security.acls.default.ingress.action=allow \
    security.acls=lxdbr1-deny

lxc network set lxdbr1 \
    security.acls.default.egress.action=allow \
    security.acls.default.ingress.action=allow \
    security.acls=lxdbr0-deny

Now launch a container in each network:

lxc launch images:alpine/3.16 clxdbr0 -n lxdbr0
lxc launch images:alpine/3.16 clxdbr1 -n lxdbr1
lxc ls
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
|  NAME   |  STATE  |         IPV4         |                     IPV6                      |      TYPE       | SNAPSHOTS |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
| clxdbr0 | RUNNING | 10.64.199.27 (eth0)  | fd42:bafd:ac21:9f:216:3eff:feaa:dcb6 (eth0)   | CONTAINER       | 0         |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
| clxdbr1 | RUNNING | 10.174.226.14 (eth0) | fd42:97ce:87b9:1a79:216:3eff:fe56:3adc (eth0) | CONTAINER       | 0         |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+

Check that IPv4 traffic is blocked between instances (remember to do the same for IPv6 if using it), but external traffic is allowed:

lxc exec clxdbr0 -- ping -c1 -W1 10.174.226.14
PING 10.174.226.14 (10.174.226.14): 56 data bytes

--- 10.174.226.14 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

lxc exec clxdbr0 -- ping -c1 -W1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=120 time=18.415 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 18.415/18.415/18.415 ms
lxc exec clxdbr1 -- ping -c1 -W1 10.64.199.27
PING 10.64.199.27 (10.64.199.27): 56 data bytes

--- 10.64.199.27 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

lxc exec clxdbr1 -- ping -c1 -W1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=120 time=16.192 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 16.192/16.192/16.192 ms
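The recipe above is written out by hand for two bridges and IPv4 only. As an added example (not code from the thread or from LXD), the script below generalises it: it derives the subnet CIDRs from the `ipv4.address`/`ipv6.address` values `lxc network show` reports, builds one `<bridge>-deny` ACL per bridge covering both address families, and attaches every other bridge's deny ACL to each bridge with default allow, so NATed external traffic keeps working. The bridge names and addresses are the ones from the thread, re-typed here as a constructed sample rather than read from a live host.

```python
"""Generate the lxc commands that isolate a set of LXD managed bridges from
each other (IPv4 and IPv6) using network ACLs, as described in the thread."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: bridge name -> the address fields shown by `lxc network show`.
BRIDGES: Dict[str, Dict[str, Optional[str]]] = {
    "lxdbr0": {"ipv4.address": "10.64.199.1/24",
               "ipv6.address": "fd42:bafd:ac21:9f::1/64"},
    "lxdbr1": {"ipv4.address": "10.174.226.1/24",
               "ipv6.address": "fd42:97ce:87b9:1a79::1/64"},
}


def subnets(config: Dict[str, Optional[str]]) -> List[str]:
    """LXD stores the gateway address (10.64.199.1/24); ACL rules want the subnet
    (10.64.199.0/24). A missing or "none" value means that family is disabled."""
    out: List[str] = []
    for key in ("ipv4.address", "ipv6.address"):
        value = config.get(key)
        if value and value != "none":
            out.append(str(ipaddress.ip_interface(value).network))
    return out


def isolation_commands(bridges: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Per bridge: create '<name>-deny' rejecting ingress from and egress to that
    bridge's subnets. Then give each bridge every *other* bridge's deny ACL
    (the cross-wise layout used in the thread) with allow as the default action."""
    cmds: List[str] = []
    for name, config in bridges.items():
        acl = f"{name}-deny"
        cmds.append(f"lxc network acl create {acl}")
        for net in subnets(config):
            cmds.append(f"lxc network acl rule add {acl} ingress source={net} action=reject")
            cmds.append(f"lxc network acl rule add {acl} egress destination={net} action=reject")
    for name in bridges:
        # security.acls takes a comma-separated list, so N bridges scale without new ACLs.
        others = ",".join(f"{other}-deny" for other in bridges if other != name)
        cmds.append(
            f"lxc network set {name} "
            "security.acls.default.egress.action=allow "
            "security.acls.default.ingress.action=allow "
            f"security.acls={others}"
        )
    return cmds


if __name__ == "__main__":
    print("\n".join(isolation_commands(BRIDGES)))
```

Review the printed commands before running them; the ACL rules only apply to instance NICs on the bridges listed, and the `ping` checks from the thread remain the way to confirm the result.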

Thanks, this is exactly what I wanted. I completely missed this part about ACLs in the docs.
