Howto: Container network isolation

Let me explain my network…

I have a control node and I have 32 worker nodes which connect to the control node via openVPN.
The work nodes either have a CAT6 or WIFI physical interfaces on a private network ( with access to the internet via DHCP.

OpenVPN creates a tun0 interface and a subnet and control allocates via DHCP an ip address in that range. DNS is also resolved via the control node. The default route is via the control node.

When I create containers I want them to be able to have internet access via control but I do not want them to have visibility of each other or the host or any other worker node on the subnet.

The only think I’m struggling with is how to isolate the containers from each other…

Whats an effective way of allowing implementing isolation of the containers?

Thanks in advance…

So you run openvpn inside each container, so each container has its own tun0 interface?

Hi Thomas, I run a single instance of openvpn on the physical node…

You could add a firewall rule using ebtables with or nftables that blocks traffic between switch ports on the bridge and only allows traffic to/from the host’s bridge port.

Would you have an example of that?, Would that be br_filter by any chance?.

I’m more used to simple routing I just don’t seem to be able to get my head around the bridged routing :frowning:

Well the following command seems todo what I need.

ebtables -A FORWARD --logical-in lxdbr0 -j DROP

I’m just unsure of how long it will last in terms of it getting reset by LXD.?

LXD should not remove rules that it didn’t create.

1 Like