Howto: Container network isolation

Ozymandias · March 9, 2021, 10:44am

Let me explain my network…

I have a control node and I have 32 worker nodes which connect to the control node via openVPN.
The work nodes either have a CAT6 or WIFI physical interfaces on a private network (192.168.0.255) with access to the internet via DHCP.

OpenVPN creates a tun0 interface and a 10.8.0.255 subnet and control allocates via DHCP an ip address in that range. DNS is also resolved via the control node. The default route is via the control node.

When I create containers I want them to be able to have internet access via control but I do not want them to have visibility of each other or the host or any other worker node on the 10.8.0.222 subnet.

The only think I’m struggling with is how to isolate the containers from each other…

Whats an effective way of allowing implementing isolation of the containers?

Thanks in advance…

tomp · March 9, 2021, 1:08pm

So you run openvpn inside each container, so each container has its own tun0 interface?

Ozymandias · March 9, 2021, 2:57pm

Hi Thomas, I run a single instance of openvpn on the physical node…

tomp · March 10, 2021, 8:50am

You could add a firewall rule using ebtables with or nftables that blocks traffic between switch ports on the bridge and only allows traffic to/from the host’s bridge port.

Ozymandias · March 10, 2021, 9:25am

Would you have an example of that?, Would that be br_filter by any chance?.

I’m more used to simple routing I just don’t seem to be able to get my head around the bridged routing

Ozymandias · March 10, 2021, 4:51pm

Well the following command seems todo what I need.

ebtables -A FORWARD --logical-in lxdbr0 -j DROP

I’m just unsure of how long it will last in terms of it getting reset by LXD.?

tomp · March 10, 2021, 5:52pm

LXD should not remove rules that it didn’t create.