Isolating bridge subnet traffic

Swapping over the rules so that I placed two deny rules above the “allow all” rules seems to have blocked the traffic between the two containers on the different subnets! Strangely enough I can still ping the first IP from each subnet. Is this an intended feature?

Do you mean the IPs bound to the LXD host? If so then pinging those will fall under the INPUT chain rather than the FORWARD chain (as the packets are not being forwarded but are directed to arrive at the LXD host) and you must also update those rules as you need.
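A small Python model of the distinction made above, added here as an example (it is not code from this thread or from LXD): packets whose destination is an address bound to the host take the INPUT chain, everything else being forwarded takes FORWARD, and each chain is evaluated first-match, so deny rules only bite when they sit above a broad accept. The bridge subnets, host addresses and rule sets are constructed for illustration.

```python
"""Toy model of which netfilter chain a packet traverses and how rule order decides its fate.

Added example, not code from the forum thread or from LXD. Subnets, host addresses
and rule sets are constructed. Two behaviours from the reply are modelled:
  1. A packet destined to an address the host itself holds is delivered locally and
     traverses INPUT, not FORWARD, so FORWARD deny rules never see it.
  2. Chains are evaluated first-match, so a deny rule placed below an "allow all"
     rule is unreachable.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: two bridges, the host holding the first address of each.
BRIDGES = {
    "lxdbr0": ipaddress.ip_network("10.10.10.0/24"),
    "lxdbr1": ipaddress.ip_network("10.10.20.0/24"),
}
HOST_ADDRS = {ipaddress.ip_address("10.10.10.1"), ipaddress.ip_address("10.10.20.1")}
ANY = ipaddress.ip_network("0.0.0.0/0")
A, B = BRIDGES["lxdbr0"], BRIDGES["lxdbr1"]


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # "ACCEPT" or "DROP"


def evaluate(chain, src, dst, policy="ACCEPT"):
    """First-match evaluation of one chain; falls through to the chain policy."""
    for rule in chain:
        if src in rule.src and dst in rule.dst:
            return rule.target
    return policy


def classify(dst):
    """Routing decision: local delivery (INPUT) if dst is bound to the host, else FORWARD."""
    return "INPUT" if dst in HOST_ADDRS else "FORWARD"


def verdict(tables, src, dst):
    """Return (chain, verdict) for a packet src -> dst under the given chain rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chain = classify(dst)
    return chain, evaluate(tables[chain], src, dst)


def cross_subnet_denies():
    """Two deny rules blocking traffic between the bridge subnets in both directions."""
    return [Rule(A, B, "DROP"), Rule(B, A, "DROP")]


def allow_all():
    return [Rule(ANY, ANY, "ACCEPT")]


# Misordered: the allow-all rule shadows the denies in every chain.
MISORDERED = {"FORWARD": allow_all() + cross_subnet_denies(), "INPUT": allow_all()}
# FORWARD fixed (denies above allow) but INPUT left untouched.
FORWARD_FIXED = {"FORWARD": cross_subnet_denies() + allow_all(), "INPUT": allow_all()}
# Denies placed above the allows in both chains.
BOTH_FIXED = {
    "FORWARD": cross_subnet_denies() + allow_all(),
    "INPUT": cross_subnet_denies() + allow_all(),
}

if __name__ == "__main__":
    for name, tables in (("misordered", MISORDERED), ("forward fixed", FORWARD_FIXED), ("both fixed", BOTH_FIXED)):
        print(name)
        print("  container -> other subnet container:", verdict(tables, "10.10.10.5", "10.10.20.5"))
        print("  container -> other bridge host IP:  ", verdict(tables, "10.10.10.5", "10.10.20.1"))
        print("  container -> same subnet container: ", verdict(tables, "10.10.10.5", "10.10.10.6"))
```

Running the script shows the three states the thread describes: with the allow-all rule first nothing is blocked; with the FORWARD chain reordered, container-to-container traffic across subnets is dropped while pings to the host's bridge address still succeed because they are evaluated by INPUT; only once the denies are also placed at the top of INPUT does the host address stop answering. The model ignores conntrack, bridge netfilter and the OUTPUT chain, so it illustrates the chain selection and ordering logic rather than reproducing a full ruleset.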

In the future you may also be interested in this feature:

This is now available in LXD 4.14 using the bridged NIC type’s security.port_isolation=true setting.

LXD 4.14 uses the Ubuntu Core 20.04 base image so the ip tool is updated to support it now.