Limit container WAN access while preserving bridge traffic between containers

I want to run one or more containers that shouldn’t be able to send or receive traffic to the WAN/Internet, but retain their ethernet interfaces and possibly their communication with other containers on the host.

Limitations I can work with for these restricted containers (that might make things easier):

  • Fixed IP and MAC per container
  • No IPv6 stack in use

Bridge (global):

  • ipv4.firewall disabled, hard coded iptables rules

I’m not sure whether I would tackle this on the LXD/Bridge side, or whether tweaking iptables/routing rules is the way to go. I also thought about having two separate IP ranges for online/offline containers that I can target with rules, but maybe that would complicate things further.

Any thoughts on this welcome.

How about creating an additional LXD-managed bridge that is locally scoped, so any container on this bridge can talk to the rest of the bridge? Adding external connectivity per container would be as simple as attaching another interface profile that provides this.
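One way to set up what this answer describes, as an added example rather than anything posted in the thread or shipped by LXD: a second bridge with NAT and host routing switched off, an `offline` profile that puts a container on that bridge only, and an `online` profile that adds a second NIC on the default NAT bridge. The bridge name `lxdbr-isolated`, the subnet `10.99.0.1/24`, the profile names and the container names `c1`/`c2` are assumptions; `lxdbr0` is LXD's usual default bridge. The `run` wrapper prints the `lxc` commands instead of executing them when `DRY_RUN=1`, so the script can be reviewed on a machine without LXD.

```shell
#!/bin/sh
# Added example, not from the original thread: locally scoped LXD bridge plus
# per-container "offline"/"online" profiles. Names and addresses are assumed.
ISOLATED_NET="${ISOLATED_NET:-lxdbr-isolated}"   # assumed name of the isolated bridge
ISOLATED_CIDR="${ISOLATED_CIDR:-10.99.0.1/24}"   # assumed subnet; pick one that is free
ONLINE_NET="${ONLINE_NET:-lxdbr0}"               # LXD's default NAT bridge

# Wrapper around lxc: with DRY_RUN=1 print the command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'lxc %s\n' "$*"
    else
        lxc "$@"
    fi
}

# 1. Bridge with no NAT and no routing: containers on it reach each other at
#    layer 2, but the host does not forward their packets towards the WAN.
create_isolated_bridge() {
    run network create "$ISOLATED_NET" \
        ipv4.address="$ISOLATED_CIDR" \
        ipv4.nat=false \
        ipv4.routing=false \
        ipv6.address=none
}

# 2. Profile that gives a container only the isolated bridge.
create_offline_profile() {
    run profile create offline
    run profile device add offline eth0 nic network="$ISOLATED_NET" name=eth0
}

# 3. Profile that adds a second NIC on the NAT bridge; attach it per container
#    to grant WAN access while keeping the isolated link.
create_online_profile() {
    run profile create online
    run profile device add online eth1 nic network="$ONLINE_NET" name=eth1
}

# Attach a profile to a container: usage: assign <container> offline|online
assign() {
    run profile add "$1" "$2"
}

main() {
    create_isolated_bridge
    create_offline_profile
    create_online_profile
    assign c1 offline          # c1: bridge traffic only
    assign c2 offline          # c2: bridge traffic ...
    assign c2 online           #     ... plus WAN via eth1
}

# Run only when explicitly asked (APPLY=1) or when previewing (DRY_RUN=1).
if [ "${APPLY:-0}" = "1" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    main
fi
```

Preview with `DRY_RUN=1 sh setup.sh`, apply with `APPLY=1 sh setup.sh`. Two things to check afterwards: first, with `ipv4.firewall` disabled and hard-coded iptables rules (as in the question), confirm on the host that the isolated bridge's forwarding sysctl is off or add an explicit `FORWARD` rule dropping traffic from that bridge to the WAN interface, so the isolation does not depend on a single LXD setting; second, a dual-homed container receives a default gateway from both bridges' DHCP, so give `eth0` a static address without a default route (fixed IPs per container are already acceptable here) to make sure its default route goes out via `eth1`.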

That sounds good, I’ll give it a try tomorrow when I find the time and report back.