I want to run one or more containers that shouldn’t be able to send or receive traffic to the WAN/Internet, but retain their ethernet interfaces and possibly their communication with other containers on the host.
Limitations I can work with for these restricted containers (that might make things easier):
- Fixed IP and MAC per container
- No IPv6 stack in use
Bridge (global):
- ipv4.firewall disabled, hard-coded iptables rules
I’m not sure whether I would tackle this on the LXD/Bridge side, or whether tweaking iptables/routing rules is the way to go. I also thought about having two separate IP ranges for online/offline containers that I can target with rules, but maybe that would complicate things further.
Any thoughts on this welcome.
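Since the bridge already runs with ipv4.firewall disabled and hand-written iptables rules, the simplest place to enforce this is the FORWARD chain on the host. Below is an added example script (not from the original post or from LXD itself) that generates the rules for a list of "offline" containers. It assumes the bridge is named lxdbr0 and uses made-up container IP/MAC pairs; adjust both to match your setup.

```shell
#!/bin/sh
# Added example, not part of the original post: cut selected LXD containers
# off from the WAN while leaving bridge-local traffic and host services alone.
# Assumptions: the bridge is lxdbr0, and the IP/MAC pairs below are placeholders.
BRIDGE="${BRIDGE:-lxdbr0}"

# One line per offline container: "<ipv4> <mac>" (fixed per container, as in the post).
OFFLINE_CONTAINERS='
10.10.10.11 00:16:3e:aa:bb:01
10.10.10.12 00:16:3e:aa:bb:02
'

# Print the iptables commands, one per line, without running them.
# Rules are inserted with -I so they sit above any existing
# "-i lxdbr0 -j ACCEPT" rule. Using "! -o $BRIDGE" instead of naming the
# WAN interface blocks every off-bridge path (eth0, a VPN tunnel, ...),
# while traffic that stays on the bridge is left alone: it is switched at
# layer 2 and never enters FORWARD, and even with br_netfilter loaded it
# would match -i lxdbr0 -o lxdbr0 and so skip these rules.
gen_rules() {
    printf '%s\n' "$OFFLINE_CONTAINERS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Outbound, matched on the MAC: survives a container changing its IP.
        printf 'iptables -I FORWARD -i %s ! -o %s -m mac --mac-source %s -j DROP\n' \
            "$BRIDGE" "$BRIDGE" "$mac"
        # Outbound, matched on the IP: survives a container changing its MAC.
        printf 'iptables -I FORWARD -i %s ! -o %s -s %s -j DROP\n' \
            "$BRIDGE" "$BRIDGE" "$ip"
        # Inbound from anywhere off the bridge, e.g. a port-forward/DNAT
        # added later by mistake.
        printf 'iptables -I FORWARD ! -i %s -o %s -d %s -j DROP\n' \
            "$BRIDGE" "$BRIDGE" "$ip"
    done
}

# Run the generated commands (needs root). Rules are not persistent;
# add them to the existing hard-coded rule set.
apply_rules() {
    gen_rules | while read -r cmd; do
        $cmd
    done
}

# Only act on an explicit flag so sourcing the file has no side effects.
case "${1:-}" in
    --show)  gen_rules ;;
    --apply) apply_rules ;;
esac
```

Run `sh offline.sh --show` to review the rules and `sudo sh offline.sh --apply` to install them, then confirm the ordering with `iptables -L FORWARD -n -v --line-numbers`: the DROP rules must appear before the bridge ACCEPT rule or they never fire. Two caveats a practitioner should keep in mind: these rules only affect forwarded traffic, so the host's dnsmasq on the bridge will still resolve names on the container's behalf (a DNS side channel) unless you also drop port 53 from those addresses in INPUT; and an untrusted container that can reach the host or an "online" container can still use either as a relay, so this is WAN isolation, not network isolation.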