Lxdbr0 blocking access to external network?

Not found anything to answer this on the site… I want to sandbox containers and they do their network access via OpenVPN (tun0); however, I don't want them to access the local network via the lxdbr0.

The hosts routing table has a 192.168.1.0/24 entry which allows the containers via lxdbr0 to access that entire subnet.

I've added an iptables entry which seems to do the job…
# iptables -A FORWARD -i lxdbr0 -o eth0 -j DROP

What's the consensus on this? Is there another way to stop the containers from accessing anywhere other than tun0?

Currently that’s pretty much the way to go. We have upcoming work on security groups and firewalling support directly in LXD though this will mostly be about source/destination rules more than interface based ones like you’re doing here.

Thanks, just thought I'd check… Where would you suggest is an appropriate point/hook to enable the iptables command?

iptables allows rules to be added that reference non-existent interfaces, so you can add the rules on system start-up and they will take effect once LXD starts.

If you're finding that the rules LXD adds are interfering with your ordering, you can disable LXD's firewall and add the rules you need manually.

To disable LXD’s firewall rules use:

lxc network set <network> ipv4.firewall=false
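As an added example (not code from the thread or from the LXD project), here is a small POSIX shell script that turns the advice above into a boot-time ruleset: it generates an iptables-restore fragment that only lets traffic from the bridge leave through the VPN tunnel, allows the replies back, and logs and drops anything else (including the 192.168.1.0/24 LAN reached via eth0). The interface names lxdbr0 and tun0 and the chain name LXD_VPN_ONLY are assumptions taken from the thread or chosen here; adjust them to your host. It assumes you have set ipv4.firewall=false on the network as shown above, so that LXD no longer adds its own FORWARD accepts and the explicit reply rule below is what keeps VPN traffic working.

```shell
#!/bin/sh
# Added example, not part of the original thread or of LXD itself.
# Restricts LXD containers on a bridge so their only forwarding path is a
# VPN tunnel. iptables accepts rules for interfaces that do not exist yet,
# so this can run from a boot script before LXD and OpenVPN come up.
#
# Assumptions (override via environment if your names differ):
BRIDGE="${BRIDGE:-lxdbr0}"      # LXD bridge the containers sit on
TUNNEL="${TUNNEL:-tun0}"        # OpenVPN interface the containers may use
CHAIN="${CHAIN:-LXD_VPN_ONLY}"  # dedicated chain, hypothetical name

# Emit the filter-table rules as an iptables-restore fragment.
# Ordering matters: the ACCEPT for the tunnel must precede the final DROP.
lxd_vpn_only_rules() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
# Divert every packet entering from the bridge into our chain
-A FORWARD -i ${BRIDGE} -j ${CHAIN}
# Replies coming back through the tunnel to the containers
-A FORWARD -i ${TUNNEL} -o ${BRIDGE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Containers may only originate traffic towards the VPN tunnel
-A ${CHAIN} -o ${TUNNEL} -j ACCEPT
# Anything else leaving the bridge (LAN via eth0, other uplinks) is logged, rate-limited, then dropped
-A ${CHAIN} -m limit --limit 5/min -j LOG --log-prefix "lxd-vpn-only drop: "
-A ${CHAIN} -j DROP
COMMIT
EOF
}

# Load the fragment without flushing rules that LXD or other tools own.
# Needs root. Re-running appends duplicates, so call it once per boot.
apply_lxd_vpn_only() {
    lxd_vpn_only_rules | iptables-restore --noflush
}

# Usage: ./lxd-vpn-only.sh show   (print the rules)
#        ./lxd-vpn-only.sh apply  (load them, as root)
case "${1:-}" in
    show)  lxd_vpn_only_rules ;;
    apply) apply_lxd_vpn_only ;;
esac
```

Two caveats a practitioner should keep in mind: this only governs IPv4, so an IPv6-enabled bridge needs the same rules loaded through ip6tables-restore; and container-to-container traffic on the same bridge is switched at layer 2 and never traverses the FORWARD chain unless br_netfilter is loaded with bridge-nf-call-iptables enabled. The LOG rule exists so that a container probing the LAN shows up in the kernel log instead of failing silently.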
