Multiple websites in Incus containers + LAN security

My goal is to host several small Picolisp websites on-prem. I have fiber internet, a static IP, and domain names. And, I can port-forward through my Verizon FIOS router. My understanding is that the web servers should be isolated from the rest of my LAN.

Question:

Can I and, if so, how can I configure container network to securely isolate the rest of the LAN from exposure to the wild web without placing them in an external DMZ or VLAN?

I’ve studied LXD/Incus documentation; installed LXD (plan to replace with Incus) and have worked through many tutorials. But, still, my ambitions exceed my know-how.

Any and all tips welcomed.

Many thanks,

LRP

You can create a network ACL with incus network acl and then assign it to your network with incus network set NAME security.acls=ACLNAME so you can restrict exactly what your instances can connect to.

Many thanks Stéphane.

Just looked at ACL docs. Looks complicated, but I’ll experiment.

All the best,

LRP

It’s not particularly complicated, you can probably do something like:

incus network acl create default
incus network acl rule add default ingress action=allow state=enabled
incus network acl rule add default egress action=allow state=enabled
incus network acl rule add default egress action=reject destination=10.0.0.0/8 state=enabled
incus network acl rule add default egress action=reject destination=172.16.0.0/12 state=enabled
incus network acl rule add default egress action=reject destination=192.168.0.0/16 state=enabled
incus network set default security.acls=default

This would act like our normal networking except that instances will not be allowed access to any RFC1918 subnets (usual LAN subnets).
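As an added example, not from the thread or the Incus project: a shell script that applies the ACL exactly as given in the reply above, models its egress verdict so you can check offline which destinations it rejects, and probes the result from inside a container. The network and ACL name "default", container "web1", LAN gateway 192.168.1.1 and public address 1.1.1.1 are assumptions to adjust.

```shell
#!/bin/sh
# Added example: applies the ACL from the reply above and checks its effect.
# Assumptions: network/ACL "default", container "web1", LAN gateway 192.168.1.1.
set -eu
CONTAINER=${CONTAINER:-web1}
LAN_HOST=${LAN_HOST:-192.168.1.1}    # assumed LAN gateway: must be rejected
PUBLIC_HOST=${PUBLIC_HOST:-1.1.1.1}  # public address: must stay reachable
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Dotted quad -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# True if address $1 lies inside CIDR $2.
in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}
# Mirror the ACL's egress decision: a reject rule matches any RFC1918
# destination; everything else falls through to the egress allow rule.
acl_egress_verdict() {
  local cidr
  for cidr in $RFC1918; do
    if in_cidr "$1" "$cidr"; then echo reject; return 0; fi
  done
  echo allow
}
# Create the ACL exactly as in the reply and attach it to the network.
apply_acl() {
  incus network acl create default
  incus network acl rule add default ingress action=allow state=enabled
  incus network acl rule add default egress action=allow state=enabled
  for cidr in $RFC1918; do
    incus network acl rule add default egress action=reject destination="$cidr" state=enabled
  done
  incus network set default security.acls=default
}
# Check from inside the container; IP literals so no name resolution is needed.
probe() {
  if incus exec "$CONTAINER" -- ping -c1 -W2 "$LAN_HOST" >/dev/null 2>&1; then
    echo "FAIL: $LAN_HOST is reachable from $CONTAINER"; return 1
  fi
  incus exec "$CONTAINER" -- ping -c1 -W2 "$PUBLIC_HOST" >/dev/null 2>&1 ||
    { echo "FAIL: $PUBLIC_HOST unreachable from $CONTAINER"; return 1; }
  echo "OK: LAN rejected, internet allowed"
}
case "${1:-}" in apply) apply_acl ;; probe) probe ;; esac
```

Saved as acl.sh, `sh acl.sh apply` creates and attaches the ACL and `sh acl.sh probe` runs the reachability check from inside the container.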