I have a single incus host server (not clustered). I want to be able to isolate instances (from a networking perspective) to only communicate with containers in the same project and still be able to communicate with the outside world. My assumption is that you can create a bridged network per project; however, I do not know the best way to prevent communication between network bridges.
This instance will most likely have 10+ projects. If the host firewall needs to control communication, the networking commands need to grow linearly with each new project created (said another way, I do not want to prevent traffic with every other existing bridged network).
I also believe that incus firewall management can interfere with any iptables rules that I create (and vice versa).
Here is an example that seems to work. Is this a safe and complete solution, assuming all bridge names begin with incusbr (using + as a wildcard)?
#allow for exceptions
sudo iptables -A FORWARD -i incusbr4 -o incusbr8 -j ACCEPT
I know that you can create complete isolation using the following; however, I believe this leaves me using a tailscale type solution to support networking. Is this correct?
security.ipv4_filtering=true (prevents IPv4 spoofing)
security.ipv6_filtering=true (prevents IPv6 spoofing)
security.mac_filtering=true (prevents MAC spoofing)
security.port_isolation=true (prevents container to container traffic)
You should be able to create an ACL and assign it to your bridge within Incus, you'd like to put reject rules for the usual RFC1918 space so your instances can access the public internet but not anything private.
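One concrete form of the ACL suggested above, as an added example that is not part of this thread or of Incus itself: a small Python script that generates the `incus network acl` commands for one bridge, rejecting egress to RFC1918 (and IPv6 unique-local) space except the bridge's own subnet. The ACL name, bridge name, project and subnets are constructed placeholders; the real subnet is what `incus network get <bridge> ipv4.address` returns.

```python
import ipaddress
import shlex
from typing import List, Optional

# Private space referred to above: RFC1918 for IPv4, unique-local (ULA) for IPv6.
PRIVATE_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PRIVATE_V6 = ["fc00::/7"]


def private_minus_local(private: List[str], local: str) -> List[str]:
    """Private ranges with the bridge's own subnet carved out.

    Incus orders ACL rules drop > reject > allow whatever the insertion order,
    so an 'allow my subnet' rule can never win over 'reject 10.0.0.0/8'; the
    reject set itself must leave a hole for the local subnet.  `local` is the
    gateway-style value of the network's ipv4.address / ipv6.address key."""
    hole = ipaddress.ip_network(local, strict=False)
    out = []
    for cidr in private:
        net = ipaddress.ip_network(cidr)
        if net.version != hole.version or not hole.subnet_of(net):
            if not (net.version == hole.version and net.subnet_of(hole)):
                out.append(net)          # untouched by the local subnet
        else:
            out.extend(net.address_exclude(hole))  # split around the hole
    return [str(n) for n in sorted(out, key=lambda n: (n.version, n))]


def acl_commands(acl: str, bridge: str, local_v4: str,
                 local_v6: Optional[str] = None,
                 project: Optional[str] = None) -> List[List[str]]:
    """argv lists for the incus CLI; nothing is executed here."""
    base = ["incus"] + (["--project", project] if project else []) + ["network"]
    v4 = private_minus_local(PRIVATE_V4, local_v4)
    v6 = private_minus_local(PRIVATE_V6, local_v6) if local_v6 else PRIVATE_V6
    return [
        base + ["acl", "create", acl],
        base + ["acl", "rule", "add", acl, "egress", "action=reject",
                "destination=" + ",".join(v4)],
        base + ["acl", "rule", "add", acl, "egress", "action=reject",
                "destination=" + ",".join(v6)],
        # Unmatched egress (the public internet) falls through to the default
        # action; ingress defaults are left as Incus sets them.
        base + ["set", bridge, "security.acls=" + acl,
                "security.acls.default.egress.action=allow"],
    ]


def as_script(cmds: List[List[str]]) -> str:
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    print(as_script(acl_commands("incusbr1-egress", "incusbr1",
                                 "10.42.0.1/24", "fd42:1:2:3::1/64")))
```

Review the printed commands before running them on the host, and check on a test instance that DHCP/DNS to the bridge gateway and established return traffic still work once the ACL is attached.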
Hi @stgraber , thank you for your quick reply! I would like a little more help if you are willing… Here are my thoughts:
I have searched the entire internet, and I cannot find a single example of an "incus network acl rule add …" command so that I can see what the [properties…] might look like and what my options are.
If I understood you correctly, I would need to specify (or programmatically find) the subnet IP space for both v4 and v6 for the newly created bridge so that I could create the appropriate acl deny statements.
Would you kindly create example "acl create …" and "acl add …" statements so that I may better understand your recommendation? I am happy to sponsor your efforts.
Let's assume a newly created incus instance with incusbr0.
Let's assume I created a new bridge network using: incus network create incusbr1
The following is what was created: incus network show incusbr1