*Prevent* container from accessing hosts with lxdbr0 in bridge mode

Hello,

Using LXD lxdbr0 bridge with default settings, all containers receive a private IP upon creation.
Containers can then:

  • access the internet
  • access the host
  • publish applications over the internet, with a little bit of iptables tweaking

Default iptables rules run by lxd-net seem to authorize access by default and we do not want that.
Is there a way to keep using lxdbr0 but prevent connections FROM the containers TO the host, while still allowing containers to

  • access the internet
  • publish services (TCP/443 etc)?

Thank you,
Regards,
D.

You should be able to use normal iptables on top of lxdbr0 to restrict things the way you want.

If need be, you can set the “ipv4.firewall” config key to “false” so that LXD doesn’t generate iptables entries for you, letting you fully control your firewall rules.

That’s assuming you’re not running LXD 2.0.x, if on 2.0.x, then the lxdbr0 bridge isn’t actually managed by LXD but by the packaging scripts. I believe there are some configuration keys to turn off the default iptables rules there too but it’s been a long time since I read through that.

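As a worked illustration of the answer above (an added example, not code from the thread or from LXD itself), the script below generates an iptables-restore rule set for the setup asked about: containers on lxdbr0 can reach the internet and one service is published on the uplink, but new connections from containers to the host are dropped on INPUT, which also covers the host's public address since packets from containers always arrive on the bridge interface. It assumes ipv4.firewall has been set to false on lxdbr0, and the bridge name, subnet, gateway address, uplink interface and published service (tcp/443 to 10.0.3.10) are assumed placeholders to adapt. DHCP and DNS to the bridge address stay open so LXD's dnsmasq keeps working.

```shell
#!/bin/sh
# Added example: host isolation for an LXD bridge on top of plain iptables.
# Assumed values (adjust to your setup; these are not LXD defaults in general):
BRIDGE=lxdbr0
BRIDGE_NET=10.0.3.0/24
BRIDGE_ADDR=10.0.3.1          # host's address on the bridge (dnsmasq listens here)
UPLINK=eth0                   # interface with the public/internet route
PUB_PORT=443                  # published external port (assumed)
PUB_DST=10.0.3.10:443         # container address:port behind it (assumed)

# Emit the rule set in iptables-restore format. Comment lines are accepted
# by iptables-restore and kept so the applied rules stay readable.
lxd_isolation_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish: connections arriving on the uplink for tcp/$PUB_PORT go to the container
-A PREROUTING -i $UPLINK -p tcp --dport $PUB_PORT -j DNAT --to-destination $PUB_DST
# outbound NAT so containers can reach the internet through the uplink
-A POSTROUTING -s $BRIDGE_NET ! -d $BRIDGE_NET -o $UPLINK -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: what containers may say to the host itself.
# DHCP discover is broadcast, so it cannot be restricted to the bridge address.
-A INPUT -i $BRIDGE -p udp --dport 67 -j ACCEPT
# DNS only to the bridge address where LXD's dnsmasq listens
-A INPUT -i $BRIDGE -d $BRIDGE_ADDR -p udp --dport 53 -j ACCEPT
-A INPUT -i $BRIDGE -d $BRIDGE_ADDR -p tcp --dport 53 -j ACCEPT
# replies to connections the host itself opened towards containers
-A INPUT -i $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else arriving from the bridge for the host is dropped, whichever
# host address (bridge, uplink, loopback-routed) the container aimed at
-A INPUT -i $BRIDGE -j DROP
# FORWARD: container <-> internet, plus the published service.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $BRIDGE -o $UPLINK -j ACCEPT
# after DNAT the destination is the container, so match on that
-A FORWARD -i $UPLINK -o $BRIDGE -p tcp -d ${PUB_DST%:*} --dport ${PUB_DST##*:} -j ACCEPT
# nothing else is forwarded into or out of the bridge
-A FORWARD -i $BRIDGE -j DROP
-A FORWARD -o $BRIDGE -j DROP
COMMIT
EOF
}

# Usage: ./lxd-isolation.sh          (print the rule set)
#        ./lxd-isolation.sh apply    (append to the live tables, as root)
case "${1:-print}" in
    apply) lxd_isolation_rules | iptables-restore --noflush ;;
    *)     lxd_isolation_rules ;;
esac
```

Run `lxd_isolation_rules | iptables-restore --test` first to catch syntax errors before touching the live tables. With `--noflush` the rules are appended after whatever is already in the chains, so any remaining LXD-generated ACCEPT rules would take precedence; that is why this is meant for a bridge with ipv4.firewall set to false. Container-to-container traffic on the same bridge never passes FORWARD unless br_netfilter is loaded, so it is unaffected by these rules.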

Thanks!
I had missed the ipv4.firewall key.

Hello,

Running “lxc network set lxdbr0 ipv4.firewall false” does not prevent LXD from reloading default iptables rules at reboot. Am I doing something wrong or is there a problem with the behavior of the ipv4.firewall key?

Below is an extract of “iptables-save” upon LXD startup.

-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

Regards,
D.

It works for me. I’m running lxd version 3.0.3.