Prevent internet access from container, allowing LAN only

Aloha,

I have a setup where one of my containers has been compromised, and I would like to quarantine it from accessing the internet while still allowing the local traffic needed to migrate application data to a new container. I believe there’s little risk that the compromised container infects other containers on the local network; I’ve cleaned whatever I was able to find, but I would rather take no chances of it initiating a reverse shell connection to a remote C2, which could be used to push other malicious payloads onto the affected container.

Is there a way to prevent a container from accessing the internet while keeping its local LAN traffic?

All containers share a bridge on the host that is not managed by LXD/Incus, and I have no prior knowledge of LXD networks. Ideally the solution would be applied from the host, either through iptables rules, bridge config or LXD network settings.

Thanks in advance~!

If compromised, wouldn’t it be better to keep it disabled, first vet the rest of your network, and then use another container, VM or remote machine to do forensics on the data from the compromised container without loading anything from it? Surely it is possible to access the application data without the container being live. You could also disable the network in the container and exec into it, no?

The application in question (Nextcloud) was installed on the container root volume, so I could not simply attach it to another container. However, I was able to mount the ZFS volume on the host directly.

Regardless, the question remains an interesting problem; I’ve already thought about it before for different use cases but never knew if it was possible.
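One host-side way to do the LAN-only quarantine the question asks about, as an added example rather than anything posted in the thread: on an unmanaged host bridge the container's frames are switched between bridge ports, not routed, so the IP-layer FORWARD chain only sees them if br_netfilter is loaded; an nftables ruleset in the bridge family sees them regardless. The script assumes nftables is available on the host and that you know the container's veth name on the host side (the "vethCT0" below is a placeholder).

```shell
#!/bin/sh
# Added example, not from the thread. Emits an nftables bridge-family ruleset
# that confines one bridged container to LAN-only IPv4/IPv6 destinations.
# The bridge "forward" hook sees every frame the host bridge switches between
# its ports, which is the path taken by both container-to-LAN and
# container-to-gateway traffic. Assumption: $1 is the container's veth name
# on the host (list them with: ip link show master <bridge>).
quarantine_ruleset() {
    veth="$1"
    cat <<EOF
table bridge ct_quarantine {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # IPv4: RFC1918 plus multicast/broadcast (DHCP, mDNS) stay reachable
        iifname "$veth" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 255.255.255.255 } accept
        # any other IPv4 destination the container originates is logged and dropped
        iifname "$veth" meta protocol ip log prefix "ct-quarantine4: " drop
        # IPv6: keep link-local, ULA and multicast; drop global destinations
        iifname "$veth" ip6 daddr { fe80::/10, fc00::/7, ff00::/8 } accept
        iifname "$veth" meta protocol ip6 log prefix "ct-quarantine6: " drop
    }
}
EOF
}

# Self-check helper: number of drop rules in the generated ruleset.
drop_rule_count() {
    quarantine_ruleset "$1" | grep -c ' drop$'
}

# Apply as root:   quarantine_ruleset vethCT0 | nft -f -
# Remove again:    nft delete table bridge ct_quarantine
# Watch hits:      journalctl -k | grep ct-quarantine
```

If the container's resolver is a LAN host that forwards queries upstream, DNS still gives it a channel out; point it at a non-forwarding resolver or add a rule dropping its port 53 traffic as well.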