Greetings, Lukas Pirl!

> tl;dr: How to block traffic between containers? A bridge & subnet each?

The relevant TL;DR answer requires a bit more than your "TL;DR".

> I have a host which masquerades all packets to/from containers, since
> I am restricted to one external IP address.

Where do you do masquerading? On the same host? On an external router?

> Currently, the containers share a subnet and can hence communicate with
> each other.

That's not necessarily true. Nor is it necessarily bad. Please think twice before enforcing such policies in your system.

> They have a veth each and share a bridge on the host side.
> However, I want to fully control the traffic from/to/between the
> containers from the host (i.e., iptables/netfilter).
> Would having a subnet and a bridge on the host side per container be
> the most "elegant" way to gain full control over the traffic between
> containers? It feels a bit cumbersome/overkill.

Any solution to your request would be cumbersome: ipip tunnels, Ethernet-level filtering, separate interfaces.

> (Please CC me directly, since I am not subscribed to lxc-users)

You can read the archives, if you are so inclined to abstain from the conversation.
Please reply to your own mails at least to maintain threading consistency.

-- 
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:55:41

Sorry for my terrible English...

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
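An added example, not code from the thread and not part of LXC: one way to get the host-side control Lukas asks about without a bridge and subnet per container is to make bridged frames traverse iptables (the br_netfilter module plus net.bridge.bridge-nf-call-iptables=1) and then default-deny the bridge-to-bridge hop in the FORWARD chain, with an explicit allow-list keyed on the host-side veth names via the physdev match. The bridge name lxcbr0, the chain name CT_ISOLATE and the veth names passed in ALLOW_PAIRS are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC: default-deny traffic
# between containers on one shared host bridge by running bridged frames
# through iptables (br_netfilter) and filtering the bridge->bridge hop in
# FORWARD. Assumed names (not from the thread): bridge lxcbr0, chain
# CT_ISOLATE, host-side veth names given as ALLOW_PAIRS="vethA:vethB ...".
set -e

BRIDGE="${BRIDGE:-lxcbr0}"
ALLOW_PAIRS="${ALLOW_PAIRS:-}"

# Print the commands instead of running them, so the policy can be reviewed
# (or diffed against the live ruleset) before it is applied with APPLY=1.
render_rules() {
    bridge="$1"
    pairs="$2"

    # 1. Make bridged IPv4 traffic traverse iptables. Without br_netfilter,
    #    frames switched between two ports of the same bridge never reach
    #    the FORWARD chain, which is why a shared bridge "just works".
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"

    # 2. Keep the inter-container policy in its own chain (idempotent).
    echo "iptables -N CT_ISOLATE 2>/dev/null || true"
    echo "iptables -F CT_ISOLATE"

    # 3. Allow-list by physical bridge port (the host-side veth), in both
    #    directions. The physdev match also needs br_netfilter.
    for pair in $pairs; do
        a="${pair%%:*}"
        b="${pair##*:}"
        echo "iptables -A CT_ISOLATE -m physdev --physdev-in $a --physdev-out $b -j ACCEPT"
        echo "iptables -A CT_ISOLATE -m physdev --physdev-in $b --physdev-out $a -j ACCEPT"
    done

    # 4. Everything else that stays on the bridge is logged (rate-limited)
    #    and dropped.
    echo "iptables -A CT_ISOLATE -m limit --limit 5/min -j LOG --log-prefix 'ct-isolate: '"
    echo "iptables -A CT_ISOLATE -j DROP"

    # 5. Only packets that enter and leave via the same bridge are
    #    container-to-container. Container<->Internet leaves via the
    #    external interface and is not matched; container<->host traffic
    #    goes through INPUT/OUTPUT, not FORWARD, so DHCP/DNS served from
    #    the host keep working. -C first so re-runs do not stack rules.
    echo "iptables -C FORWARD -i $bridge -o $bridge -j CT_ISOLATE 2>/dev/null || iptables -I FORWARD 1 -i $bridge -o $bridge -j CT_ISOLATE"
}

if [ "${APPLY:-0}" = 1 ]; then
    render_rules "$BRIDGE" "$ALLOW_PAIRS" | sh -e   # needs root
else
    render_rules "$BRIDGE" "$ALLOW_PAIRS"
fi
```

Run it as-is to see the rules; run `ALLOW_PAIRS="vethA:vethB" APPLY=1 sh isolate.sh` as root to apply them. Two caveats worth checking before turning this on: once bridge-nf-call-iptables is enabled, bridged packets also pass through the nat table, so the MASQUERADE rule should be tied to the external interface (or exclude the container subnet as destination) or allowed container-to-container flows get masqueraded too; and iptables only sees IP, so containers can still ARP for each other and exchange non-IP frames. Blocking that is the Ethernet-level filtering (ebtables, or the nftables bridge family) mentioned in the reply above.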
