Re: [lxc-users] preventing multiple networks from connecting to each other?
I strongly agree with the multiple subnets proposal because you can more easily filter traffic that way. And you can have multiple bridges (and in turn profiles based on the default for each bridge) as well with different subnets and block comms that way across the nets.

*Sent from my iPhone. Please excuse any typos, as they are likely to happen by accident.*

> On Oct 1, 2017, at 14:25, Mike Wright wrote:
>
>> On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
>> I would like to have several networks on the same host - so I've created them with:
>>
>> # lxc network create br-testing
>> # lxc network create br-staging
>>
>> Then edited to match:
>>
>> # lxc network show br-staging
>> config:
>>   ipv4.address: 10.191.0.1/24
>>   ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
>>   ipv4.nat: "false"
>>
>> # lxc network show br-testing
>> config:
>>   ipv4.address: 10.190.0.1/24
>>   ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
>>   ipv4.nat: "false"
>>
>> The problem is I'd like these networks to be separated - i.e. containers using the br-staging bridge should not be able to connect to br-testing containers, and the other way around. Both networks should be able to connect to hosts on the internet.
>>
>> Is there any easy switch for that? So far, one thing which works is to write my own iptables rules, but that gets messy with more networks.
>
> Is there any reason to keep them on the same subnet? How about: to the host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and 10.191.1.0/24. Then iptables could easily block them from each other: -s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d 10.191.0.0/24 -d DROP.
>
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] preventing multiple networks from connecting to each other?
On 2017-10-02 03:25, Mike Wright wrote:
> On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
>> I would like to have several networks on the same host - so I've created them with:
>>
>> # lxc network create br-testing
>> # lxc network create br-staging
>>
>> Then edited to match:
>>
>> # lxc network show br-staging
>> config:
>>   ipv4.address: 10.191.0.1/24
>>   ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
>>   ipv4.nat: "false"
>>
>> # lxc network show br-testing
>> config:
>>   ipv4.address: 10.190.0.1/24
>>   ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
>>   ipv4.nat: "false"
>>
>> The problem is I'd like these networks to be separated - i.e. containers using the br-staging bridge should not be able to connect to br-testing containers, and the other way around. Both networks should be able to connect to hosts on the internet.
>>
>> Is there any easy switch for that? So far, one thing which works is to write my own iptables rules, but that gets messy with more networks.
>
> Is there any reason to keep them on the same subnet?

They are not the same subnets (one is 10.190.0.1/24, the other is 10.191.0.1/24).

> How about: to the host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and 10.191.1.0/24. Then iptables could easily block them from each other: -s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d 10.191.0.0/24 -d DROP.

Like this, it won't work, because LXD adds iptables rules which pass all kinds of traffic between the networks.

Also, you can see how the number of combinations grows as the number of networks grows.

Also, filtering by IP will not be secure in some environments - i.e. if a user in a container adds an IP from a different network, the rules will no longer apply. So we need to filter on the interface.

So I figured I need to set:

config:
  ipv4.address: 10.190.0.1/24
  ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
  ipv4.firewall: "false"   # < important

Then add firewall rules which allow internet connectivity, and prevent cross-bridge traffic.

But it would be cool if we were able to do it somehow in LXD network configuration.
Tomasz Chmielewski
https://lxadm.com
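The approach described in the reply above (ipv4.firewall set to "false" on every bridge, then host rules that match on the bridge interface rather than on source addresses) can be generated rather than hand-written, which keeps the rule count linear in the number of bridges instead of growing with every pair. The script below is an added example for this thread, not code from the list or from the LXD project; it assumes all LXD bridges share the "br-" name prefix so the iptables "+" wildcard matches them, and it assumes a hypothetical uplink interface name (eth0, overridable through UPLINK). It only prints the iptables commands, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: emit iptables rules that isolate LXD bridges from each other
# while still letting each bridge reach the uplink. Assumes every network has
# ipv4.firewall: "false" (so LXD adds no FORWARD/INPUT rules of its own) and
# that all bridges share the "br-" prefix. Nothing is applied; rules go to stdout.

# Hypothetical uplink interface; set UPLINK=<iface> in the environment to change it.
UPLINK="${UPLINK:-eth0}"

# gen_isolation_rules BRIDGE... -> prints one iptables command per line
gen_isolation_rules() {
    # Default-deny forwarding replaces the permissive rules LXD would normally add.
    echo "iptables -P FORWARD DROP"
    # Return traffic for flows a container opened toward the uplink.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for br in "$@"; do
        # Container-to-container traffic on the same bridge is normally switched at
        # L2 and never reaches FORWARD, but with br_netfilter loaded it does, and
        # the br-+ wildcard below would otherwise drop it. Accept it explicitly.
        echo "iptables -A FORWARD -i $br -o $br -j ACCEPT"
        # The isolation rule proper. Matching on ingress/egress interface instead of
        # source IP means a container that assigns itself an address from another
        # network's subnet gains nothing: its packets still arrive via its own bridge.
        echo "iptables -A FORWARD -i $br -o br-+ -j DROP"
        # Internet connectivity: only the uplink is a permitted egress interface.
        echo "iptables -A FORWARD -i $br -o $UPLINK -j ACCEPT"
        # dnsmasq on the bridge address still needs DHCP and DNS from containers.
        echo "iptables -A INPUT -i $br -p udp --dport 67 -j ACCEPT"
        echo "iptables -A INPUT -i $br -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $br -p tcp --dport 53 -j ACCEPT"
    done
}

# count_rules BRIDGE... -> number of rules generated (2 global + 6 per bridge)
count_rules() {
    gen_isolation_rules "$@" | wc -l | tr -d ' '
}

# Usage: sh isolate.sh br-testing br-staging    (pipe into "sudo sh" to apply)
if [ "$#" -gt 0 ]; then
    gen_isolation_rules "$@"
fi
```

Because the DROP toward br-+ precedes the ACCEPT toward the uplink for each bridge, adding a third network only means passing one more name on the command line; no per-pair rules are needed. The rules are for IPv4 only, and on a host where other software also manages the FORWARD chain the default-policy line should be reviewed before applying.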
Re: [lxc-users] preventing multiple networks from connecting to each other?
On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
> I would like to have several networks on the same host - so I've created them with:
>
> # lxc network create br-testing
> # lxc network create br-staging
>
> Then edited to match:
>
> # lxc network show br-staging
> config:
>   ipv4.address: 10.191.0.1/24
>   ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
>   ipv4.nat: "false"
>
> # lxc network show br-testing
> config:
>   ipv4.address: 10.190.0.1/24
>   ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
>   ipv4.nat: "false"
>
> The problem is I'd like these networks to be separated - i.e. containers using the br-staging bridge should not be able to connect to br-testing containers, and the other way around. Both networks should be able to connect to hosts on the internet.
>
> Is there any easy switch for that? So far, one thing which works is to write my own iptables rules, but that gets messy with more networks.

Is there any reason to keep them on the same subnet? How about: to the host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and 10.191.1.0/24. Then iptables could easily block them from each other: -s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d 10.191.0.0/24 -d DROP.
[lxc-users] preventing multiple networks from connecting to each other?
I would like to have several networks on the same host - so I've created them with:

# lxc network create br-testing
# lxc network create br-staging

Then edited to match:

# lxc network show br-staging
config:
  ipv4.address: 10.191.0.1/24
  ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
  ipv4.nat: "false"

# lxc network show br-testing
config:
  ipv4.address: 10.190.0.1/24
  ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
  ipv4.nat: "false"

The problem is I'd like these networks to be separated - i.e. containers using the br-staging bridge should not be able to connect to br-testing containers, and the other way around. Both networks should be able to connect to hosts on the internet.

Is there any easy switch for that? So far, one thing which works is to write my own iptables rules, but that gets messy with more networks.

Tomasz Chmielewski
https://lxadm.com