On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
I would like to have several networks on the same host - so I've created
them with:
# lxc network create br-testing
# lxc network create br-staging
Then edited to match:
# lxc network show br-staging
config:
ipv4.address: 10.191.0.1/24
ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
ipv4.nat: "false"
# lxc network show br-testing
config:
ipv4.address: 10.190.0.1/24
ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
ipv4.nat: "false"
The problem is I'd like these networks to be separated - i.e. containers
using br-staging bridge should not be able to connect to br-testing
containers, and the other way around. Both networks should be able to
connect to hosts in the internet.
Is there any easy switch for that? So far, one thing which works is
write my own iptables rules, but that gets messy with more networks.
Is there any reason to keep them on the same subnet? How about: to the
host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and
10.191.1.0/24. Then iptables could easily block them from each other:
-s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d
10.191.0.0/24 -j DROP.
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
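Added example, not part of the thread and not LXD's own tooling: a small POSIX sh helper that generates (and optionally applies) the FORWARD-chain DROP rules for isolating any number of LXD-managed bridges from each other, so the per-pair iptables rules the thread calls "messy" are produced mechanically instead of by hand. It can match either on interfaces (the bridge names from the thread, br-staging and br-testing; br-prod below is a made-up third one) or on subnets (the reply's 10.191.0.0/24 and 10.191.1.0/24). The function names isolation_rules and apply_isolation are my own. It assumes the bridges are separate L3 networks routed by the host, so traffic between them crosses FORWARD, and that the rules are applied as root. One caveat worth stating: LXD adds its own "-i <bridge> -j ACCEPT" and "-o <bridge> -j ACCEPT" rules to FORWARD for every managed network, so the DROPs must be inserted at the top with -I; a DROP appended with -A would sit behind those ACCEPTs and never match. Internet access is untouched because the rules only match bridge-to-bridge pairs, never bridge-to-uplink.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): isolate LXD bridges from
# each other in the FORWARD chain while leaving their path to the internet alone.
#
# isolation_rules iface|subnet ITEM... : print one "iptables -I FORWARD" command
# per ordered pair of distinct items. "iface" matches on -i/-o (bridge names),
# "subnet" matches on -s/-d (CIDRs, as suggested in the reply). Interface
# matching does not require renumbering the bridges into one aggregate block.
# -I (insert at top) is deliberate: LXD installs ACCEPT rules for each managed
# bridge in FORWARD, and a DROP appended with -A after them would never fire.
isolation_rules() {
    mode=$1
    shift
    case $mode in
        iface)  src_flag=-i; dst_flag=-o ;;
        subnet) src_flag=-s; dst_flag=-d ;;
        *) echo "usage: isolation_rules iface|subnet ITEM..." >&2; return 2 ;;
    esac
    for src in "$@"; do
        for dst in "$@"; do
            # Skip the same-bridge pair: traffic within one bridge must stay allowed.
            [ "$src" = "$dst" ] && continue
            printf 'iptables -I FORWARD %s %s %s %s -j DROP\n' \
                "$src_flag" "$src" "$dst_flag" "$dst"
        done
    done
}

# apply_isolation iface|subnet ITEM... : run the generated rules (needs root).
# With DRY_RUN set, only print them. Each rule is first checked with
# "iptables -C" so re-running the script does not stack duplicate DROPs.
apply_isolation() {
    isolation_rules "$@" | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$rule"
            continue
        fi
        check=$(echo "$rule" | sed 's/ -I FORWARD / -C FORWARD /')
        if $check 2>/dev/null; then
            continue        # identical rule already present
        fi
        $rule               # bridge names/CIDRs contain no whitespace, so word splitting is safe
    done
}

# Usage from the command line (hypothetical br-prod added to show it scales):
#   sh isolate.sh apply iface br-staging br-testing br-prod
#   DRY_RUN=1 sh isolate.sh apply subnet 10.191.0.0/24 10.191.1.0/24
if [ "${1:-}" = "apply" ]; then
    shift
    apply_isolation "$@"
fi
```

For the thread's two bridges the iface mode emits exactly two rules, "-i br-staging -o br-testing" and "-i br-testing -o br-staging"; three bridges give six, and so on (n*(n-1) rules for n bridges). After applying, "iptables -S FORWARD" should list the DROPs above LXD's generated ACCEPT lines.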