On Wed, Feb 28, 2018 at 12:21 AM, bkw - lxc-user <[email protected]> wrote:
> I have an LXC host. On that host, there are several unprivileged
> containers. All containers and the host are on the same subnet, shared via
> bridge interface br0.
>
> If container A (IP address 192.168.1.4) is listening on port 80, can I put
> an iptables rule in place on the LXC host machine, that would prevent
> container B (IP address 192.168.1.5) from having access to container A on
> port 80?
>
> I've tried this set of rules on the LXC host, but they don't work:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A FORWARD -j DROP -s 192.168.1.5 -d 192.168.1.4
>
> Container B still has access to container A's port 80.
That's how generic bridges work. Some possible ways to achieve what you want:

- don't use a bridge. Use the routed method. IIRC this is possible in lxc, but not easy in lxd.
- create separate bridges for each container, e.g. with a /30 subnet
- use an 'external' bridge managed by openvswitch, with additional configuration (on the openvswitch side) to enforce the rule. IIRC there were examples on this list to do that (try searching the archives)

--
Fajar

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
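The second option above (one /30 bridge per container) is the one that makes the original FORWARD rule actually take effect, because a packet from container B to container A then has to be routed by the host instead of switched inside br0. The script below is an added example, not code from the thread or from the LXC project: it generates the per-container bridge commands, the matching lxc.net.* container config and the host firewall rules, and prints them for review rather than applying anything. Assumptions: container index N gets the /30 192.168.1.(4N)/30 with the host at the first usable address and the container at the second, bridges are named br<N>, the lxc.net.* key names are those of LXC 2.1 and later, and the container names "a" and "b" are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): per-container /30 bridges so that
# container-to-container traffic is routed by the LXC host and therefore
# passes the iptables FORWARD chain, where the rule from the question applies.
# Assumptions (not from the page): /30s are carved out of 192.168.1.0/24 as
# index*4, bridges are called br<index>, lxc.net.* keys (LXC >= 2.1),
# hypothetical container names "a" and "b". Every function only prints the
# commands or config; nothing here changes the system.

NET_PREFIX=192.168.1

# p2p_subnet INDEX -> "NETWORK/30 HOST_GATEWAY CONTAINER_IP"
# index 1 -> 192.168.1.4/30 (host .5, container .6); index 2 -> .8/30 (.9, .10)
p2p_subnet() {
    base=$(( $1 * 4 ))
    echo "$NET_PREFIX.$base/30 $NET_PREFIX.$((base + 1)) $NET_PREFIX.$((base + 2))"
}

# host_bridge_cmds INDEX -> ip(8) commands creating the container's own bridge
host_bridge_cmds() {
    set -- "$1" $(p2p_subnet "$1")
    # $1 index, $2 network/30, $3 host gateway, $4 container ip
    cat <<EOF
ip link add br$1 type bridge
ip addr add $3/30 dev br$1
ip link set br$1 up
EOF
}

# lxc_net_config NAME INDEX -> lxc.net.* lines for that container's config file
lxc_net_config() {
    set -- "$1" $(p2p_subnet "$2") "$2"
    # $1 name, $2 network/30, $3 host gateway, $4 container ip, $5 index
    cat <<EOF
# container $1 (bridge br$5, only this container and the host are on it)
lxc.net.0.type = veth
lxc.net.0.link = br$5
lxc.net.0.flags = up
lxc.net.0.ipv4.address = $4/30
lxc.net.0.ipv4.gateway = $3
EOF
}

# host_firewall_cmds A_INDEX B_INDEX -> iptables rules on the LXC host that
# let the containers talk except for B -> A on TCP port 80.
host_firewall_cmds() {
    a_ip=$(p2p_subnet "$1" | cut -d' ' -f3)
    b_ip=$(p2p_subnet "$2" | cut -d' ' -f3)
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the rule from the question, now effective because the packet is routed
iptables -A FORWARD -s $b_ip -d $a_ip -p tcp --dport 80 -j DROP
# everything else between the per-container bridges
iptables -A FORWARD -i br+ -o br+ -j ACCEPT
EOF
}

# Print the whole plan for containers "a" (index 1) and "b" (index 2).
for i in 1 2; do host_bridge_cmds "$i"; done
lxc_net_config a 1
lxc_net_config b 2
host_firewall_cmds 1 2
```

Two caveats that follow from the design rather than from the thread: the containers are no longer on the LAN's /24, so other hosts need a route to each /30 via the LXC host (or the host must NAT), and with FORWARD defaulting to DROP you also need explicit rules for traffic between the container bridges and the host's LAN interface.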
