4

I have two groups of LXC containers on a server and want to isolate their network traffic for security reasons. I will be using port forwarding, so the containers must each have separate IPs. I know I must subnet both groups and intend to give each a /29 CIDR. I also assume I need to put each subnet on its own VLAN.

However, I'm not sure how the veth#, bridge, VLAN and host NIC need to be arranged, and what options there are, if any.

Ideally I would like to confine the VLANs to the server alone, so that the host NIC receives the forwarded packets from the router/firewall untagged. They then get tagged and untagged as they pass from the host NIC through any bridges and VLANs to the veth#s on the containers.

In short, I just want to isolate each subnet from the other whilst allowing packets to be forwarded from the router to any container on each of the subnets.
If there is a simpler way I'll be glad to hear it.

P.S. I'm using Ubuntu Server 12.04 with its LXC network libraries. I have not installed libvirt separately.

Any information or suggestions greatly appreciated.

Rex
user108168
  • OK, so after a lot more digging I'm thinking of abandoning VLANs and simply using bridges combined with some iptables rules to isolate them. I'm not at all sure this is the best approach but it's difficult to find any documents on this specific topic. – user108168 Nov 23 '13 at 04:24
  • Please do not cross post on the various SE sites: http://unix.stackexchange.com/questions/102295/configuring-containers-veth-bridges-and-vlans-on-a-server-only – slm Nov 23 '13 at 08:49

1 Answer

0

Try

lxc.net.0.veth.mode = router

instead of bridges; a bridge enables LXC containers to see each other, but it sounds like you want the reverse.

If you set the LXC container's veth.mode to router, each LXC container must be in its own subnet and will have no access to other LXCs without a specific route in the outer hosting Linux. If you do have routes, the outer Linux can have a firewall to control all the access to and between containers, which cannot be done if they share the same bridge.

teknopaul
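An added worked example (not part of teknopaul's answer and not LXC project code) that carries the answer's approach through end to end: two container groups on 10.0.1.0/29 and 10.0.2.0/29 (constructed addresses), the `lxc.net.0` stanza for one container in each group in veth router mode, and the host FORWARD rules that let the router reach each published port while dropping every packet between the two groups. The uplink name `eth0`, the `veth-*` pair names, the container names and the ports are all assumptions. Two version caveats: the `lxc.net.[i].*` key names need LXC 2.1 or later and `veth.mode = router` needs LXC 4.0 or later, so this does not apply to the LXC shipped with Ubuntu 12.04, and the `dev` gateway value should be checked against `man lxc.container.conf` for the version actually installed.

```shell
#!/bin/sh
# Added example (not from the original answer): two isolated /29 container
# groups using LXC veth router mode plus a host FORWARD policy.
# All addresses, container names and interface names are constructed.

HOST_NIC=eth0            # untagged uplink towards the router/firewall (assumed)
NET_A=10.0.1.0/29        # group A (constructed)
NET_B=10.0.2.0/29        # group B (constructed)

# Network stanza for one container config (LXC >= 4.0 key names).
#   $1 = container name, reused for the host-side veth name
#   $2 = the container's address with prefix, e.g. 10.0.1.2/29
# In router mode LXC installs a host route for this address via veth-$1 when
# the container starts; gateway 'dev' gives the container a device route.
lxc_net_config() {
    printf '%s\n' \
        "lxc.net.0.type = veth" \
        "lxc.net.0.veth.mode = router" \
        "lxc.net.0.veth.pair = veth-$1" \
        "lxc.net.0.ipv4.address = $2" \
        "lxc.net.0.ipv4.gateway = dev" \
        "lxc.net.0.flags = up"
}

# Base FORWARD policy: default DROP, the two cross-group drops placed before
# any ACCEPT so that no later rule can undo the isolation, then return
# traffic and container-to-uplink traffic.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -s $NET_A -d $NET_B -j DROP
iptables -A FORWARD -s $NET_B -d $NET_A -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $NET_A -o $HOST_NIC -j ACCEPT
iptables -A FORWARD -s $NET_B -o $HOST_NIC -j ACCEPT
EOF
}

# Publish one service: packets arriving untagged on the uplink, already
# routed by the router to the container's address, may be forwarded to it.
#   $1 = container name (rule comment)   $2 = container IP
#   $3 = protocol (tcp/udp)              $4 = destination port
publish() {
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -m comment --comment %s -j ACCEPT\n' \
        "$HOST_NIC" "$2" "$3" "$4" "$1"
}

# Complete rule set for two constructed containers: web1 in group A
# publishes TCP/80, db1 in group B publishes TCP/5432.
ruleset() {
    forward_rules
    publish web1 10.0.1.2 tcp 80
    publish db1  10.0.2.2 tcp 5432
}

# Dry run by default; APPLY=1 executes the rules on the host as root.
if [ "${APPLY:-0}" = 1 ]; then
    sysctl -w net.ipv4.ip_forward=1
    ruleset | sh -e
else
    echo '# --- /var/lib/lxc/web1/config (network part) ---'
    lxc_net_config web1 10.0.1.2/29
    echo '# --- /var/lib/lxc/db1/config (network part) ---'
    lxc_net_config db1 10.0.2.2/29
    echo '# --- host iptables ---'
    ruleset
fi
```

Run it without arguments to review the generated container stanzas and iptables commands; `APPLY=1 sh isolate.sh` enables forwarding and loads the rules. The router/firewall still needs static routes for both /29s pointing at the host's LAN address so that the untagged packets reach the host at all, and the host-side routes for each container appear only once the container is started (`ip route` and `ip neigh show proxy` on the host show what LXC installed). Because every container has its own veth pair in router mode, there is no shared bridge segment, so the two `-j DROP` rules are the whole of the inter-group policy; adding a third group is another `/29` and two more drop lines.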