Docker Containers - Prevent WAN access

Hello folks,

I have my lab with about 70 docker containers running and I would like to prevent them from being able to have WAN access.

My current idea: using MACVLAN, attach them to a VLAN hosted by my firewall and set up the appropriate rules to prevent this VLAN from accessing the internet.

Anyone have another idea?

Hi, segmentation is a great idea, especially for this many containers.

Depending on what else is running on the system, instead of MACVLAN you can assign them a private network namespace via systemd, or move any WAN access device into a dedicated network namespace into which you move only the other WAN-related programs.
A search engine found me this, which looks promisingly close to what I would look into when wanting to do something like this.

Jason has put a great example on the WireGuard project homepage about:

"move interfaces that connect to the Internet […] to a (dedicated) namespace"

It can be implemented without WireGuard, as it's basically talking about how Linux networking can be leveraged to isolate network layers.

Having the firewall configured as an additional safeguard definitely won’t hurt.


I run DHCP in a container and use the macvlan driver. It'd work, but the config is not pretty.

But then, it'd be crazy, mind-boggling, to not be able to do what you describe with just the bridge driver … and yet I'm not sure.

Have you tried toggling internal on the bridge network?

Alternatively, I'm thinking you could still firewall the bridge on the host and have it drop traffic.

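An added example, not code from any post in this thread, sketching both of the last reply's suggestions: a Docker bridge network created with the internal flag, and a host-side nftables rule that drops traffic leaving the bridge for any non-private destination while LAN traffic still passes. The network name, bridge name and subnet are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways to keep containers on a
# Docker bridge off the WAN:
#   1. Docker's own --internal flag: no masquerade rule and no route out,
#      containers still reach each other and the host.
#   2. A host nftables forward rule: the bridge may talk to private ranges
#      (LAN, other container subnets) but anything else is dropped.
# Assumed names: network "lab-nowan", bridge "br-lab", subnet 172.30.0.0/24.

NET_NAME="lab-nowan"
BRIDGE="br-lab"
SUBNET="172.30.0.0/24"
PRIVATE_RANGES="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Option 1: create the bridge as an internal network. The -o option pins the
# Linux bridge name so the nftables rule below can refer to it.
create_internal_network() {
    docker network create --internal \
        --subnet "$SUBNET" \
        -o com.docker.network.bridge.name="$BRIDGE" \
        "$NET_NAME"
}

# Option 2: print (do not apply) an nftables ruleset for a bridge whose
# containers still need LAN access but must never reach the internet.
# Priority -10 runs this chain before Docker's own FORWARD rules (priority 0).
# Return traffic never matches: it enters on the uplink, not on the bridge.
build_nft_rules() {
    bridge="$1"
    cat <<EOF
table inet lab_nowan {
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$bridge" ip daddr $PRIVATE_RANGES accept
        iifname "$bridge" ip daddr != $PRIVATE_RANGES counter drop
    }
}
EOF
}

# Apply with:   build_nft_rules "$BRIDGE" | nft -f -
# Check from a container on the network (expected to time out):
#   docker run --rm --network "$NET_NAME" alpine wget -T 3 -O- http://example.com
# and confirm the drop counter moved:  nft list chain inet lab_nowan forward
```

With iptables instead of nftables the equivalent DROP rule belongs in the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules.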