Hi LXD community,
I am trying to use LXD to set up containers in an arrangement with 2 containers (c1 and c2) on a host (h0):
- h0 essentially acts as a router. It is connected to the internet on its enp1s0 interface and runs the nft firewall
- c1 and c2 have static 10.0.0.x IPv4 addresses and hosts file entries about each other (so DHCP and local DNS are not needed)
- c1 should be able to reach c2 on port 80 and receive responses to related/established connections.
- otherwise c1 and c2 cannot communicate with each other on L2 or L3.
- h0 should route incoming tcp/80 traffic from the internet to c2
- c1 and c2 can both reach the internet through h0 via NAT
h0, c1, and c2 are all running Debian 12.
I have been searching and tinkering for the past week without success. I have seen references to security.port_isolation, routed nics, multiple bridged networks with firewall rules, etc. I also admit the problem may be my lack of understanding which nft hooks control the traffic above (I am coming from a background of FreeBSD jails and pf).
Any suggestions are most welcome! Thank you!
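For readers arriving at this thread, the ruleset below is an added example of how the policy listed in the post can be expressed in nftables on h0; it is not from the original poster and not from the LXD project. It assumes the containers use LXD "routed" NICs rather than a shared bridge, so each container sits behind its own host-side veth interface and every packet between c1 and c2 is routed by h0 and therefore passes the inet forward hook. The interface names vethc1/vethc2 and the addresses 10.0.0.11/10.0.0.12 are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Placeholders: interface
# names, container addresses. Assumes LXD routed NICs (one host-side
# veth per container), so c1<->c2 traffic is routed and hits "forward".
define wan    = enp1s0
define c1_if  = vethc1        # host side of c1's routed NIC (placeholder)
define c2_if  = vethc2        # host side of c2's routed NIC (placeholder)
define c1_ip  = 10.0.0.11     # placeholder
define c2_ip  = 10.0.0.12     # placeholder
define ct_ifs = { vethc1, vethc2 }
define ct_net = 10.0.0.0/24

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Rules for administering h0 itself (e.g. SSH on $wan) go here.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to anything already allowed below.
        ct state established,related accept
        ct state invalid drop

        # c1 -> c2 on tcp/80 only; the reverse direction and every other
        # port fall through to the drop policy, so c2 cannot open
        # connections to c1.
        iifname $c1_if oifname $c2_if ip saddr $c1_ip ip daddr $c2_ip \
            tcp dport 80 ct state new accept

        # Internet -> c2 tcp/80. The DNAT in the nat table has already
        # rewritten the destination, so match on c2's address here.
        iifname $wan oifname $c2_if ip daddr $c2_ip tcp dport 80 ct state new accept

        # Both containers may reach the internet (masqueraded below).
        iifname $ct_ifs oifname $wan accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish c2's web service on h0's internet-facing interface.
        iifname $wan tcp dport 80 dnat to $c2_ip
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT for container traffic leaving via the internet link.
        oifname $wan ip saddr $ct_net masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. The forward-hook approach only works because routed NICs force every inter-container packet through h0's IP layer; if c1 and c2 were instead attached to a single LXD bridge, frames between them would be switched at L2 and would not pass the inet forward hook unless br_netfilter is loaded, so the isolation would then have to be expressed in the bridge family or by keeping the containers on separate networks. Note also that the input chain above drops everything except loopback and reply traffic, so add the host's own management rules before applying it remotely.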