[systemd-devel] nspawn: how to allow containers to connect to a specific host's port and prevent all the rest?
Fabien Meghazi
fme at odoo.com
Tue Mar 7 09:02:50 UTC 2017
Hello everyone,
I would like to constrain the network in the containers I spawn using
nspawn.
What I'd like to achieve is the following:
- prevent the containers from using the network interfaces of the host
- make one exception and allow the containers to connect (tcp) to a
specific port bound on the host's loopback device
The option --private-network allows me to achieve the first goal, once I
use this option the container is "network isolated".
Then, reading the man page, I thought that using --port would allow the
container to connect to a host-specific port, so here's what I've been
trying so far:
On the host I run netcat so I can check connections on the guest:
root at host # netcat -l -p 1234
From the host, I can telnet to localhost 1234 without problem.
Then I run the container like this:
root at host # systemd-nspawn -M test --private-network --port 1234
But from the container I can't connect back to the host:
root at test # telnet localhost 1234
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
So I guess I've been using the --port option in an inappropriate way
thinking it would map a host port to the container loopback interface.
I checked the other networking options but I could not find something
suitable for my use case.
Any idea about how I could allow the container to connect to a specific
port on the host but forbid all the rest?
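The following is an added example, not part of the original post or of systemd's own code, showing one way a host can enforce "exactly one TCP port, nothing else" for an nspawn container. It takes a different route from the post: per the systemd-nspawn man page, --port= maps a host port onto a container port (connections arriving at the host are forwarded in), so it does not give the container a path out to the host. The example instead assumes the container is started with `--private-network --network-veth`, so the host end of the virtual Ethernet pair is named `ve-<machine>`, and that the host service listens on the host-side veth address or on all interfaces rather than only on 127.0.0.1. It then generates an nftables ruleset that allows new TCP connections from that interface to the one permitted port, drops every other packet from the container, and refuses to forward the container's traffic anywhere. The table name, the address 10.0.0.1 and the machine name `test` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit an nftables ruleset that
# restricts a veth-attached systemd-nspawn container to one TCP port on the
# host. Assumptions: the container runs with
#   systemd-nspawn -M "$name" --private-network --network-veth
# so the host-side interface is "ve-$name", and the host service is reachable
# on $hostaddr (the host's address on that veth, here a constructed value).

# Print the ruleset for machine $1, allowed TCP port $2, host address $3.
# Inputs are validated because they are interpolated into nft syntax.
nspawn_allowlist_ruleset() {
    name=$1; port=$2; hostaddr=$3
    # Machine names are limited so "ve-$name" fits an interface name
    # (15 characters); nspawn shortens longer names, which we avoid here.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad machine name: $name" >&2; return 1 ;;
    esac
    [ ${#name} -le 12 ] || { echo "machine name too long: $name" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "port out of range: $port" >&2; return 1; }
    case $hostaddr in
        ''|*[!0-9.]*) echo "bad IPv4 address: $hostaddr" >&2; return 1 ;;
    esac
    ifname="ve-$name"
    cat <<EOF
table inet nspawn_guard_${name} {
    chain input {
        type filter hook input priority 0; policy accept;
        # Only new TCP connections to the one allowed host port get through.
        iifname "$ifname" ip daddr $hostaddr tcp dport $port ct state new accept
        # Replies on already-accepted connections are fine.
        iifname "$ifname" ct state established,related accept
        # Everything else from the container (other ports, UDP, IPv6) is dropped.
        iifname "$ifname" drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # The host never routes the container's traffic to other interfaces.
        iifname "$ifname" drop
        oifname "$ifname" drop
    }
}
EOF
}

# Load the generated ruleset into the running kernel (requires root and nft).
nspawn_allowlist_apply() {
    nspawn_allowlist_ruleset "$@" | nft -f -
}

# Stand-alone run: show the ruleset for the constructed sample inputs.
nspawn_allowlist_ruleset test 1234 10.0.0.1
```

Apply it on the host with `nspawn_allowlist_apply test 1234 10.0.0.1` and verify from inside the container that `telnet 10.0.0.1 1234` connects while any other destination or port is dropped rather than answered. Because the input chain matches on `ip daddr`, the container cannot reach the same port on the host's other addresses, and because the forward chain drops both directions, enabling IP forwarding on the host later does not silently widen the container's reach.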