How can I logically separate interfaces on a host?

0

Problem Introduction

I have a network topology which looks like the below diagram. All hosts are running different Linux distributions, and all my configuration should (hopefully) be done on Host A, which is RHEL7.

Network Topology Graph

with this routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fw.gatename.    0.0.0.0         UG    100    0        0 enp34s0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 enp9s0
10.0.1.2        0.0.0.0         255.255.255.255 UH    0      0        0 bridge1
10.12.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp2s0f1
10.14.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp2s0f0
10.17.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp7s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 bridge2
172.18.0.3      0.0.0.0         255.255.255.255 UH    0      0        0 bridge0
172.18.0.4      0.0.0.0         255.255.255.255 UH    0      0        0 bridge1
192.168.3.0     0.0.0.0         255.255.255.0   U     100    0        0 enp34s0
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 enp35s0
192.168.30.91   0.0.0.0         255.255.255.255 UH    0      0        0 bridge2
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

My main goal is to have each physical interface of Host A map to a Docker container, so that traffic can flow freely only between both ends of this mapping (and no traffic to or from interfaces outside this mapping).

For example, Container1 should be able to (only) communicate with Host B (along the red links of the diagram), and Container2 should be able to (only) communicate with Host C (along the green links of the diagram).

An initial attempt

By default, Docker creates a bridge br-97707d67f97c (for example), which I've removed (because it connects all containers to each other). I created the three bridges (bridge0, bridge1, bridge2), because I thought there might be some hope for some way to make the bridge 'private'.

As it stands right now, I can ping from any container to any interface on Host A, B, or C; I can't ping from one container to another, which I assume is due to them being on the same subnet and confusing the bridge.

Question

How can I logically separate interfaces on a host so that they can only interact with only the interface(s) I want them to?

karobar

Posted 2016-06-14T17:40:45.460

Reputation: 175

Answers

0

I was able to resolve this error by starting from scratch, then separating my interfaces by subnet.

To use the diagram in my question as an example, I changed the IP address for Container2 to be within the 10.0.0.0/24 subnet, so 10.0.1.100, for example. I changed the address for Container1 to be on the 192.168.30/24 subnet.

I also removed the IP addresses from enp35s0 and enp9s0, because I considered that these were unnecessary, as the bridges in my example should only operate on OSI Layer 2.

karobar

Posted 2016-06-14T17:40:45.460

Reputation: 175
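The layout the answer describes, written out as an added example (not code from the question or answer): one hand-made Layer-2 bridge per physical NIC with no host address on either end, a container attached to that bridge through a veth pair, and FORWARD rules so nothing crosses from a bridge to any other interface. The bridge-to-NIC pairing, the container addresses, the image and the PID 4242 used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script. Requires root, iproute2,
# iptables, nsenter and Docker; DRY_RUN=1 prints the commands instead.
set -eu

# run CMD...: execute, or with DRY_RUN=1 only print the command line.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bridge_for_nic BRIDGE NIC: pure L2 bridge around one port. The host keeps no
# address on the NIC or the bridge, so Host A is not a hop between segments.
bridge_for_nic() {
    br=$1 nic=$2
    run ip addr flush dev "$nic"
    run ip link add name "$br" type bridge
    run ip link set "$nic" master "$br"
    run ip link set "$nic" up
    run ip link set "$br" up
}

# isolate_bridge BRIDGE: with br_netfilter loaded, bridged frames also pass the
# FORWARD chain. Allow only traffic that enters and leaves the same bridge and
# drop any path to or from another interface (other bridges, docker0, enp34s0).
isolate_bridge() {
    br=$1
    run iptables -I FORWARD -i "$br" ! -o "$br" -j DROP
    run iptables -I FORWARD ! -i "$br" -o "$br" -j DROP
    run iptables -I FORWARD -i "$br" -o "$br" -j ACCEPT
}

# attach_container NAME PID BRIDGE ADDR/PREFIX: the container was started with
# --network none, so its only NIC is the veth whose host end sits on BRIDGE.
attach_container() {
    name=$1 pid=$2 br=$3 addr=$4
    run ip link add "veth_$name" type veth peer name "tmp_$name"
    run ip link set "veth_$name" master "$br" up
    run ip link set "tmp_$name" netns "$pid"
    run nsenter -t "$pid" -n ip link set "tmp_$name" name eth0 up
    run nsenter -t "$pid" -n ip addr add "$addr" dev eth0
}

if [ "${1-}" = apply ]; then
    bridge_for_nic bridge2 enp35s0 && isolate_bridge bridge2   # assumed: Host B side
    bridge_for_nic bridge1 enp9s0  && isolate_bridge bridge1   # assumed: Host C side
    docker run -d --network none --name container1 alpine tail -f /dev/null
    docker run -d --network none --name container2 alpine tail -f /dev/null
    attach_container container1 "$(docker inspect -f '{{.State.Pid}}' container1)" bridge2 192.168.30.100/24
    attach_container container2 "$(docker inspect -f '{{.State.Pid}}' container2)" bridge1 10.0.1.100/24
fi
```

Run with `DRY_RUN=1 sh script.sh apply` first to review the exact commands; verification afterwards is `bridge link` (each NIC enslaved to its own bridge) and `ip -br addr` (no address on the bridges or enslaved NICs).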