Best set-up for DMZ network on single host

Hello everyone!

I have just started experimenting with Docker on my home lab. Being the security tinfoil hat paranoid type that I am, I run two separate networks: internal and DMZ. The two networks do what they say on the tin. They exist as separate VLANs and they join at the main router-firewall, where there are appropriate rules governing traffic between the two and with the public internet. My docker host has a trunk directly to my switch, so I can see both VLANs as interfaces eth0.I and eth0.D.

I would like to have some containers act as “DMZ” containers, in other words they should host services that I will present on my DMZ network. The host itself should instead be in the internal network, and crucially, the containers that are on the DMZ network should have no access whatsoever to the host.

A quick session of googling took me to the macvlan driver, and so far I have set up those containers with it. They run fine and the network isolation is achieved. However, from a design standpoint, this feels wrong. Is there any better solution for my scenario? For example is it possible to set up a bridged network where my host has an IP address on eth0.D, but the host itself is completely inaccessible from that IP?

Thank you all!


It sounds like you should be able to achieve it using policy routing and firewall rules. Policy routing is needed since you want to use different routes depending on the source interface or IP address. It's implemented using multiple routing tables and ip rule in Linux. Firewall rules are needed to isolate the containers from the host.

Another solution is to run Docker in an LXD container which only has access to the DMZ network. Then you don't depend on policy routing and firewall rules on the host.
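One way to build the policy-routing-plus-firewall setup from the first suggestion, as an added example that is not part of this thread or of Docker's own tooling. The containers live on an ordinary Docker bridge; an ip rule sends everything sourced from that bridge's subnet to a separate routing table whose default route leaves via eth0.D, and an nftables table hooked in before Docker's own rules drops any packet from the bridge to the host or to the internal VLAN. The interface names, gateway address, bridge subnet, bridge name and table number are all assumptions for the example, and DRY_RUN=1 prints the commands instead of executing them so the logic can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the thread. Isolate a Docker bridge network so its
# containers can only talk to the DMZ VLAN, never to the host or the internal VLAN.
# All names and addresses below are constructed for this example; adjust to taste.
DMZ_IF=${DMZ_IF:-eth0.D}                  # DMZ VLAN interface on the trunk
DMZ_GW=${DMZ_GW:-10.20.0.1}               # router-firewall address on the DMZ VLAN (assumed)
DMZ_BR=${DMZ_BR:-br-dmz}                  # fixed bridge name so nft rules can match it
DMZ_SUBNET=${DMZ_SUBNET:-172.30.0.0/24}   # container subnet on that bridge (assumed)
DMZ_TABLE=${DMZ_TABLE:-100}               # routing table number used for DMZ-sourced traffic
DRY_RUN=${DRY_RUN:-0}                     # 1 = print commands instead of running them

# run CMD...: execute, or echo the command line when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the bridge network (if needed), then the policy-routing table and rule.
# Docker masquerades the bridge subnet behind whatever interface the route selects,
# so with this rule the containers appear on the DMZ VLAN as the host's eth0.D address.
setup_policy_routing() {
  if [ "$DRY_RUN" = 1 ] || ! docker network inspect dmz >/dev/null 2>&1; then
    run docker network create --driver bridge --subnet "$DMZ_SUBNET" \
      -o com.docker.network.bridge.name="$DMZ_BR" dmz
  fi
  # Table $DMZ_TABLE: default route via the DMZ gateway, plus the bridge subnet itself
  run ip route replace default via "$DMZ_GW" dev "$DMZ_IF" table "$DMZ_TABLE"
  run ip route replace "$DMZ_SUBNET" dev "$DMZ_BR" table "$DMZ_TABLE"
  # Rule: anything sourced from the bridge subnet consults that table (delete first
  # so re-running the script does not stack duplicate rules)
  run ip rule del from "$DMZ_SUBNET" table "$DMZ_TABLE" 2>/dev/null || true
  run ip rule add from "$DMZ_SUBNET" table "$DMZ_TABLE" priority 1000
}

# nftables ruleset. Priority -10 places these chains before Docker's iptables rules
# (priority 0): a drop here is final, while an accept only falls through to Docker's
# own chains, which still decide about published ports as usual.
nft_ruleset() {
  cat <<EOF
table inet dmz_isolation
delete table inet dmz_isolation
table inet dmz_isolation {
  chain input {
    type filter hook input priority -10; policy accept;
    iifname "$DMZ_BR" drop comment "DMZ containers never reach the host"
    iifname "$DMZ_IF" ct state established,related accept
    iifname "$DMZ_IF" drop comment "host has an address on the DMZ VLAN but is unreachable there"
  }
  chain forward {
    type filter hook forward priority -10; policy accept;
    iifname "$DMZ_BR" oifname "$DMZ_IF" accept
    iifname "$DMZ_IF" oifname "$DMZ_BR" accept
    iifname "$DMZ_BR" drop comment "no path from DMZ containers to the internal VLAN or other bridges"
    oifname "$DMZ_BR" drop comment "DMZ containers are only reachable from the DMZ VLAN"
  }
}
EOF
}

apply_firewall() {
  if [ "$DRY_RUN" = 1 ]; then nft_ruleset; else nft_ruleset | nft -f -; fi
}

# Usage: sh dmz-net.sh apply   (as root)   or   sh dmz-net.sh show   (dry run)
case "${1:-}" in
  apply) setup_policy_routing; apply_firewall ;;
  show)  DRY_RUN=1; setup_policy_routing; apply_firewall ;;
  *)     ;;   # no argument: only define the functions
esac
```

The "table ... / delete table ..." pair at the top of the ruleset makes re-applying idempotent (nft would otherwise fail to delete a table that does not exist yet). The input chain is what answers the original question: the host keeps an address on eth0.D so that masqueraded container traffic has a source, but nothing arriving on eth0.D can initiate a connection to it, and nothing arriving from the bridge can reach it at all. Published ports still work because Docker's DNAT happens in prerouting, so a connection from the DMZ VLAN to a published port is forwarded eth0.D to br-dmz, which the forward chain allows.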