
I am trying to build a setup akin to a "Qubes OS Lite", but using Docker containers on Arch.

There will be several end-user applications running in Docker (with the help of https://subuser.org), and they will be routed through another appliance-like container which will run a VPN and a firewall (i.e. a setup akin to this: https://stackoverflow.com/questions/39913757/restrict-internet-access-docker-container).

My question is how do I completely disable internet access for the underlying Linux system, while keeping it so that the internet-facing Docker container can still access the internet?

  • I don't think such a thing is possible, since the docker containers are relying on the underlying OS to supply them with network (and hence internet) access. It might be helpful to specify why you want to do this so someone could respond with an alternative solution.
    – Turksarama
    Commented Jun 16, 2022 at 3:55
  • @Turksarama Thanks. There is no specific reason why... I just like the level of isolation that Qubes provides, but don't want to install Qubes or use VMs, and wanted to try a similar model but with Docker on my already-running systems. Just wanted to try setting up a more secure/hardened system. I guess one of the ways this could be accomplished is with an application-level firewall, but I was hoping there would be a more robust/easier way to do it.
    – Ruslan
    Commented Jun 16, 2022 at 3:59
  • Ultimately the purpose of Qubes is to disallow each VM from being able to infect the others. The docker "equivalent" would be to install and use applications only within docker containers and not use the overlying OS for anything other than running docker.
    – Turksarama
    Commented Jun 16, 2022 at 4:06
  • Yep, that's exactly the idea. The underlying OS would only run X11 and Docker.
    – Ruslan
    Commented Jun 16, 2022 at 4:09

1 Answer 1


Use a macvlan network for your appliance-like container, and completely disable networking on the docker host (e.g., bring your external-facing network interface down, remove its IP address(es), add firewall rules to block everything, etc.).
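One way to carry out the answer's steps on an Arch host, as an added example that is not the answerer's code; it assumes a parent NIC named eth0, a LAN of 192.168.1.0/24 with gateway 192.168.1.1, a container address of 192.168.1.50, and nftables on the host. Because a macvlan child only passes traffic while its parent link is up, the example flushes the host's addresses and drops all host traffic with nftables instead of downing the interface.

```shell
#!/usr/bin/env bash
# Added example: lock the Docker host off the network while one appliance
# container reaches it through a macvlan sub-interface. All addresses and
# names below are assumed values, not taken from the original answer.
set -euo pipefail

PARENT="${PARENT:-eth0}"
SUBNET="${SUBNET:-192.168.1.0/24}"
GATEWAY="${GATEWAY:-192.168.1.1}"
APPLIANCE_IP="${APPLIANCE_IP:-192.168.1.50}"
NET_NAME="${NET_NAME:-appliance-net}"

# nftables ruleset for the host: drop everything except loopback. The macvlan
# child lives in the container's network namespace, so these host-side hooks
# never see the appliance container's traffic.
host_ruleset() {
  cat <<EOF
table inet hostlock {
  chain input   { type filter hook input   priority 0; policy drop; iif "lo" accept; }
  chain output  { type filter hook output  priority 0; policy drop; oif "lo" accept; }
  chain forward { type filter hook forward priority 0; policy drop; }
}
EOF
}

# Command that starts the appliance (VPN + firewall) container on the macvlan
# network with a fixed LAN address; IMAGE is a placeholder for your image.
appliance_run_cmd() {
  printf 'docker run -d --name appliance --network %s --ip %s --cap-add NET_ADMIN IMAGE\n' \
    "$NET_NAME" "$APPLIANCE_IP"
}

# Apply on the host: create the macvlan network, strip the host's own addresses
# from the parent link (it must stay up for the macvlan child to pass traffic),
# then load the drop-everything ruleset.
apply_lockdown() {
  docker network create -d macvlan --subnet="$SUBNET" --gateway="$GATEWAY" \
    -o parent="$PARENT" "$NET_NAME"
  ip addr flush dev "$PARENT"
  ip link set "$PARENT" up
  host_ruleset | nft -f -
  echo "host locked down; start the appliance with: $(appliance_run_cmd)"
}

case "${1:-}" in
  --apply) apply_lockdown ;;
  *) echo "# dry run (pass --apply to execute); host ruleset:"; host_ruleset ;;
esac
```

After applying, `ip route show default` on the host should print nothing, while the appliance container still reaches the gateway through its macvlan interface.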
