We’ve a multi-container setup in mind and would like to see if you think this is possible. Schematically it looks like this:
- Container 1 is an application which can be in network bridge mode with maybe some ports forwarded.
- Container 2 needs network in the host mode.
- Container 3 will be running ZeroTier to provide external access and it will have the task to control the firewall of the host.
The focus of this question is container 3 and its interaction with the host system. ZeroTier will create an additional network interface. All traffic is allowed to go over this network interface. We will be running this on a NUC which has both WiFi and Ethernet. What we want to do is restrict all inbound and outbound traffic on these two network interfaces to prevent any access to container 2 through these interfaces by using a firewall.
However, we want to have something like a web server running in container 3 which can be accessed through the WiFi and Ethernet and, behind some password-protected menu, have the option to (temporarily) remove the firewall rules that block inbound and outbound traffic (basically to do on-site maintenance when no internet connection is provided and ZeroTier won’t work).
- Do you think this solution will work, or do you see other solutions?
- Will we be able to set this up in Balena?
- Do we need to use iptables for the firewall rules, as I read in some other posts (it seems to be very old?)?
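As an added illustration of the firewall part of this design (example code, not from the original post or from Balena or ZeroTier), the script below generates iptables rules for the host: everything on the physical WiFi/Ethernet interfaces is dropped except what ZeroTier itself needs to reach its peers (ZeroTier listens on UDP 9993 by default), DHCP/DNS for the host, and the container-3 web UI port; the "maintenance" mode is the same policy without the final DROP rules. The interface names (eth0, wlan0, zt0) and the web port (8080) are assumed placeholders. The rules are printed rather than executed so they can be reviewed first; the ZeroTier interface is deliberately not covered by the chains, so it keeps the default ACCEPT policy.

```shell
#!/bin/sh
# Added example (not from the forum post). Generates, and optionally applies,
# an iptables policy for the NUC: drop traffic on the physical interfaces
# except ZeroTier peer traffic, DHCP/DNS and the container-3 web UI;
# "maintenance" mode leaves the DROP rules out.
set -eu

LAN_IFACES="${LAN_IFACES:-eth0 wlan0}"  # assumed physical interface names
ZT_IFACE="${ZT_IFACE:-zt0}"             # assumed ZeroTier interface name (untouched by the chains)
WEB_PORT="${WEB_PORT:-8080}"            # assumed port of the container-3 web UI
ZT_PORT=9993                            # ZeroTier default UDP port

# emit_rules MODE: print the iptables commands for MODE ("locked" or
# "maintenance") to stdout, one per line, without executing them.
emit_rules() {
    mode="$1"
    case "$mode" in
        locked|maintenance) ;;
        *) echo "emit_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac

    # Dedicated chains keep the policy self-contained and re-runnable:
    # create them if missing, otherwise flush them.
    for chain in LAN_IN LAN_OUT; do
        echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    done

    # Hook each physical interface into the chains (idempotent: -C checks first).
    for ifc in $LAN_IFACES; do
        echo "iptables -C INPUT -i $ifc -j LAN_IN 2>/dev/null || iptables -I INPUT -i $ifc -j LAN_IN"
        echo "iptables -C OUTPUT -o $ifc -j LAN_OUT 2>/dev/null || iptables -I OUTPUT -o $ifc -j LAN_OUT"
    done

    # Replies to connections the host itself started may come back in.
    echo "iptables -A LAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ZeroTier must still reach (and be reached by) its peers over the physical links.
    echo "iptables -A LAN_OUT -p udp --dport $ZT_PORT -j ACCEPT"
    echo "iptables -A LAN_IN -p udp --dport $ZT_PORT -j ACCEPT"
    # Keep the host's own DHCP and DNS working (DHCP offers may be broadcast,
    # so conntrack alone is not enough for them).
    echo "iptables -A LAN_OUT -p udp --dport 67 -j ACCEPT"
    echo "iptables -A LAN_IN -p udp --sport 67 --dport 68 -j ACCEPT"
    echo "iptables -A LAN_OUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A LAN_OUT -p tcp --dport 53 -j ACCEPT"
    # The container-3 web UI stays reachable on site in both modes.
    echo "iptables -A LAN_IN -p tcp --dport $WEB_PORT -j ACCEPT"

    # Locked mode: everything else on the physical interfaces is dropped.
    if [ "$mode" = locked ]; then
        echo "iptables -A LAN_IN -j DROP"
        echo "iptables -A LAN_OUT -j DROP"
    fi
    return 0
}

# apply_rules MODE: execute the generated commands (needs root / NET_ADMIN).
apply_rules() {
    emit_rules "$1" | sh -e
}

# Usage: ./fw.sh locked|maintenance [--dry-run]
case "${1:-}" in
    locked|maintenance)
        if [ "${2:-}" = "--dry-run" ]; then emit_rules "$1"; else apply_rules "$1"; fi ;;
esac
```

Run it with `--dry-run` first to inspect the generated rules. For the container that runs this to be able to change the host's rules, it has to share the host network namespace (`network_mode: host`) and be granted `NET_ADMIN` (`cap_add`) in the compose file; without that, iptables calls inside the container only affect the container's own namespace. Note that a rule set which simply drops all traffic on eth0/wlan0 would also cut off ZeroTier, since its peer traffic travels over those same physical links, which is why the UDP 9993 exceptions above are needed.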