Restrict lxc access only to assigned ip


Nov 7, 2015

How is it possible to configure, via the internal Proxmox firewall, that every LXC container can use only the IP address which is assigned to it?
For example, I assign ip to vm100, then vm100 can use e.g. ip through editing the /etc/network/interfaces file.

Currently I have no firewall hardware / MAC filtering switch.

I hope you can help me. Thanks for your answer!

This is my /etc/network/interfaces file on the host (I am using a PA assigned /24 subnet):
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual
iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

There's no way that I know of to restrict IPs to interfaces; interfaces can assign themselves arbitrary valid IP addresses, unless it's possible to deny them through AppArmor or similar. Alternatively, PVE-FIREWALL might help here.

As pointed out, it is not possible to restrict the IP address the CT/VM can assign to its interfaces.
But what you can do is only allow incoming traffic with the restricted IP (e.g. as destination and outgoing traffic with the restricted IP as source and drop all the rest.
You can easily define such rules for the CT via the GUI.
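
The rule pair described in the reply above, written out as a per-container firewall file. This is an added example, not part of the original thread: the address 192.0.2.100 and the interface name net0 are constructed placeholders, and the file name assumes the container from the question has ID 100.

```ini
# /etc/pve/firewall/100.fw  (constructed example for container 100)

[OPTIONS]
# Turn the firewall on for this container.
enable: 1
# Drop everything that no rule below accepts, in both directions.
# The outbound default is ACCEPT, so it has to be set to DROP here,
# otherwise packets sent from a self-assigned address still leave.
policy_in: DROP
policy_out: DROP
# Enable the built-in per-interface source address filter; it uses
# the ipfilter-net0 set defined below for the net0 interface.
ipfilter: 1

[IPSET ipfilter-net0]
# Only this source address may send traffic out of net0.
192.0.2.100

[RULES]
# Inbound: accept only packets addressed to the assigned IP.
IN ACCEPT -i net0 -dest 192.0.2.100
# Outbound: accept only packets sent from the assigned IP.
OUT ACCEPT -i net0 -source 192.0.2.100
```

The rules only take effect when the firewall is also enabled at the datacenter level and on the container's network device. The two `[RULES]` lines are the same entries that the GUI creates when the rules are added there.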

Thanks for your answers!

Is it possible to make a system-wide firewall rule for that, so I don't need to make firewall rules for each VM?

