Question about using --internal network

[cypherbits]

Hello, in the past I used Docker to make Onion Services with this network isolation design, but I created this isolated network with the docker command "--internal" to prevent connections to the Internet.

What is the difference between using --internal or using -o "com.docker.network.bridge.enable_ip_masquerade=false"

[moba]

My (limited) understanding is that "--internal" isolates the container completely, i.e. no connections to other containers will work either, which would not allow connectivity to the onionize container? Disabling masquerading seems to be a hack to allow connections to the other containers on the same (local) Docker network ("faraday" in the example) but not to the Internet.

This was proposed by the original "onionboat" author @jheretic, of which this is an updated fork. Potentially there are better ways to achieve this?

Maybe someone else has something constructive to add, so I will leave the ticket open for now. I did not test this much myself.

[cypherbits]

If you try to create an internal network for no internet access, if you join containers on that network they can communicate knowing each other IPs, at least for me it is working.

Should we ask Docker people?

[moba]

I looked a bit at the Docker documentation, and I think now --internal may well be the cleaner way to approach this. I don't have the time to play with it more at the moment, but if it works in your tests, and still isolates the containers well, I would rework the documentation to not rely on the de-masquerade hack.

Maybe we can get confirmation by someone else, yes.