I have a docker-compose project, let's say Users and Resources. I want containers in Users to connect to containers in Resources, but containers in Users should not communicate with each other. Each container in Users is an ssh server, so I need to publish each ssh port to the host network to allow access from the Internet.
I have tried with macvlan but maybe there is some additional setup I have to do on the host iptables that I am not aware of.
How can I achieve this with docker/docker-compose? Is there a better approach to the problem than using two docker-compose projects?
Docker doesn't allow the setup you describe. For two containers to connect to each other, they must be on the same network, so each of the "users" containers must be on the same network as the "resource" container. But, if two containers are on the same network, they can communicate with each other. So since all of the "users" containers need to be on the same network, they can all intrinsically communicate with each other.
One technically possible but hacky answer is to not use Docker networking but instead communicate via the host system. Again, though, this won't solve your problem, since using this same technique any of the "users" containers could connect to another of the "users" containers' published ports.
More generally, it's hard to manage "a container per user", both operationally and for scaling purposes. If you can set up a single externally accessible container that all of your users can use, it will only have a single published port, and the networking setup becomes much clearer.