<div dir="ltr">Which chains are used for container to container?</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 19, 2014 at 5:29 PM, Shidan <span dir="ltr"><<a href="mailto:shidan@gmail.com" target="_blank">shidan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">First, I spoke too soon (by saying the problem is fixed with DNAT for the OUTPUT chain): now I can ping the containers from the host and vice versa, but not container to container using the container's external IP.<br><br>Regarding your method, if you have IP aliases for the external addresses for the containers, the MAC address will not be the container's address but the host's, and will get filtered by a significant number of upstream switches depending on their configuration ... so in this case you will need to use something like ebtables and put your switch in promiscuous mode, which I can't do. I can't use macvlan either, as I am running unprivileged containers, and it seems to me it's not a very tested feature either. <br><br>So now I have:<div><br> iptables -t nat -D POSTROUTING -s <internal_ip> ! -d 10.0.3.0/24 -o eth0 -j SNAT --to-source <external_ip><br> iptables -t nat -D PREROUTING -d <external_ip> -i eth0 -j DNAT --to-destination <internal_ip><br> iptables -t nat -D OUTPUT -d <external_ip> -j DNAT --to-destination <internal_ip><div><br></div><div>What am I missing for container to container addressing using the external IPs?</div><div><br></div><div>-- Shidan Gouran<div><div class="h5"><br><br>On Fri, Sep 19, 2014 at 12:51 AM, Dave Pedu <<a href="mailto:lxc@davepedu.com" target="_blank">lxc@davepedu.com</a>> wrote:<br>><br>> Instead of using iptables, you can give a container a network interface (for a total of two).<br>><br>> On my system I have an ethernet bridge, br0, with the host's main interface on it. 
Then, in a container's config -<br>><br>> # primary, public interface 192.168.1.x from my router<br>> lxc.network.type = veth<br>> lxc.network.hwaddr = 00:16:3e:e1:92:a3<br>> lxc.network.link = br0<br>> lxc.network.flags = up<br>> lxc.network.name = eth0<br>> lxc.network.veth.pair = vethplex0<br>><br>> # second, private interface 10.0.3.x<br>> lxc.network.type = veth<br>> lxc.network.hwaddr = 00:16:3e:e1:92:a4<br>> lxc.network.link = lxcbr0<br>> lxc.network.flags = up<br>> lxc.network.name = eth1<br>> lxc.network.veth.pair = vethplex1<br>><br>><br>> On 2014-09-18 21:19, Shidan wrote:<br>>><br>>> Just figured out a fix, I think. For containers to address each<br>>> other by both external and internal IPs, I set the DNAT rule on the<br>>> OUTPUT and PREROUTING chain, instead of just on the PREROUTING as<br>>> above. <br>>><br>>> On Thu, Sep 18, 2014 at 11:03 PM, Shidan <<a href="mailto:shidan@gmail.com" target="_blank">shidan@gmail.com</a>> wrote:<br>>><br>>>> I think the case of having a 1 to 1 assignment of external IPs to<br>>>> containers is an important use case to document somewhere. 
<br>>>><br>>>> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <<a href="mailto:shidan@gmail.com" target="_blank">shidan@gmail.com</a>> wrote:<br>>>><br>>>>> Hello, I have multiple external IP addresses and set up iptables so<br>>>>> that each container is assigned one external IP on the lxcbr0<br>>>>> NATed bridge in a 1 to 1 fashion similar to this example:<br>>>>><br>>>>> root@SERVER:/var/log# iptables -t nat -L<br>>>>> Chain PREROUTING (policy ACCEPT)<br>>>>> target prot opt source destination <br>>>>> <br>>>>> DNAT all -- anywhere 188.227.224.138 to:10.0.3.2<br>>>>> DNAT all -- anywhere 188.227.224.139 to:10.0.3.3<br>>>>><br>>>>> Chain INPUT (policy ACCEPT)<br>>>>> target prot opt source destination <br>>>>> <br>>>>><br>>>>> Chain OUTPUT (policy ACCEPT)<br>>>>> target prot opt source destination <br>>>>> <br>>>>><br>>>>> Chain POSTROUTING (policy ACCEPT)<br>>>>> target prot opt source destination <br>>>>> <br>>>>> SNAT all -- 10.0.3.2 !10.0.3.0/24 to:188.227.224.138<br>>>>> SNAT all -- 10.0.3.3 !10.0.3.0/24 to:188.227.224.139<br>>>>><br>>>>> Now when I try to access a container from another container, I am<br>>>>> just hitting the host, so for ssh for example, even if I try the<br>>>>> IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I<br>>>>> will actually connect to the physical host's SSH daemon. Everything<br>>>>> works fine when connecting from/to external machines. <br>>>>><br>>>>> What am I doing wrong? 
<br>>><br>>> _______________________________________________<br>>> lxc-users mailing list<br>>> <a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>>> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></div></div></div></div></div>
</blockquote></div><br></div>
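<div dir="ltr">Added example, not code from the thread or from any of its participants: a POSIX sh script that emits the nat-table rules for a 1:1 external-to-internal mapping like the one above, plus a hairpin rule for the container-to-container case the thread asks about. It assumes eth0 is the upstream interface carrying the external addresses as aliases, lxcbr0 is the container bridge and the containers' default gateway, and the mapping table is constructed; IPT defaults to "echo iptables" so the script prints the rules rather than applying them.</div>

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): 1:1 external-IP-to-container
# NAT on an LXC host, including the hairpin case where one container reaches a
# sibling through that sibling's external address. Names below are assumptions.
EXT_IF=${EXT_IF:-eth0}          # host's upstream interface (holds the aliases)
BR_IF=${BR_IF:-lxcbr0}          # NATed container bridge, gateway for containers
CT_NET=${CT_NET:-10.0.3.0/24}   # container subnet behind the bridge
IPT=${IPT:-echo iptables}       # set IPT=iptables (as root) to apply for real

# Constructed mapping table: "<external_ip> <internal_ip>" per line.
MAP='188.227.224.138 10.0.3.2
188.227.224.139 10.0.3.3'

# Emit the nat-table rules for one external/internal pair.
nat_rules() {
    ext=$1; int=$2
    # Inbound: deliberately no "-i $EXT_IF". A packet from a sibling container
    # arrives on the bridge, and with an interface restriction it would not be
    # rewritten; the external address is local to the host, so the packet would
    # land on the host's own services instead of the target container.
    $IPT -t nat -A PREROUTING -d "$ext" -j DNAT --to-destination "$int"
    # Host-originated traffic to the external address.
    $IPT -t nat -A OUTPUT -d "$ext" -j DNAT --to-destination "$int"
    # Outbound: the container appears as its own external address.
    $IPT -t nat -A POSTROUTING -s "$int" ! -d "$CT_NET" -o "$EXT_IF" \
        -j SNAT --to-source "$ext"
    # Hairpin: after the DNAT above, the packet leaves again via the bridge to
    # the target container. Rewrite its source as well, otherwise the target
    # replies directly across the bridge (same subnet) and the originator gets
    # a reply from an address it never contacted. Limited to DNATed flows so
    # ordinary internal-IP traffic between containers is left untouched.
    $IPT -t nat -A POSTROUTING -s "$int" -d "$CT_NET" -o "$BR_IF" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$ext"
}

# Walk the mapping table and emit (or apply) all rules, four per pair.
apply_map() {
    printf '%s\n' "$MAP" | while read -r ext int; do
        [ -n "$ext" ] && nat_rules "$ext" "$int"
    done
}

apply_map
```

Run with IPT=iptables to apply the rules; with the default it only prints them, which is the safe way to review the rule set before touching a live host.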