[Lxc-users] lxc networking using nat

Serge E. Hallyn serue at us.ibm.com
Mon Apr 5 21:29:10 UTC 2010


Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> Serge E. Hallyn wrote:
> >Hi Daniel,
> >
> >lxc at the moment (AFAICS) won't work for me on my laptop
> >bc of bridges and macvlan not working with wireless
> >devices.  (I have explicitly heard that bridging won't
> >work with wireless, but I hadn't heard that about macvlan -
> >but quick tests with modifying lxc-macvlan.conf did not
> >succeed).
> >
> >However, I can manually create a networked container using
> >veth devices and ip tables:
> >
> >on HOST:
> >ip link add type veth
> >ifconfig veth0 192.168.1.1 up
> >ifconfig veth1 192.168.1.2 up
> >route add -host 192.168.1.2 dev veth0
> >
> >on VM:
> >ns_exec -cmpiun /bin/bash
> >hostname vm1
> >mount --make-rslave /
> >mount -t tmpfs tmp /tmp
> >ifconfig veth1 192.168.1.2 up
> >route add -net default gw 192.168.1.1
> >mount --bind /etc/resolv.conf.vm1 /etc/resolv.conf
> >
> >back on HOST:
> >ip link set veth1 netns 11741
> >echo 1 > /proc/sys/net/ipv4/ip_forward
> >iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
> >iptables --append FORWARD --in-interface veth0 -j ACCEPT
> >
> >Any idea of the best way to implement this in lxc?  Just add some
> >code into setup_netdev() to recognize and handle a 'use_nat' option?
> >
> >Sure would be nice to be able to simply use lxc on my laptop  :)
> >
> >thanks,
> >-serge
> 
> Hi Serge,
> 
> You can setup your host with a bridge, ip_forwarding and a single
> iptables rule.
> 
> 1 - create a bridge with an IP address used as the default gateway address
> 
> 2 - use the lxc configuration:
> 
> lxc.network.type = veth
> lxc.network.link = br0
> 
> 3 - set on your host the ip forwarding:
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> 4 - set the iptables rule
> 
> sudo /sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
> 
> These steps assume your container does dhcp and you have a dnsmasq
> setup running on your host and providing the ip addresses for the
> containers' network.
> 
> At present lxc does not provide route configuration, hence if dhcp
> is not used, your container has to set the network with the route
> etc ...

Hmm, that sounds perfect, since I can do the setup once for all
containers.  I'll give it a shot - thanks.

-serge
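A host-side setup script following Daniel's four steps, as an added example that is not part of the thread or of lxc itself. The bridge name br0, uplink wlan0 and subnet 10.0.3.0/24 are assumed, and the two FORWARD rules go beyond his single MASQUERADE rule by limiting what the host will forward to bridge-to-uplink traffic and its replies, rather than relying on an ACCEPT default policy.

```shell
#!/bin/sh
# Added example: host setup for NAT'd LXC containers behind a bridge.
# Names below are assumptions; override them in the environment.
BRIDGE="${BRIDGE:-br0}"
UPLINK="${UPLINK:-wlan0}"
GATEWAY_CIDR="${GATEWAY_CIDR:-10.0.3.1/24}"   # address containers use as default gw
SUBNET="${SUBNET:-10.0.3.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: bridge holding the gateway address; container veth ends attach here.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr add "$GATEWAY_CIDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# Step 2: the per-container config fragment that puts it on the bridge.
lxc_network_conf() {
    printf 'lxc.network.type = veth\nlxc.network.link = %s\n' "$BRIDGE"
}

# Step 3: let the kernel forward packets between bridge and uplink.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 4: masquerade only the container subnet, and forward only
# bridge->uplink plus established return traffic (the extra FORWARD rules
# are this example's addition to the thread's single rule).
setup_nat() {
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

main() {
    setup_bridge
    enable_forwarding
    setup_nat
}

# `sh setup-nat.sh plan` prints the commands; `sh setup-nat.sh apply` runs them.
case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) DRY_RUN=0; main ;;
esac
```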