[Lxc-users] Routing additional public IP without exposing to host

Robert Pendell shinji at elite-systems.org
Thu Aug 29 15:47:05 UTC 2013


Ok... so this might not even be possible so this will be theoretical
speak only.  I don't have a configuration at the moment as the
progress I made before was wiped when I gave up before.  I found out
about some limitations from my host so I was wondering if this scheme
was possible.

Both IP1 and IP2 are on different subnets.  Statically assigned by provider.
Container1 will be a container that I want to expose to the world
bypassing iptables.

There is an additional issue here.  The container's mac address can't
be leaked over the bridge.  It must appear to be coming from the host.
The reason is that switch security doesn't allow unauthorized mac
addresses to route.

Host has IP1 on br0
Host routes IP2 to Container1 but it isn't assigned to the interface?
(e.g. I don't want any services on the host to be able to bind to IP2 at
all)

Container1 handles IP2 on virtual eth0
Container2 (and so forth) are NAT routed for testing

Can this be done at all?  Any input will be extremely useful.

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.
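A routed (rather than bridged) veth setup is one way to get the properties described in the post: the host answers ARP for IP2 on br0 with its own MAC and forwards to the container, so the container's MAC never reaches the switch and IP2 is never bound on the host. This is an added example, not from the original post or from LXC; the addresses (198.51.100.5 / 203.0.113.10), the interface name vethC1 and the hook point (lxc.network.script.up) are assumptions.

```shell
#!/bin/sh
# Routed veth + proxy ARP for a single public IP (IP2) on a different subnet.
# Run "host" on the host after the container's veth exists (e.g. from an
# lxc.network.script.up hook) and "container" inside Container1.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

IP1="${IP1:-198.51.100.5}"    # host's own address on br0 (constructed placeholder)
IP2="${IP2:-203.0.113.10}"    # routed container address (constructed placeholder)
VETH="${VETH:-vethC1}"        # host side of the container's veth pair (assumed name)
BR="${BR:-br0}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Host side: no address on the veth, so nothing on the host can bind IP2.
host_side() {
    run sysctl -qw net.ipv4.ip_forward=1
    # Answer ARP for IP2 on br0 with br0's MAC: the switch only ever sees the host.
    run sysctl -qw "net.ipv4.conf.$BR.proxy_arp=1"
    run ip link set "$VETH" up
    run ip route add "$IP2/32" dev "$VETH"
    # Forwarded traffic still traverses FORWARD, so the host keeps filtering control.
    run iptables -A FORWARD -d "$IP2" -j ACCEPT
    run iptables -A FORWARD -s "$IP2" -j ACCEPT
}

# Container side: IP2 as a /32 with the host's IP1 as an on-link gateway.
# The host answers ARP for IP1 on the veth because IP1 is a local address.
container_side() {
    run ip addr add "$IP2/32" dev eth0
    run ip route add "$IP1/32" dev eth0
    run ip route add default via "$IP1" dev eth0
}

case "${1:-}" in
    host) host_side ;;
    container) container_side ;;
esac
```

Preview with `DRY_RUN=1 sh routed-ip.sh host`; the container never sees IP1's subnet, only the on-link route to the host.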
