[Lxc-users] Routing additional public IP without exposing to host

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 29 23:09:42 UTC 2013


On Thu, 2013-08-29 at 11:47 -0400, Robert Pendell wrote: 
> Ok... so this might not even be possible so this will be theoretical
> speak only.  I don't have a configuration at the moment as the
> progress I made before was wiped when I gave up before.  I found out
> about some limitations from my host so I was wondering if this scheme
> was possible.

I think this is very possible.  At first, I thought you were asking
about vampire routing where machines share an IP address (or one machine
is sitting on the path but acting as a vampire for an IP and MAC
address) but you're really talking about two IP addresses on the same
MAC address, sort of what cable/DSL modems do when you allocate a
passthrough host while they maintain minimal admin access.

Ok, so that, in and of itself, is actually pretty trivial.  The
splitting of the two IP addresses to two machines (virtual or otherwise)
while sharing a common MAC address is what gets entertaining.

In this case, I think you need to get really intimately up close and
personal with ebtables.  Specifically with MAC level NAT in the brouting
chain.  I've never done this myself (but I have explored the
possibilities for vampire routing) but I think that can provide you with
the hooks that will do what you want to do.

> Both IP1 and IP2 are on different subnets.  Statically assigned by provider.
> Container1 will be a container that I want to expose to the world
> bypassing iptables.
> 
> There is an additional issue here.  The container's mac address can't
> be leaked over the bridge.  It must appear to be coming from the host.
> Reason is because switch security doesn't allow unauthorized mac
> addresses to route.
> 
> Host has IP1 on br0
> Host routes IP2 to Container1 but it isn't assigned to the interface?
> (eg I don't want any services on the host to be able to bind to IP2 at
> all)
> 
> Container1 handles IP2 on virtual eth0
> Container2 (and so forth) are NAT routed for testing
> 
> Can this be done at all?  Any input will be extremely useful.
> 
> Robert Pendell
> shinji at elite-systems.org
> A perfect world is one of chaos.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
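The host-side configuration the thread is circling, written out as an added example (this is not code from the list, from Mike, or from Robert). It uses the ebtables `snat` and `dnat` targets, which live in the `nat` table's POSTROUTING and PREROUTING chains, to rewrite MAC addresses so that only the host's switch-authorised MAC is ever seen upstream while IP2 is configured inside Container1 only. The interface names, MAC addresses, IP addresses, prefix length and gateway are constructed placeholders; the bridge layout assumed is eth0 and the container's veth both enslaved to br0, with IP1 on br0.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread.  Host-side setup for
# "IP2 routed to a container without being bound on the host, container
# MAC never leaked upstream", done with ebtables MAC NAT.
#
#   eth0 ---- br0 ---- vethC1 ---- (Container1 eth0, holds IP2)
#   host owns IP1 on br0 only; IP2 is never configured on the host
#
# Outbound: frames from the container leaving eth0 get the host MAC as
# source; --snat-arp also rewrites the sender hardware address inside the
# container's ARP packets, so the upstream ARP cache maps IP2 to HOST_MAC.
# Inbound: frames arriving on eth0 for IP2 (IPv4 or ARP) have their
# destination MAC rewritten to the container's MAC so the bridge forwards
# them to vethC1 instead of handing them to the host's own stack.
#
# All values below are constructed placeholders.
HOST_IF=eth0                      # physical uplink, a port of br0
HOST_MAC=aa:bb:cc:dd:ee:01        # the MAC the switch has authorised
CT_MAC=02:00:00:00:00:02          # Container1's veth MAC, never seen upstream
IP2=203.0.113.10                  # provider-assigned address for Container1

# Print the ebtables rules for one container (pipe to "sh -e" to apply).
mac_nat_rules() {
    host_if=$1; host_mac=$2; ct_mac=$3; ip2=$4
    cat <<EOF
ebtables -t nat -A POSTROUTING -o $host_if -s $ct_mac -j snat --to-source $host_mac --snat-arp --snat-target ACCEPT
ebtables -t nat -A PREROUTING -i $host_if -p IPv4 --ip-dst $ip2 -j dnat --to-destination $ct_mac --dnat-target ACCEPT
ebtables -t nat -A PREROUTING -i $host_if -p ARP --arp-ip-dst $ip2 -j dnat --to-destination $ct_mac --dnat-target ACCEPT
EOF
}

# Keep bridged frames out of the host's iptables/arptables chains (the
# "bypassing iptables" requirement).  Only matters when br_netfilter is
# loaded; without it, bridged traffic never enters those chains anyway.
host_sysctls() {
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-arptables=0
EOF
}

# Commands run inside Container1: IP2 and its default route live there
# and nowhere else, so no host service can bind to IP2.
container_commands() {
    ip2=$1; prefix=$2; gw=$3
    cat <<EOF
ip addr add $ip2/$prefix dev eth0
ip route add default via $gw dev eth0
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # Apply for real: needs root plus the ebtables and bridge modules.
    host_sysctls | sh -e
    mac_nat_rules "$HOST_IF" "$HOST_MAC" "$CT_MAC" "$IP2" | sh -e
else
    # Default: show what would be applied, nothing is changed.
    echo "# host side:"
    host_sysctls
    mac_nat_rules "$HOST_IF" "$HOST_MAC" "$CT_MAC" "$IP2"
    echo "# inside Container1 (gateway and prefix are placeholders):"
    container_commands "$IP2" 24 203.0.113.1
fi
```

Run it as-is to review the generated rules; run with `APPLY=1` as root to install them. Container2 and later containers keep their ordinary NAT setup and are untouched by these rules, since the `snat` rule matches only `CT_MAC` and the `dnat` rules match only IP2. The bridge learns which port owns `CT_MAC` from the container's own outgoing frames (learning happens on ingress, before POSTROUTING rewrites the source), which is what makes the inbound `dnat` deliverable.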