[lxc-users] lxc and PREROUTING conflict

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Tue Aug 5 10:07:20 UTC 2014


I have a little bare-metal ubuntu 14.04 server at home running a web
service. The http(s) daemon runs on ports 8006 and 8007, and iptables
is used to redirect incoming requests. I have been using this setup
forever, and it works great:

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8007 -j ACCEPT
    iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8006
    iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8007

Now on the same server I would like to run LXC, however I am running
into a strange problem. Within the LXC guests on this server, all
outgoing http(s) requests seem to hit the prerouting rule, and are
redirected to localhost:8006/8007 on the server. The guests are not
running any httpd or anything; this is just to download a file from
the web. So for example, on the guest if I do:

    curl http://www.google.com/foo

I actually get the content of http://localhost:8006/foo on my host
server. Naturally this makes the guest unworkable, because the package
manager can't get to the repositories: it gets a 404 for anything it
needs.

My question:

 - Is this expected? Why do outgoing http(s) requests from the lxc
guest hit the prerouting rules in the host machine?
 - How can I modify the iptables PREROUTING line so that it still
redirects incoming http requests to port 8006/8007 on the server, but
does not affect the lxc guests?

Thank you very much,

Jeroen
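An added example (not from the original post or its author) of the interface-scoped form of the REDIRECT rules described above, plus a small audit helper that flags REDIRECT rules lacking an ingress-interface match. The nat PREROUTING chain is traversed by every packet entering the host on any interface, the LXC bridge included, so an unscoped rule also catches guest egress traffic; the interface names eth0 and lxcbr0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the host's
# external interface is eth0 and the LXC bridge is lxcbr0.
WAN_IF="${WAN_IF:-eth0}"

# Emit the corrected rule set. Every packet entering the host, whether from
# the Internet on eth0 or from a guest via lxcbr0, passes through nat
# PREROUTING, and REDIRECT rewrites the destination to the address of the
# interface the packet arrived on. For guest traffic that is the bridge
# address, i.e. the host itself, which is exactly the symptom in the post.
# "-i $wan" restricts the match to packets arriving on the external
# interface, so bridged guest traffic is left alone.
redirect_rules() {
    wan="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 80 -j REDIRECT --to-ports 8006
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 443 -j REDIRECT --to-ports 8007
EOF
}

# Return 0 if a rule line carries an ingress-interface match, 1 otherwise.
rule_is_scoped() {
    case "$1" in
        *"-i "*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Count PREROUTING REDIRECT rules on stdin that have no interface match.
# Feed it the output of `iptables-save -t nat` on a live host to check
# whether any existing REDIRECT would also catch container traffic.
count_unscoped_redirects() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *PREROUTING*REDIRECT*) rule_is_scoped "$line" || n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Apply the rules only on explicit request and only as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    redirect_rules "$WAN_IF" | sh
fi
```

Run with `sh script.sh apply` as root to install the rules; without `apply` it only defines the helpers.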

