[lxc-users] lxc and PREROUTING conflict

Fajar A. Nugraha list at fajar.net
Tue Aug 5 10:31:48 UTC 2014


On Tue, Aug 5, 2014 at 5:07 PM, Jeroen Ooms <jeroen.ooms at stat.ucla.edu> wrote:
> I have a little bare-metal ubuntu 14.04 server at home running a web
> service. The http(s) daemon runs on port 8006 and 8007, and iptables
> is used to redirect incoming requests. Have been using this setup
> forever, works great:
>
>     iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>     iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>     iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
>     iptables -A INPUT -p tcp --dport 8007 -j ACCEPT
>     iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8006
>     iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8007
>
> Now on the same server I would like to run LXC, however I am running
> into a strange problem. Within the LXC guests on this server, all
> outgoing http(s) requests seem to hit the prerouting rule, and are
> redirected to localhost:8006/8007 on the server. So the guests are not
> running any httpd or anything, this is just to download a file from
> the web. So for example, on the guest if I do:
>
>     curl http://www.google.com/foo
>
> I actually get the content of http://localhost:8006/foo on my host
> server. Naturally this makes the guest unworkable because the package
> manager can't get to the repositories because it is getting 404 for
> anything it needs.
>
> My question:
>
>  - Is this expected? Why do outgoing http(s) requests from the lxc
> guest hit the prerouting rules in the host machine?

Because you specify "-p tcp --dport 80" without limiting anything else
(e.g. destination IP).

>  - How can I modify the iptables PREROUTING line so that it still
> redirects incoming http requests to port 8006/8007 on the server, but
> does not affect the lxc guests?
>

Try adding a destination IP (e.g. "-d YOUR.PUBLIC.IP.ADDRESS") to your NAT rule.

-- 
Fajar
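The matching behaviour the question describes and the fix the reply suggests, as an added Python model of the nat PREROUTING chain (not code from either poster). The host address 203.0.113.10, the bridge name lxcbr0 and the remote address are constructed values; the interface-restricted variant is an alternative the thread itself does not mention.

```python
"""Model of how the nat PREROUTING chain sees host-bound vs container traffic.

Constructed illustration for the lxc-users thread; addresses and interface
names are made up. Only '-p tcp', '--dport', '-d' and '-i' matches are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One 'iptables -t nat -A PREROUTING ... -j REDIRECT --to-port N' rule."""
    dport: int
    to_port: int
    dst: Optional[str] = None       # '-d' match; None means any destination
    in_iface: Optional[str] = None  # '-i' match; None means any interface


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet entered the host on
    dst: str
    dport: int
    proto: str = "tcp"


def prerouting(rules: List[Rule], pkt: Packet) -> int:
    """Walk the chain in order; the first matching REDIRECT rewrites the port.

    Returns the destination port after the chain: the REDIRECT target if a
    rule matched, otherwise the original port (packet continues unchanged).
    """
    for r in rules:
        if pkt.proto != "tcp" or pkt.dport != r.dport:
            continue
        if r.dst is not None and pkt.dst != r.dst:
            continue
        if r.in_iface is not None and pkt.in_iface != r.in_iface:
            continue
        return r.to_port
    return pkt.dport


HOST_IP = "203.0.113.10"  # constructed public address of the server
# A request from the Internet to the host's web service arrives on eth0.
INBOUND = Packet(in_iface="eth0", dst=HOST_IP, dport=80)
# A container's outbound fetch is forwarded by the host; it traverses the
# host's PREROUTING chain on its way in from the LXC bridge.
CONTAINER_OUT = Packet(in_iface="lxcbr0", dst="198.51.100.7", dport=80)

# Rules as posted: every tcp/80 packet is redirected, whatever its destination.
BROKEN = [Rule(80, 8006), Rule(443, 8007)]
# Reply's fix: only packets addressed to the host's own public IP match.
FIXED_BY_DST = [Rule(80, 8006, dst=HOST_IP), Rule(443, 8007, dst=HOST_IP)]
# Alternative (not from the thread): match only on the external interface.
FIXED_BY_IFACE = [Rule(80, 8006, in_iface="eth0"), Rule(443, 8007, in_iface="eth0")]
```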

