[lxc-users] Internet to a container with local/private IP ( NAT ? )

Vijay Viswanathan vijay.vishy at gmail.com
Fri Jun 27 16:08:26 UTC 2014


Oops, I spoke too soon.
The commands on that link didn't work, but it looks like I need something to
that effect.

iptables --flush
 # iptables -A INPUT    -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # iptables -A INPUT    -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # iptables -A FORWARD  -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # iptables -A FORWARD  -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # Do NAT for outbound container traffic, so the responses route properly.
iptables -A POSTROUTING -t nat -s 192.168.10.0/24 -j MASQUERADE
 # Redirect inbound traffic for port 1234 to one of our guests.  You need to
 # specify your host's IP address where I have 10.4.38.182 or else your
 # own outbound port 1234 traffic will get redirected to the container, too.
iptables -t nat -A PREROUTING -p tcp -d 10.4.38.182 --dport 1234 -j DNAT --to 192.168.10.2
 # Actually accept the traffic the previous line redirected.
iptables -A FORWARD -p tcp -d 192.168.10.2 --dport 1234 -j ACCEPT

I guess I've got to tcpdump on br0 to see if eth1 is forwarding the
traffic to begin with.

Thx.

192.168.10.0/24 is the container network, with 192.168.10.1 as the
bridge connecting to the container/veth 192.168.10.2 (where my server is
running on 1234).
10.4.38.182 is the host.


On Thu, Jun 26, 2014 at 3:53 PM, Vijay Viswanathan
<vijay.vishy at gmail.com> wrote:
> Never mind, I found the tips from:
> http://www.pdxsys.com/articles/lxc/lxc2/ and got it working.
>
> Thx.
>
>
>
> On Thu, Jun 26, 2014 at 10:35 AM, Vijay Viswanathan
> <vijay.vishy at gmail.com> wrote:
>> I cannot pick up an IP from the 10.4.38.0/23 network for the containers.
>> I thought I picked up an IP from 192.168.10.0/24. Isn't 192.168.10.2 from there?
>> I know that some IP masquerade/NAT setting is missing but don't know how to do it.
>>
>> All I need is:
>> IN:
>> route/forward packets of the 192.168.10.0/24 network that are received on eth1 to br0
>> [ also,
>> here I will need to forward port 22 traffic to lxc2/veth2
>> and forward port 80 traffic to lxc3/veth3
>> ]
>>
>> OUT:
>> route/forward packets from br0 that are not 192.168.10.0/24 through
>> eth1 and put a br0 IP label on it
>>
>> typical NAT with the help of some bridge and ip_forward?
>>
>>
>>
>> tried :
>>
>> # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.fe264e1e9658       no              veth2
>>                                                         veth3
>> # brctl addif br0 eth1
>> # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.0000deadbeee       no              eth1
>>                                                         veth2
>>                                                         veth3
>>
>>
>> Thx.
>>
>>
>> On Thu, Jun 26, 2014 at 10:11 AM, Tamas Papp <tompos at martos.bme.hu> wrote:
>>>
>>> On 06/26/2014 07:00 PM, Vijay Viswanathan wrote:
>>>>
>>>> Hi
>>>> My interface looks like :
>>>>   br0[192.168.10.1] <-> veth2 [192.168.10.2]
>>>>   br0 <-> veth3 [192.168.10.3]
>>>> &
>>>>   an interface eth1 [ 10.4.38.222 ]
>>>> all three [br0, veth2, veth3 ] are in the same network [ 192.168.10. ]
>>>> so they are able to ping one another ( I set up the route for it )
>>>>
>>>> Now how do I ping-in/ping-out/connect to the container from my next
>>>> machine [10.4.38.221] that is in the 10.4.3x network ?
>>>>
>>>> ip_forward has 1 in it.
>>>>
>>>> IP forwarding should help here but it doesn't seem to.
>>>> my iptables has nothing in it . I tried to iptables (  iptables -t nat
>>>> -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE ) with no
>>>> effect
>>>>
>>>>
>>>> ---------
>>>>
>>>> # ifconfig from host:
>>>> br0       Link encap:Ethernet  HWaddr FE:26:4E:1E:96:58
>>>>            inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>>>>            inet6 addr: fe80::6c17:ebff:fe0b:4960/64 Scope:Link
>>>>            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>>>            RX packets:935 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:463 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:0
>>>>            RX bytes:66496 (64.9 KiB)  TX bytes:39538 (38.6 KiB)
>>>>
>>>> eth0      Link encap:Ethernet  HWaddr 00:00:DE:AD:BE:EF
>>>>            UP BROADCAST MULTICAST  MTU:1500  Metric:1
>>>>            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:1000
>>>>            RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>>
>>>> eth1      Link encap:Ethernet  HWaddr 00:00:DE:AD:BE:EE
>>>>            inet addr:10.4.38.182  Bcast:10.4.39.255  Mask:255.255.254.0
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>            RX packets:134332 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:1000
>>>>            RX bytes:19183426 (18.2 MiB)  TX bytes:169630 (165.6 KiB)
>>>>
>>>> eth1:0    Link encap:Ethernet  HWaddr 00:00:DE:AD:BE:EE
>>>>            inet addr:192.168.17.10  Bcast:192.168.17.255  Mask:255.255.255.0
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>
>>>> lo        Link encap:Local Loopback
>>>>            inet addr:127.0.0.1  Mask:255.0.0.0
>>>>            inet6 addr: ::1/128 Scope:Host
>>>>            UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>            RX packets:12 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:0
>>>>            RX bytes:756 (756.0 B)  TX bytes:756 (756.0 B)
>>>>
>>>> veth2     Link encap:Ethernet  HWaddr FE:E5:84:6E:5F:58
>>>>            inet6 addr: fe80::fce5:84ff:fe6e:5f58/64 Scope:Link
>>>>            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>>>            RX packets:475 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:896 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:1000
>>>>            RX bytes:40254 (39.3 KiB)  TX bytes:59336 (57.9 KiB)
>>>>
>>>> veth3     Link encap:Ethernet  HWaddr FE:26:4E:1E:96:58
>>>>            inet6 addr: fe80::fc26:4eff:fe1e:9658/64 Scope:Link
>>>>            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>>>            RX packets:441 errors:0 dropped:0 overruns:0 frame:0
>>>>            TX packets:893 errors:0 dropped:0 overruns:0 carrier:0
>>>>            collisions:0 txqueuelen:1000
>>>>            RX bytes:37874 (36.9 KiB)  TX bytes:58770 (57.3 KiB)
>>>>
>>>> # route
>>>> Kernel IP routing table
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> default         10.4.39.254     0.0.0.0         UG    0      0        0 eth1
>>>> 10.4.38.0       *               255.255.254.0   U     0      0        0 eth1
>>>> 192.168.10.0    *               255.255.255.0   U     0      0        0 br0
>>>> 192.168.17.0    *               255.255.255.0   U     0      0        0 eth1
>>>> # iptables --list
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> #
>>>
>>>
>>> If I were you, I would use bridged network setup and pick up IP for
>>> containers from the main network (10.4.38.0/23) since it's also a private
>>> network. If it's not possible for some reason, then you still can use IP
>>> from 192.168.10.0/24.
>>> It's unnecessary to make it more complicated. Why would you do that?
>>>
>>> tamas
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
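As an added example (not code from the thread, the linked article, or the LXC project), here is a POSIX shell script for the topology Vijay describes: br0 at 192.168.10.1, the container at 192.168.10.2 serving on port 1234, and the host reachable as 10.4.38.182 on eth1. It covers both the "IN/OUT" wish list from the earlier message and the rule set quoted at the top, and goes a step beyond them: the MASQUERADE and DNAT rules are pinned to the uplink with -o/-i (which is what keeps the host's own port-1234 traffic from being redirected), and the FORWARD chain is default-deny so only established flows, container-initiated outbound traffic, and the one forwarded port pass between br0 and eth1. Interface names and addresses are the thread's; the variable names, the function names, and the APPLY switch are my own assumptions. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Variable defaults are the thread's values;
# override them in the environment for another topology.
WAN_IF="${WAN_IF:-eth1}"              # host uplink on the 10.4.38.0/23 side
BR_IF="${BR_IF:-br0}"                 # bridge holding the container veths
HOST_IP="${HOST_IP:-10.4.38.182}"     # address clients on the 10.4.3x network connect to
CT_NET="${CT_NET:-192.168.10.0/24}"   # container network behind the bridge
CT_IP="${CT_IP:-192.168.10.2}"        # container running the service
PORT="${PORT:-1234}"                  # service port to publish

nat_rules() {
    # OUT: source-NAT container traffic only as it leaves the uplink, so
    # container-to-container traffic on br0 is left untouched.
    echo "iptables -t nat -A POSTROUTING -s $CT_NET -o $WAN_IF -j MASQUERADE"
    # IN: rewrite host:PORT to container:PORT, but only for packets that
    # arrived on the uplink (locally generated traffic never hits PREROUTING,
    # and -i keeps bridge-side traffic out of this rule as well).
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $HOST_IP --dport $PORT -j DNAT --to-destination $CT_IP:$PORT"
}

filter_rules() {
    # Default-deny forwarding, then open exactly what the topology needs.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Containers may open connections out through the uplink.
    echo "iptables -A FORWARD -i $BR_IF -o $WAN_IF -s $CT_NET -j ACCEPT"
    # From outside, only the DNAT'd port may reach the container.
    echo "iptables -A FORWARD -i $WAN_IF -o $BR_IF -p tcp -d $CT_IP --dport $PORT -m state --state NEW -j ACCEPT"
}

all_rules() { nat_rules; filter_rules; }

# Number of rule commands generated (handy for a quick sanity check).
rule_count() { all_rules | wc -l | tr -d ' '; }

# Commands to confirm the rules are actually being hit: packet counters on
# the DNAT rule, and the tcpdump on br0 mentioned in the thread.
verify_cmds() {
    echo "iptables -t nat -L PREROUTING -n -v --line-numbers"
    echo "iptables -L FORWARD -n -v --line-numbers"
    echo "tcpdump -ni $BR_IF tcp port $PORT"
}

apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    all_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    echo "# dry run; set APPLY=1 and run as root to install these rules"
    all_rules
    echo "# then verify with:"
    verify_cmds
fi
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root. If the DNAT counter in the PREROUTING listing stays at zero while a client on the 10.4.3x network connects, the packets are not reaching eth1 at all, which is the situation the tcpdump on br0 is meant to distinguish from a forwarding problem.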


More information about the lxc-users mailing list