[lxc-users] Internal networking of containers

Dave Pedu lxc at davepedu.com
Fri Sep 19 04:51:04 UTC 2014


Instead of using iptables, you can give a container a network interface 
(for a total of two).

On my system I have an ethernet bridge, br0, with the host's main 
interface on it. Then, in a container's config -

# primary, public interface 192.168.1.x from my router
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:e1:92:a3
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.veth.pair = vethplex0

# second, private interface 10.0.3.x
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:e1:92:a4
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.veth.pair = vethplex1

On 2014-09-18 21:19, Shidan wrote:
> Just figured out a fix, I think. For containers to address each
> other by both external and internal IPs, I set the DNAT rule on the
> OUTPUT and PREROUTING chain, instead of just on the PREROUTING as
> above. 
> 
> On Thu, Sep 18, 2014 at 11:03 PM, Shidan <shidan at gmail.com> wrote:
> 
>> I think the case of having a 1 to 1 assignment of external IPs to
>> containers is an important use case to document somewhere. 
>> 
>> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <shidan at gmail.com> wrote:
>> 
>>> Hello, I have multiple external IP addresses and set up iptables so
>>> that each container is assigned one external IP on the lxcbr0
>>> NATed bridge in a 1 to 1 fashion similar to this example:
>>> 
>>> root@SERVER:/var/log# iptables -t nat -L
>>> Chain PREROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> DNAT       all  --  anywhere             188.227.224.138     to:10.0.3.2
>>> DNAT       all  --  anywhere             188.227.224.139     to:10.0.3.3
>>> 
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> 
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> 
>>> Chain POSTROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> SNAT       all  --  10.0.3.2             !10.0.3.0/24         to:188.227.224.138
>>> SNAT       all  --  10.0.3.3             !10.0.3.0/24         to:188.227.224.139
>>> 
>>> Now when I try to access a container from another container, I am
>>> just hitting the host, so for ssh for example, even if I try the
>>> IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I
>>> will actually connect to the physical host's SSH daemon. Everything
>>> works fine for connections from/to external machines. 
>>> 
>>> What am I doing wrong? 
> 
> 
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
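The following POSIX shell script is an added example, not code from the thread, from Dave, Shidan, or the LXC project. It generates the two pieces discussed above: a 1:1 NAT rule set in which the DNAT is placed on both PREROUTING and OUTPUT (Shidan's reported fix) with the POSTROUTING SNAT excluding the bridge subnet, and an LXC 1.x config fragment giving a container a second veth interface (Dave's approach). The function names gen_nat_rules, validate_mappings, gen_lxc_two_nics and is_ipv4 are my own; the script prints iptables commands rather than running them, so the rules can be reviewed before being applied with the real iptables binary. Addresses and MACs are the ones quoted in the thread and are used here only as constructed sample values.

```shell
#!/bin/sh
# Added example: 1:1 external-to-container NAT for LXC on a NATed bridge,
# plus a two-interface container config. Not part of the mailing-list thread.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Return 0 when every mapping in "$1" (space-separated EXT:INT pairs) has two
# valid IPv4 addresses and no address appears twice. A duplicate external IP
# would silently send one container's inbound traffic to another container,
# so this is checked before any rule is emitted.
validate_mappings() {
    for m in $1; do
        case $m in
            *:*) ;;
            *) printf 'bad mapping (expected EXT:INT): %s\n' "$m" >&2; return 1 ;;
        esac
        ext=${m%%:*}
        int=${m##*:}
        is_ipv4 "$ext" && is_ipv4 "$int" || {
            printf 'bad address in mapping: %s\n' "$m" >&2; return 1; }
    done
    dups=$(for m in $1; do printf '%s\n%s\n' "${m%%:*}" "${m##*:}"; done | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'address used more than once: %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Print the iptables commands for a 1:1 mapping set, one command per line.
# $1 = private bridge subnet (e.g. 10.0.3.0/24), $2 = EXT:INT mappings.
# Nothing is executed here; pipe the output to sh once it has been reviewed.
gen_nat_rules() {
    subnet=$1
    for m in $2; do
        ext=${m%%:*}
        int=${m##*:}
        # DNAT for packets arriving on any interface, including the bridge
        printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s\n' "$ext" "$int"
        # DNAT for packets generated by the host itself (the OUTPUT fix from the thread)
        printf 'iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n' "$ext" "$int"
        # SNAT outbound traffic, leaving container-to-container traffic untouched
        printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j SNAT --to-source %s\n' \
            "$int" "$subnet" "$ext"
    done
}

# Print an LXC 1.x config fragment with eth0 on the public bridge and eth1 on
# the private bridge. $1 = container name (veth pair names are derived from it
# and must stay under the 15-character interface-name limit), $2 = public
# bridge, $3 = private bridge, $4 = MAC for eth0, $5 = MAC for eth1.
gen_lxc_two_nics() {
    cat <<EOF
# primary, public interface
lxc.network.type = veth
lxc.network.hwaddr = $4
lxc.network.link = $2
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.veth.pair = veth${1}0

# second, private interface
lxc.network.type = veth
lxc.network.hwaddr = $5
lxc.network.link = $3
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.veth.pair = veth${1}1
EOF
}

# Constructed sample input using the addresses quoted in the thread.
MAPPINGS="188.227.224.138:10.0.3.2 188.227.224.139:10.0.3.3"
validate_mappings "$MAPPINGS"
gen_nat_rules 10.0.3.0/24 "$MAPPINGS"
gen_lxc_two_nics plex br0 lxcbr0 00:16:3e:e1:92:a3 00:16:3e:e1:92:a4
```

Two points worth keeping in mind when using rules of this shape: a DNAT that matches all protocols exposes every port the container listens on at its external address, so if only particular services should be reachable, add `-p` and `--dport` matches to the PREROUTING and OUTPUT rules rather than forwarding everything; and the second-interface approach in Dave's reply sidesteps the NAT question for container-to-container traffic entirely, since the containers then talk directly over the bridge.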

