[lxc-users] iptables (DNAT) woes
Chris Burroughs
chris.burroughs at gmail.com
Thu Apr 9 20:39:41 UTC 2015
I have an existing application that relies on some custom iptables logic
to function inside our network. It uses several rules along the lines of:
iptables -t nat -A OUTPUT -j DNAT -p tcp --dst x.x.x.x --dport 7000 -o eth0 --to-destination y.y.y.y
There are several nodes and there is a DNAT rule for each node. I am
using centos6 privileged containers with macvlan. iptables appears to
basically work. For example, dropping all ICMP traffic or blocking a
specific port acts as expected. However, DNAT rules like the above
only work [1] for containers that happen to be colocated on the same
physical host.
I could imagine ways that lxc + macvlan + iptables could result in some
source IP based edge cases, but I'm very confused about what is happening with
destination based rules.
[1] Tested with telnet + nc to rule out anything application specific.
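As an added diagnostic example (not part of the original post), a small Python parser over `iptables -t nat -L OUTPUT -v -n -x` output that reports how many packets a given DNAT rule matched between two counter snapshots taken around a test connection, which separates "the rule never matches" from "the rule matches but the rewritten packet goes nowhere". The sample output, addresses and ports below are constructed placeholders.

```python
import re

# Constructed sample of `iptables -t nat -L OUTPUT -v -n -x` output, modelled on
# the rule shape in the post. Addresses are placeholders, not real hosts.
SAMPLE_BEFORE = """\
Chain OUTPUT (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 DNAT       tcp  --  *      eth0    0.0.0.0/0            10.0.0.11            tcp dpt:7000 to:10.0.0.21:7000
       0        0 DNAT       tcp  --  *      eth0    0.0.0.0/0            10.0.0.12            tcp dpt:7000 to:10.0.0.22:7000
"""
# Constructed second snapshot: one more packet hit the first rule.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("      42     2520", "      43     2580")

# Column layout of a rule line in -v -n -x output:
# pkts bytes target prot opt in out source destination [match details]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

def parse_nat_rules(text):
    """Parse rule lines of a nat chain listing; header/policy lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        dport = re.search(r"dpt:(\d+)", m.group("extra"))
        to = re.search(r"to:(\S+)", m.group("extra"))
        rules.append({
            "pkts": int(m.group("pkts")), "target": m.group("target"),
            "out": m.group("out"), "dst": m.group("dst"),
            "dport": int(dport.group(1)) if dport else None,
            "to": to.group(1) if to else None,
        })
    return rules

def dnat_counter_delta(before, after, dst, dport):
    """Packets matched by the DNAT rule for dst:dport between two snapshots.
    None if no such rule is present in both. Zero after a test connection
    means the rule never matched; positive with a failed connection means the
    rewritten packet was sent but not delivered or not answered."""
    def find(rules):
        for r in rules:
            if r["target"] == "DNAT" and r["dst"] == dst and r["dport"] == dport:
                return r
        return None
    b, a = find(parse_nat_rules(before)), find(parse_nat_rules(after))
    if b is None or a is None:
        return None
    return a["pkts"] - b["pkts"]
```

Take the first snapshot, run the telnet/nc test from the container, take the second, and feed both to `dnat_counter_delta` for the destination under test.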