[lxc-users] iptables (DNAT) woes
Chris Burroughs
chris.burroughs at gmail.com
Fri Apr 10 13:57:57 UTC 2015
To elaborate on 'does not work', this is what is happening going from container A
to B according to tcpdump on the host:
A: ack
B: syn+ack
A: rst
Based on the source and destination addresses, the DNAT rule is
re-writing the address correctly, but for some reason it does not like
the response and RSTs it.
On 04/09/2015 04:39 PM, Chris Burroughs wrote:
> I have an existing application that relies on some custom iptables logic
> to function inside our network. It uses several rules along the lines of:
>
> iptables -t nat -A OUTPUT -j DNAT -p tcp --dst x.x.x.x --dport 7000 -o
> eth0 --to-destination y.y.y.y
>
> There are several nodes and there is a DNAT rule for each node. I am
> using centos6 privileged containers with macvlan. iptables appears to
> basically work. For example, dropping all ICMP traffic or blocking a
> specific port acts as expected. However, DNAT rules like the above
> only work [1] for containers that happen to be colocated on the same
> physical host.
>
> I could imagine ways that lxc + macvlan + iptables could result in some
> source IP based edge cases, but I'm very confused what is happening with
> destination based rules.
>
> [1] Tested with telnet + nc to rule out anything application specific.
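The SYN / SYN+ACK / RST sequence above is what a client TCP stack produces when the SYN+ACK it receives does not come from the 4-tuple it connected to. With a DNAT rule on the OUTPUT chain, the outgoing SYN is rewritten to y.y.y.y, and conntrack is responsible for rewriting the reply's source back to x.x.x.x before the client socket sees it; if that reverse translation is skipped, the client sees a SYN+ACK from an address it never connected to and answers with RST. The following toy model is an added illustration of that mechanism, not code from the post, from LXC or from netfilter, and it does not claim to be the diagnosis of the poster's setup. The addresses 10.0.0.10 (standing in for x.x.x.x), 192.168.1.10 (for y.y.y.y) and 10.0.0.2 (the client) are constructed placeholders, and port 7000 is taken from the rule in the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST


# Constructed stand-ins for the post's x.x.x.x (advertised address) and
# y.y.y.y (real node); the client container's address is also made up.
ADVERTISED = "10.0.0.10"
REAL_NODE = "192.168.1.10"
CLIENT = "10.0.0.2"

# Models the post's rule:
#   iptables -t nat -A OUTPUT -p tcp --dst x.x.x.x --dport 7000 \
#            -o eth0 -j DNAT --to-destination y.y.y.y
DNAT_RULES = {(ADVERTISED, 7000): (REAL_NODE, 7000)}


class Conntrack:
    """Minimal conntrack: remembers the original destination of every
    DNATed flow so that replies from the real node can be rewritten back
    to the address the client actually connected to."""

    def __init__(self):
        # (client, sport, real_dst, dport) -> (advertised_dst, dport)
        self._orig = {}

    def nat_output(self, pkt):
        """OUTPUT chain: rewrite the destination of a new outgoing flow."""
        target = DNAT_RULES.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        new = replace(pkt, dst=target[0], dport=target[1])
        self._orig[(new.src, new.sport, new.dst, new.dport)] = (pkt.dst, pkt.dport)
        return new

    def nat_reply(self, pkt):
        """Reverse translation for a reply: map the real node's address
        back to the advertised one if we have a conntrack entry."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self._orig.get(key)
        if orig is None:
            return pkt
        return replace(pkt, src=orig[0], sport=orig[1])


def client_handle_synack(expected, pkt):
    """The client TCP stack accepts a SYN+ACK only from the 4-tuple it
    sent the SYN to; any other SYN+ACK belongs to no connection it knows
    about and is answered with RST."""
    if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == expected:
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "A")
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "R")


def simulate(reverse_translate):
    """Return the packets a host-side tcpdump would see for a connect()
    from CLIENT to ADVERTISED:7000. reverse_translate=False models a
    reply that is delivered to the client without conntrack undoing the
    DNAT (the mapping is never reversed)."""
    ct = Conntrack()
    trace = []
    syn = Packet(CLIENT, 40000, ADVERTISED, 7000, "S")
    wire_syn = ct.nat_output(syn)
    trace.append(wire_syn)
    # The real node replies to whatever source it saw on the wire.
    synack = Packet(wire_syn.dst, wire_syn.dport, wire_syn.src, wire_syn.sport, "SA")
    trace.append(synack)
    delivered = ct.nat_reply(synack) if reverse_translate else synack
    expected = (ADVERTISED, 7000, CLIENT, 40000)
    trace.append(client_handle_synack(expected, delivered))
    return trace


def flags_seen(reverse_translate):
    """Just the TCP flags of the three packets, in order."""
    return [p.flags for p in simulate(reverse_translate)]


if __name__ == "__main__":
    for label, rev in (("reply un-DNATed", True), ("reply not un-DNATed", False)):
        print(f"{label}: {flags_seen(rev)}")
```

Running it prints `['S', 'SA', 'A']` when the reply is translated back and `['S', 'SA', 'R']` when it is not, the second being the shape of the trace in the post. When debugging the real thing, the useful check is to compare what `tcpdump` shows on the host with what `tcpdump` shows inside the container: the SYN+ACK has to arrive at the container with x.x.x.x as its source, not y.y.y.y, or the socket will reset it.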