[lxc-users] Can I setup a private nat ipv4 and a public ipv6 address at same time for a lxc2 container?

littlebat dashing.meng at gmail.com
Sat Jun 3 02:31:44 UTC 2017 

Hi,
Thanks the answers of all. This reply is also to the answer of Anrey Repin "How
about adding two NICs to the container:  one for private networking (via
lxdbridge) and one for public networking (via macvlan)?".

I am not familar with ipv6, but, at least, I found a way to resovle the
question, by the hint of Anry Repin, to create another NIC in the
container. But not macvlan, the another is "host-shared bridge" described
in my first post. So, the another NIC in the container linked to the
host-shared bridge in host, this NIC in the container attaching a ipv6
address can be public accessiable.

The macvlan didn't work for me.

And, just setup a ipv6 address in container without modifing other didn't
work for me yet.

The only way the container ipv6 communicating with public is creating a
bridge in host, container can link bridge, bridge can reach public internet.

And,if bridge is host-shared, then container can access public internet
without further setup.

If bridge is "independent bridge" described in my first post, then I must
use ipv6 forward to communicate bridge with main NIC in host. This if my
"NAT ipv6". I don't know if there is "NAT" concept in ipv6, but it works in
this way, just like ipv4 nat.

I decribe my 'NAT ipv6" more detail.

For example:
Main NIC in host: 8:8:8:8::1/64
"independent bridge" br0 in host: 8:8:8:8:1:1:1:10/112
NIC in container: 8:8:8:8:1:1:1:20/112
Set "net.ipv6.conf.all.forwarding=1" in /etc/sysctl.conf in host, then use
ip6tables to forward packet:
ip6tables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 2222 -j DNAT
--to-destination 8:8:8:8:1:1:1:20
ip6tables -t nat -A POSTROUTING -s 8:8:8:8:1:1:1:0/112 ! -d
8:8:8:8:1:1:1:0/112 -j MASQUERADE

In any way, the question is resolved, if there are not further needs, I
won't spend time on the detail about ipv6 or something else. If anyone is
interested in this question, you can try youself, my test platform is
Vultr.com.

Thanks again.

On 2 June 2017 at 22:46, Andrey Repin <anrdaemon at yandex.ru> wrote:

> Greetings, littlebat!
>
> > I have studied my question several days and searched many online
> resource,
> > but didn't resolve this. The detail is too long, I describe a brief
> version below:
>
> > I have a debian 9 host server installed lxc2 server, the host server has
> > only one pulic ipv4 address, suppose it is 8.8.8.8, and a public /64
> subnet
> > ipv6 pool, suppose it is 8:8:8:8::/64, and the eth0 of host ipv6 is:
> 8:8:8:8::1/64.
>
> > My goal is building the lxc unprivileged container, with a private nat
> ipv4
> > address, suppose it is 10.1.0.10, so I use ip forward to access container
> > from internet using public ipv4 plus port (suppose 8.8.8.8:2222forward
> > to/from 10.1.0.10:22). And, at same time, I want assign container a
> public
> > ipv6 address or ipv6 subnet( /112, can it be public accessed? ), so I can
> > access container from internet using public ipv6(suppose 8:8:8:8::10/64
> port
> > 22 or 8:8:8:8::10/112 port 22 ? ). For simplifing question, suppose only
> > assign a public ipv6 (not a public ipv6 subnet) address to the container.
>
> > Util today, I can only setup both private nat ipv4(10.1.0.10) and private
> > nat ipv6(8:8:8:8::10/112)
>
> There's no such thing as NAT in IPv6.
>
> > for the container, open ipv4 and ipv6 forward in /etc/sysctl.conf, and
> using
> > iptables and ip6tables to forward public traffic to or from
> > container(8.8.8.8:2222<->10.1.0.10:22,  8:8:8:8::1/64 port 2222 <->
> > 8:8:8::10/112 port 22). This is done by create a "2. independent
> bridge"(a
> > different bridge out of thin air and link your containers together
> > on this bridge, but use forwarding to get it out on the internet or to
> get
> > traffic into it. debian wiki: https://wiki.debian.org/LXC/SimpleBridge).
> > reference: LXC host featuring IPv6 connectivity
> > https://blog.cepharum.de/en/post/lxc-host-featuring-ipv6-
> connectivity.html
>
> > And, I can create a "1. host-shared bridge"(a bridge out of your main
> > network interface which will hold both the host's IP and the container's
> IP
> > addresses. debian wiki: https://wiki.debian.org/LXC/SimpleBridge).
> Then, I
> > can assign a public ipv6 address to the container. But, I can't assign a
> > private nat ipv4 address to the container now. So, it is no way to public
> > access container using ipv4 address(because the sole public ipv4 address
> only avalable on host network card).
>
> > My question is:
> > 1, Can I setup a private nat ipv4 and a public ipv6 address at same time
> for a lxc2 container?
>
> Yes.
>
> > 2, How to do it?
>
> Just route IPv6 addresses to container.
> I.e. dedicate an IPv6 subnet to the containers on your bridge and just
> assign
> IPv6 addresses in any way you could.
>
> > any idea or online resource link is welcome.
>
> What you must understand is that IPv6 and IPv4 is a two separate IP stacks.
> Setup of one does not interfere with another, not in any way depend on it,
> unless YOU make it so.
>
>
> --
> With best regards,
> Andrey Repin
> Friday, June 2, 2017 17:42:08
>
> Sorry for my terrible english...
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170603/594e5bd0/attachment.html>

More information about the lxc-users mailing list