I've installed LXC on a debian/sid and created a jessie/amd64 container
sudo apt-get install lxc debootstrap libvirt-clients \ libvirt-daemon-system ebtables dnsmasq sudo lxc-create -t /usr/share/lxc/templates/lxc-debian -n debian then I start the bridge
sudo virsh net-start default This create 2 network if virbr0 and virbr0-nic, veth94ECU1 is created after lxc-start, is using the network 192.168.122.0/24 and the ip is assigned by dhcp.
The container start fine, it can reach the host and viceversa, I can ping it and if there's a web server running I can access with a browser from the host.
virsh net-start also add some rule to iptables (I don't have a firewall running on the host so by default everything is empty and ACCEPT)
iptables -L after net-start
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:bootpc iptables -L -t nat after net-start
Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination RETURN all -- 192.168.122.0/24 base-address.mcast.net/24 RETURN all -- 192.168.122.0/24 255.255.255.255 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24 /proc/sys/net/ipv4/ip_forward is 1
Now I'd like to NAT some host port to the container, finding a solution everything online seems to point in the same direction, something like that below should work:
iptables -A PREROUTING -t nat -p tcp --dport $HPORT -j DNAT --to $VRIP:$VRPORT iptables -A FORWARD -p tcp -d $VRIP --dport $VRPORT -j ACCEPT but it isn't, what I'm missing?
update
I switched from lxc-nat/virsh net-start (virbr0) to host nat (br0) following this post: Converting eth0 to br0 and getting all your LXC or LXD onto your LAN
It works, containers get the ip via dhcp from the LAN router and are in the same net, that's convenient because my router can NAT-port forward only LAN addresses.
Briefly, create a br0 interface in /etc/network/interfaces, like that:
auto br0 iface br0 inet static address 192.168.2.210 netmask 255.255.255.0 network 192.168.2.0 broadcast 192.168.2.255 gateway 192.168.2.1 bridge-ifaces eth0 bridge-ports eth0 up ifconfig eth0 up iface eth0 inet manual then use lxc.network.link = br0 in the container config.
Still, if somebody know a way to NAT only some port without using an host bridge I'd like to hear about.
