On Tue, Aug 5, 2014 at 5:07 PM, Jeroen Ooms <jeroen.o...@stat.ucla.edu> wrote:
> I have a little bare-metal ubuntu 14.04 server at home running a web
> service. The http(s) daemon runs on port 8006 and 8007, and iptables
> is used to redirect incoming requests. Have been using this setup
> forever, works great:
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
> iptables -A INPUT -p tcp --dport 8007 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8006
> iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8007
>
> Now on the same server I would like to run LXC, however I am running
> into a strange problem. Within the LXC guests on this server, all
> outgoing http(s) requests seem to hit the prerouting rule, and are
> redirected to localhost:8006/8007 on the server. So the guests are not
> running any httpd or anything, this is just to download a file from
> the web. So for example, on the guest if I do:
>
> curl http://www.google.com/foo
>
> I actually get the content of http://localhost:8006/foo on my host
> server. Naturally this makes the guest unworkable because the package
> manager can't get to the repositories because it is getting 404 for
> anything it needs.
>
> My question:
>
> - Is this expected? Why do outgoing http(s) requests from the lxc
> guest hit the prerouting rules in the host machine?
Because you specify "-p tcp --dport 80" without limiting anything else (e.g. destination IP)

> - How can I modify the iptables PREROUTING line so that it still
> redirects incoming http requests to port 8006/8007 on the server, but
> does not affect the lxc guests?

Try adding destination IP (e.g. "-d YOUR.PUBLIC.IP.ADDRESS") to your NAT rule

-- 
Fajar

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
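The fix Fajar suggests, written out as an added example (this is editor-supplied shell, not code from either poster or from the LXC project). The script emits the two PREROUTING REDIRECT rules with a `-d` match so that only packets actually addressed to the host's public address are rewritten, and it includes a small audit helper that flags any PREROUTING REDIRECT rule lacking a destination match in `iptables-save` output. The address 203.0.113.10 is a documentation placeholder standing in for YOUR.PUBLIC.IP.ADDRESS, the function names are my own, and the sample `iptables-save` text is constructed to mirror the rules in the question.

```shell
#!/bin/sh
# Added example: destination-restricted REDIRECT rules for the setup in the
# thread, plus an audit for the over-broad form that caught container traffic.
# PUBLIC_IP is an assumption (RFC 5737 documentation address); set it to the
# host's real public address before applying.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# Print (do not apply) the corrected NAT rules for a given public IP.
# The only change from the original rules is the "-d <ip>" match, so packets
# that LXC guests send to other destinations no longer match.
nat_rules() {
    ip="$1"
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport 80 -j REDIRECT --to-ports 8006\n' "$ip"
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport 443 -j REDIRECT --to-ports 8007\n' "$ip"
}

# Number of emitted rules that carry the destination match for that IP.
count_restricted() {
    nat_rules "$1" | grep -c -- "-d $1 "
}

# Audit helper: feed it iptables-save(8) output (or plain iptables commands)
# on stdin; it prints every PREROUTING REDIRECT rule with no "-d" match,
# i.e. rules that rewrite traffic regardless of where it is going.
unrestricted_redirects() {
    grep -- '-A PREROUTING' | grep -- '-j REDIRECT' | grep -v -- ' -d '
}

# Constructed sample in iptables-save form, mirroring the question's rules.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8006
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8007
COMMIT'

# How many of the sample rules are over-broad (expected: both of them).
count_unrestricted_in_sample() {
    printf '%s\n' "$SAMPLE_NAT" | unrestricted_redirects | grep -c .
}

# Apply for real only when explicitly asked and running as root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    nat_rules "$PUBLIC_IP" | sh
    iptables -t nat -L PREROUTING -n -v
fi
```

To check a live host, run `iptables-save -t nat | unrestricted_redirects` after sourcing the script; any line it prints is a rule that will also catch guest traffic passing through the host. After replacing the rules, `curl -sI http://www.google.com/` from a guest should return Google's headers rather than the host service's 404. Note that the filter INPUT chain sees the post-NAT port, so it is the ACCEPT rules for 8006/8007, not those for 80/443, that admit the redirected connections; guests that deliberately connect to the host's public address will still be redirected, which is the intended behaviour.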