On Mon, Sep 15, 2014 at 3:34 PM, Adam Gold <[email protected]> wrote:
>> Just a wild guess, I'm assuming macvlan has problems with bridge interface.
>>
>> Have you tried using a physical interface (e.g. eth0) as
>> lxc.network.link? Or better yet, since you already create a bridge,
>> use lxc.network.type = veth?
>>
>
> I should give just a little bit more context. I'm trying to set up a
> DMZ container which would service a private subnet of containers (as a
> choke firewall, reverse proxy etc). The host's physical interface,
> bond0, has been attached to br0. I initially tried creating a container
> (ct1) with two veth interfaces, one attached to br0 for external
> internet connectivity, the other attached to the default lxcbr0. I
> created a second container (ct2) with a single veth interface attached
> to lxcbr0. Ct1 was accessible from the outside world and was able to
> ping ct2. However, getting to ct2 from the outside world (e.g. to ssh in
> and modify configs - easier than using lxc console or doing a double ssh
> via ct1) has been problematic.
>
> I'm wondering whether this is an iptables issue. On ct1, cat
> /proc/sys/net/ipv4/ip_forward gives me a result of 1 and I'm using
> fairly simple rules to forward from ct1 to ct2 as follows (eth0 =
> external; eth1 = internal)
>
> ## setup forwarding
> -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
> -t nat -A POSTROUTING -s subnet_addresses -o eth0 -j MASQUERADE
> ## NAT for ssh
> -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d ct1_external_ip --dport 10088 -j DNAT --to ct2:22
> -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d ct2_ip --dport 22 -j ACCEPT
>

The "official" networking guide for lxc on Ubuntu:
https://help.ubuntu.com/14.04/serverguide/lxc.html#lxc-network

At first glance your config looks correct, but the most obvious possible source of problem would be "-i eth0". You said that your public IP is now on br0. I'd try to remove the "-i" part altogether, to see if it is indeed the source of problem.

> Apologies, total noob mistake for not providing this additional
> background. I've used these iptables rules with xen and kvm in a
> similar dmz style setup before with no problems but if there's something
> specific I need to know for lxc that would be great to hear about.
>
> Of course I'm still curious why the macvlan isn't working and would like
> to get that set up as well!

Good luck. Personally I don't see a use for macvlan in my setup, since bridge works fine. And I also have a somewhat-complicated-direct-route-and-arp setup (which is in a way similar to proxyarp, but use less IPs) if I can't use a bridge for whatever reason (e.g. when provider only allows a single MAC).

--
Fajar

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
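An added example, not from either poster: the quoted rules mix `-t nat` into `-A` lines, which is neither `iptables` nor `iptables-restore` syntax, so this hypothetical `dmz_rules` helper renders the same ct1 ruleset as a proper iptables-restore file (separate `*nat` and `*filter` tables), with an empty first argument dropping the `-i`/`-o` external-interface matches as Fajar suggests trying. The `FORWARD DROP` default policy and all addresses are assumptions, chosen to match the "choke firewall" role described above.

```shell
#!/bin/sh
# Hypothetical helper (added example): print iptables-restore input for the
# DMZ container. Arguments: EXT_IF INT_IF INT_SUBNET CT1_EXT_IP CT2_IP PUB_PORT.
# An empty EXT_IF omits the "-i"/"-o" external-interface matches entirely.
dmz_rules() {
    ext_if=$1; int_if=$2; subnet=$3; ct1_ip=$4; ct2_ip=$5; pub_port=$6
    in_ext=""; out_ext=""
    if [ -n "$ext_if" ]; then
        in_ext="-i $ext_if "
        out_ext="-o $ext_if "
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the private container subnet behind ct1's external address
-A POSTROUTING -s $subnet ${out_ext}-j MASQUERADE
# Expose ct2's sshd on external port $pub_port of ct1
-A PREROUTING ${in_ext}-p tcp --sport 1024:65535 -d $ct1_ip --dport $pub_port -j DNAT --to-destination $ct2_ip:22
COMMIT
*filter
# Assumed hardening: forward nothing that is not explicitly allowed below
:FORWARD DROP [0:0]
# Replies to connections the private subnet opened
-A FORWARD ${in_ext}-o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections from the private subnet to the outside
-A FORWARD -i $int_if ${out_ext}-m conntrack --ctstate NEW -j ACCEPT
# The DNATed ssh session (FORWARD sees the rewritten destination, ct2:22)
-A FORWARD ${in_ext}-o $int_if -p tcp --sport 1024:65535 -d $ct2_ip --dport 22 -j ACCEPT
COMMIT
EOF
}

# Example run with constructed placeholder addresses (not the poster's):
dmz_rules eth0 eth1 10.0.3.0/24 203.0.113.10 10.0.3.20 10088
```

The output can be syntax-checked on the container with `iptables-restore --test` before it is loaded, and the empty-EXT_IF variant gives a quick way to confirm whether the `-i eth0` match is what breaks the DNAT.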
