Just figured out a fix, I think. For containers to address each other by both external and internal IPs, I set the DNAT rule on the OUTPUT and PREROUTING chains, instead of just on PREROUTING as above.
On Thu, Sep 18, 2014 at 11:03 PM, Shidan <[email protected]> wrote:
> I think the case of having a 1 to 1 assignment of external IPs to
> containers is an important use case to document somewhere.
>
> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <[email protected]> wrote:
>
>> Hello, I have multiple external IP addresses and set up iptables so that
>> each container is assigned one external IP on the lxcbr0 NATed bridge in
>> a 1 to 1 fashion, similar to this example:
>>
>> root@SERVER:/var/log# iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> DNAT all -- anywhere 188.227.224.138 to:10.0.3.2
>> DNAT all -- anywhere 188.227.224.139 to:10.0.3.3
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target prot opt source destination
>> SNAT all -- 10.0.3.2 !10.0.3.0/24 to:188.227.224.138
>> SNAT all -- 10.0.3.3 !10.0.3.0/24 to:188.227.224.139
>>
>> Now when I try to access a container from another container, I am just
>> hitting the host, so for ssh for example, even if I try the IPs
>> 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I will actually
>> connect to the physical host's SSH daemon. Everything works fine when
>> connecting from/to external machines.
>>
>> What am I doing wrong?
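The 1:1 mapping discussed in this thread, written out as a small generator that emits the nat table in iptables-restore format: DNAT on both PREROUTING and OUTPUT (the fix from the reply) and SNAT on POSTROUTING that leaves bridge-local traffic alone. This is an added example, not code from the thread; it assumes the default lxcbr0 subnet 10.0.3.0/24, and the MAPPING, is_ipv4 and gen_nat_rules names are mine.

```shell
#!/bin/sh
# Added example: generate the nat table for a 1:1 external-IP to container mapping.
# Assumption: containers live on lxcbr0 with the default 10.0.3.0/24 subnet.
BRIDGE_NET="10.0.3.0/24"

# Constructed sample mapping "EXT_IP CONTAINER_IP", one pair per line,
# using the addresses quoted in the thread.
MAPPING="188.227.224.138 10.0.3.2
188.227.224.139 10.0.3.3"

# is_ipv4 ADDR: crude dotted-quad check so a typo never becomes a NAT rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_nat_rules: print an iptables-restore nat table for every mapping line.
# Returns non-zero (and prints nothing usable) if any address is malformed.
gen_nat_rules() {
    printf '%s\n' '*nat'
    echo "$MAPPING" | while read -r ext int; do
        [ -z "$ext" ] && continue
        if ! is_ipv4 "$ext" || ! is_ipv4 "$int"; then
            echo "bad mapping: $ext $int" >&2
            exit 1   # leaves only the pipeline subshell; caught below
        fi
        # Inbound from outside: rewrite the external IP to the container.
        printf '%s\n' "-A PREROUTING -d $ext -j DNAT --to-destination $int"
        # Host- and bridge-originated traffic to the external IP (the reply's fix).
        printf '%s\n' "-A OUTPUT -d $ext -j DNAT --to-destination $int"
        # Outbound: only rewrite the source when the packet leaves the bridge net,
        # so container-to-container traffic on lxcbr0 keeps its real addresses.
        printf '%s\n' "-A POSTROUTING -s $int ! -d $BRIDGE_NET -j SNAT --to-source $ext"
    done || return 1
    printf '%s\n' 'COMMIT'
}

# On the host (as root): gen_nat_rules | iptables-restore -n
# Verify with: iptables -t nat -L -n -v   (the -v counters show which rules match)
```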
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
