Instead of using iptables, you can give a container a network interface (for a total of two).

On my system I have an ethernet bridge, br0, with the host's main interface on it. Then, in a container's config -

# primary, public interface 192.168.1.x from my router
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:e1:92:a3
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.veth.pair = vethplex0

# second, private interface 10.0.3.x
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:e1:92:a4
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.veth.pair = vethplex1

On 2014-09-18 21:19, Shidan wrote:
Just figured out a fix, I think. For containers to address each
other by both external and internal IPs, I set the DNAT rule on the
OUTPUT and PREROUTING chain, instead of just on the PREROUTING as
above.

On Thu, Sep 18, 2014 at 11:03 PM, Shidan <[email protected]> wrote:

I think the case of having a 1 to 1 assignment of external IPs to
containers is an important use case to document somewhere. 

On Thu, Sep 18, 2014 at 12:09 PM, Shidan <[email protected]> wrote:

Hello, I have multiple external IP addresses and set up iptables so
that each container is assigned one external IP on the lxcbr0
NATed bridge in a 1 to 1 fashion similar to this example:

root@SERVER:/var/log# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             188.227.224.138      to:10.0.3.2
DNAT       all  --  anywhere             188.227.224.139      to:10.0.3.3

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.0.3.2             !10.0.3.0/24         to:188.227.224.138
SNAT       all  --  10.0.3.3             !10.0.3.0/24         to:188.227.224.139

Now when I try to access a container from another container, I am
just hitting the host, so for ssh for example, even if I try the
IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I
will actually connect to the physical host's SSH daemon. Everything
works fine when connecting from/to external machines.

What am I doing wrong?
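The nat table quoted above, run through an added audit script (my addition, not code from this thread or from LXC) that reports the asymmetry the follow-up describes: a public IP DNATed in PREROUTING but not in OUTPUT, or a DNAT with no matching POSTROUTING SNAT. The sample input is constructed from the post's listing (each rule re-joined onto one line, empty INPUT chain omitted) and assumes the layout of `iptables -t nat -L` output.

```python
import re
from collections import defaultdict

# Constructed sample: the `iptables -t nat -L` output quoted in the post,
# re-joined so that each rule sits on one line as iptables prints it.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             188.227.224.138      to:10.0.3.2
DNAT       all  --  anywhere             188.227.224.139      to:10.0.3.3

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.0.3.2             !10.0.3.0/24         to:188.227.224.138
SNAT       all  --  10.0.3.3             !10.0.3.0/24         to:188.227.224.139
"""

# target, prot, opt, source, destination, then the "to:" translation address
RULE = re.compile(r"^(DNAT|SNAT)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+to:(\S+)")

def parse_nat_table(text):
    """Map each chain name to its (target, source, destination, to) NAT rules."""
    chains, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            continue
        m = RULE.match(line)
        if m and current:
            chains[current].append(m.groups())
    return chains

def audit_one_to_one(text):
    """Flag public IPs whose PREROUTING DNAT lacks the same DNAT in OUTPUT
    (locally generated traffic) or a matching POSTROUTING SNAT."""
    chains = parse_nat_table(text)
    dnat = {c: {d: to for t, _, d, to in chains[c] if t == "DNAT"}
            for c in ("PREROUTING", "OUTPUT")}
    snat = {s: to for t, s, _, to in chains["POSTROUTING"] if t == "SNAT"}
    findings = []
    for pub, priv in dnat["PREROUTING"].items():
        if dnat["OUTPUT"].get(pub) != priv:
            findings.append(f"{pub} -> {priv}: DNAT only in PREROUTING, missing in OUTPUT")
        if snat.get(priv) != pub:
            findings.append(f"{pub} -> {priv}: no matching SNAT in POSTROUTING")
    return findings
```

Running `audit_one_to_one(SAMPLE)` on the quoted table yields one finding per public IP, both for the missing OUTPUT DNAT; adding the same two DNAT rules to OUTPUT makes the audit come back empty.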




_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users