Which chains are used for container to container?

On Fri, Sep 19, 2014 at 5:29 PM, Shidan <[email protected]> wrote:
> First I spoke too soon (by saying the problem is fixed with DNAT for the
> output chain); now I can ping the containers from the host and vice
> versa, but not container to container using the containers' external IP.
>
> Regarding your method, if you have IP aliases for the external addresses
> for the containers, the MAC address will not be the container's address but
> the host's and will get filtered by a significant number of upstream
> switches depending on their configuration ... so in this case you will need
> to use something like ebtables and put your switch in promiscuous mode,
> which I can't do. I can't use macvlan either as I am running unprivileged
> containers and it seems to me it's not a very tested feature either.
>
> So now I have:
>
> iptables -t nat -D POSTROUTING -s <internal_ip> ! -d 10.0.3.0/24 -o eth0 -j SNAT --to-source <external_ip>
> iptables -t nat -D PREROUTING -d <external_ip> -i eth0 -j DNAT --to-destination <internal_ip>
> iptables -t nat -D OUTPUT -d <external_ip> -j DNAT --to-destination <internal_ip>
>
> What am I missing for container to container addressing using the external
> IPs?
>
> -- Shidan Gouran
>
> On Fri, Sep 19, 2014 at 12:51 AM, Dave Pedu <[email protected]> wrote:
> >
> > Instead of using iptables, you can give a container a network interface
> > (for a total of two).
> >
> > On my system I have an ethernet bridge, br0, with the host's main
> > interface on it. Then, in a container's config -
> >
> > # primary, public interface 192.168.1.x from my router
> > lxc.network.type = veth
> > lxc.network.hwaddr = 00:16:3e:e1:92:a3
> > lxc.network.link = br0
> > lxc.network.flags = up
> > lxc.network.name = eth0
> > lxc.network.veth.pair = vethplex0
> >
> > # second, private interface 10.0.3.x
> > lxc.network.type = veth
> > lxc.network.hwaddr = 00:16:3e:e1:92:a4
> > lxc.network.link = lxcbr0
> > lxc.network.flags = up
> > lxc.network.name = eth1
> > lxc.network.veth.pair = vethplex1
> >
> > On 2014-09-18 21:19, Shidan wrote:
> >>
> >> Just figured out a fix, I think. For containers to address each
> >> other by both external and internal IPs, I set the DNAT rule on the
> >> OUTPUT and PREROUTING chain, instead of just on the PREROUTING as
> >> above.
> >>
> >> On Thu, Sep 18, 2014 at 11:03 PM, Shidan <[email protected]> wrote:
> >>
> >>> I think the case of having a 1 to 1 assignment of external IPs to
> >>> containers is an important use case to document somewhere.
> >>>
> >>> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <[email protected]> wrote:
> >>>
> >>>> Hello, I have multiple external IP addresses and set up iptables so
> >>>> that each container is assigned one external IP on the lxcbr0
> >>>> NATed bridge in a 1 to 1 fashion similar to this example:
> >>>>
> >>>> root@SERVER:/var/log# iptables -t nat -L
> >>>> Chain PREROUTING (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>> DNAT       all  --  anywhere             188.227.224.138      to:10.0.3.2
> >>>> DNAT       all  --  anywhere             188.227.224.139      to:10.0.3.3
> >>>>
> >>>> Chain INPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain POSTROUTING (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>> SNAT       all  --  10.0.3.2             !10.0.3.0/24          to:188.227.224.138
> >>>> SNAT       all  --  10.0.3.3             !10.0.3.0/24          to:188.227.224.139
> >>>>
> >>>> Now when I try to access a container from another container, I am
> >>>> just hitting the host, so for ssh for example, even if I try the
> >>>> IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I
> >>>> will actually connect to the physical host's SSH daemon. Everything
> >>>> works fine from one connecting from/to external machines.
> >>>>
> >>>> What am I doing wrong?
> >>
> >> _______________________________________________
> >> lxc-users mailing list
> >> [email protected]
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
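An added example, not code from this thread or from the LXC project: a POSIX sh script that prints the complete iptables NAT rule set for the 1:1 external-IP-to-container mapping discussed above, for any number of containers. Beyond the three rules pasted in the thread it emits the two the container-to-container case needs: a PREROUTING DNAT for packets arriving from the bridge (the pasted rule is limited to `-i eth0`, so a container sending to another container's external address reaches the host, which owns that address as an alias), and a hairpin MASQUERADE so that the target container's reply goes back through the host instead of straight across the bridge from its internal address, which the originating container never sent to. Interface names (`eth0`, `lxcbr0`), the `10.0.3.0/24` subnet and the 198.51.100.x sample addresses are assumptions; the functions `nat_rules`, `hairpin_rule` and `rule_count` are this example's own. It prints rules rather than applying them so the mapping can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread). Generates iptables NAT rules
# for a 1:1 external IP -> container mapping on LXC's NAT bridge, including
# the hairpin rules needed for container-to-container traffic via external IPs.
# Interface names and subnet below are assumptions; override via environment.

EXT_IF="${EXT_IF:-eth0}"          # assumed public interface holding the IP aliases
BR_IF="${BR_IF:-lxcbr0}"          # assumed container bridge
CT_NET="${CT_NET:-10.0.3.0/24}"   # assumed container subnet

# nat_rules INTERNAL_IP EXTERNAL_IP [ACTION]
# ACTION is -A (append, default) or -D (delete), so one function also undoes the rules.
nat_rules() {
  internal="$1"; external="$2"; action="${3:--A}"
  # Inbound from the outside: external address -> container.
  echo "iptables -t nat $action PREROUTING -i $EXT_IF -d $external -j DNAT --to-destination $internal"
  # Inbound from another container on the bridge. Without this the packet is
  # delivered to the host itself, which owns $external as an alias on $EXT_IF.
  echo "iptables -t nat $action PREROUTING -i $BR_IF -d $external -j DNAT --to-destination $internal"
  # Locally generated traffic on the host skips PREROUTING, so DNAT in OUTPUT too.
  echo "iptables -t nat $action OUTPUT -d $external -j DNAT --to-destination $internal"
  # Container -> outside world leaves with its own external address, not the host's.
  echo "iptables -t nat $action POSTROUTING -s $internal ! -d $CT_NET -o $EXT_IF -j SNAT --to-source $external"
}

# hairpin_rule [ACTION]
# One rule for the whole subnet: a packet that was DNATed and is heading back
# onto the bridge gets its source rewritten to the bridge address, so the
# target container answers the host and conntrack reverses both translations.
# Otherwise the reply crosses the bridge directly from the internal address,
# which the originating container never connected to, and is reset.
hairpin_rule() {
  action="${1:--A}"
  echo "iptables -t nat $action POSTROUTING -s $CT_NET -d $CT_NET -o $BR_IF -m conntrack --ctstate DNAT -j MASQUERADE"
}

# rule_count INTERNAL_IP EXTERNAL_IP: number of per-container rules generated.
rule_count() {
  nat_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample mapping (documentation addresses), same shape as the thread's.
nat_rules 10.0.3.2 198.51.100.138
nat_rules 10.0.3.3 198.51.100.139
hairpin_rule
```

Review the printed rules, then apply them as root with `sh nat-1to1.sh | sh`; passing `-D` as the third argument to `nat_rules` (and first to `hairpin_rule`) prints the matching teardown. The `--ctstate DNAT` match keeps the MASQUERADE from touching ordinary bridged traffic on hosts where br_netfilter sends it through iptables.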
