On Sun, Sep 2, 2012 at 4:56 PM, groupie <stopmakingse...@gmx.de> wrote:
> Hi list!
>
> I just came across the fact that the iptables config set in the lxc-net
> upstart job also rewrites connections between hosts on the bridge. I
> added a rule before the masquerade to prevent this and make sure that
> hosts on the same net bound to the bridge can talk without rewriting.
>
> iptables -A POSTROUTING -s ${LXC_NETWORK} -d ${LXC_NETWORK} -t nat -j ACCEPT
>
> Is that something that should be added in general? Dunno, maybe some
> people want rewriting here?
When you create a new wireless network on an Ubuntu host (e.g. for sharing the wired connection), network-manager sets up a NAT like this:

Sep 2 17:37:18 DELL NetworkManager[2118]: <info> Executing: /sbin/iptables --table nat --insert POSTROUTING --source 10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump MASQUERADE

IMHO it should also be applicable for lxc: only set up the MASQ nat if the packet is going to an external network. Following the same principle, the rule in lxc-net.conf should probably be something like

iptables -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -t nat -j MASQUERADE

--
Fajar
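To make the difference between the three POSTROUTING variants in this thread concrete, here is an added example (not code from the thread or from lxc) that evaluates each chain against constructed sample packets; the bridge network 10.0.3.0/24 and the addresses are assumed values, since the thread leaves ${LXC_NETWORK} unspecified.

```python
import ipaddress

# Assumed bridge network standing in for ${LXC_NETWORK}; constructed value.
LXC_NETWORK = ipaddress.ip_network("10.0.3.0/24")

def rule(src=None, dst=None, dst_negate=False, target="MASQUERADE"):
    """One nat POSTROUTING rule: -s src [! ]-d dst -j target."""
    return {"src": src, "dst": dst, "dst_negate": dst_negate, "target": target}

def matches(r, src_ip, dst_ip):
    """Does this rule match a packet from src_ip to dst_ip?"""
    src_ok = r["src"] is None or src_ip in r["src"]
    if r["dst"] is None:
        dst_ok = True
    else:
        # '! -d' inverts the destination match, exactly like iptables does.
        dst_ok = (dst_ip in r["dst"]) != r["dst_negate"]
    return src_ok and dst_ok

def postrouting(chain, src, dst):
    """First matching rule decides; no match falls through to the chain policy (ACCEPT, no NAT)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if matches(r, src_ip, dst_ip):
            return r["target"]
    return "ACCEPT"

# Original lxc-net rule: every packet sourced from the bridge network is masqueraded.
ORIGINAL = [rule(src=LXC_NETWORK)]
# groupie's variant: an explicit ACCEPT for bridge-to-bridge traffic inserted before the MASQUERADE.
WITH_ACCEPT = [rule(src=LXC_NETWORK, dst=LXC_NETWORK, target="ACCEPT"),
               rule(src=LXC_NETWORK)]
# Fajar's variant: masquerade only when the destination lies outside the bridge network.
NEGATED_DST = [rule(src=LXC_NETWORK, dst=LXC_NETWORK, dst_negate=True)]

def compare(src, dst):
    """Return the target each chain applies to a packet from src to dst."""
    return {name: postrouting(chain, src, dst) for name, chain in
            [("original", ORIGINAL), ("with_accept", WITH_ACCEPT), ("negated_dst", NEGATED_DST)]}

if __name__ == "__main__":
    # Constructed packets: container-to-container on the bridge, and container-to-Internet.
    for src, dst in [("10.0.3.10", "10.0.3.20"), ("10.0.3.10", "203.0.113.5")]:
        print(src, "->", dst, compare(src, dst))
```

Bridged container-to-container frames only traverse the nat table when bridge-nf-call-iptables is enabled (the br_netfilter hooks), which is the situation in which the original rule rewrites them.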