On Sun, Sep 2, 2012 at 4:56 PM, groupie <stopmakingse...@gmx.de> wrote:
> Hi list!
>
> I just came over the fact that the iptables config set in the lxc-net
> upstart job does also rewrite connections between hosts on the bridge. I
> added a rule before the masquerade to prevent this and make sure, that
> hosts on the same net bound to the bridge can talk without rewriting.
>
> iptables -A POSTROUTING -s ${LXC_NETWORK} -d ${LXC_NETWORK} -t nat -j ACCEPT
>
> Is that something that should be added in general? Dunno, maybe some
> people want rewriting here?
When you create new wireless network on ubuntu host (e.g. for sharing
the wired connection), network-manager would setup a nat like this:
Sep 2 17:37:18 DELL NetworkManager[2118]: <info> Executing:
/sbin/iptables --table nat --insert POSTROUTING --source
10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump
MASQUERADE
IMHO it should also be applicable for lxc: only setup MASQ nat if the
packet is going to external network. Following the same principal. the
rule on lxc-net.conf should probably be something like
iptables -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -t nat
-j MASQUERADE
--
Fajar
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
