On Sun, Sep 2, 2012 at 4:56 PM, groupie <stopmakingse...@gmx.de> wrote:
> Hi list!
>
> I just came across the fact that the iptables config set in the lxc-net
> upstart job also rewrites connections between hosts on the bridge. I
> added a rule before the masquerade to prevent this and make sure that
> hosts on the same net bound to the bridge can talk without rewriting.
>
> iptables -A POSTROUTING -s ${LXC_NETWORK} -d ${LXC_NETWORK} -t nat -j ACCEPT
>
> Is that something that should be added in general? Dunno, maybe some
> people want rewriting here?

When you create a new wireless network on an Ubuntu host (e.g. for sharing
the wired connection), network-manager sets up a NAT like this:

Sep  2 17:37:18 DELL NetworkManager[2118]: <info> Executing: /sbin/iptables --table nat --insert POSTROUTING --source 10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump MASQUERADE

IMHO it should also be applicable to lxc: only set up MASQ NAT if the
packet is going to an external network. Following the same principle, the
rule in lxc-net.conf should probably be something like

        iptables -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -t nat -j MASQUERADE

-- 
Fajar
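
The following is an added example (not from this thread, the lxc-net job or
NetworkManager) that works through what the `! -d ${LXC_NETWORK}` negation
changes. It models the match decision of the two POSTROUTING rules in plain
bash: the original lxc-net rule (`-s ${LXC_NETWORK} -j MASQUERADE`) and the
proposed one (`-s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE`), and runs
a few constructed src/dst pairs through both. LXC_NETWORK defaults to
10.0.3.0/24 here as an assumption; the addresses in the sample flows are made
up (203.0.113.5 is a TEST-NET address standing in for "the Internet"). The
classifier is only an illustration of the rule semantics; the real check on a
host is `iptables -t nat -S POSTROUTING` after the rule has been loaded.

```bash
#!/usr/bin/env bash
# Added example: model of the two lxc-net POSTROUTING rules, not project code.
# Assumption: the lxc-net default network is 10.0.3.0/24.
: "${LXC_NETWORK:=10.0.3.0/24}"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR: succeed if ADDR lies inside CIDR (what -s/-d match on).
in_net() {
    local addr=$1 net=${2%/*} bits=${2#*/}
    local mask=$(( bits == 0 ? 0 : (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Original rule:  -s $LXC_NETWORK -j MASQUERADE
# Every packet sourced from the LXC net is rewritten, including traffic whose
# destination is another host on the same bridge.
old_rule_action() {  # src dst
    if in_net "$1" "$LXC_NETWORK"; then echo MASQUERADE; else echo PASS; fi
}

# Proposed rule:  -s $LXC_NETWORK ! -d $LXC_NETWORK -j MASQUERADE
# Rewrite only when the packet leaves the LXC net; bridge-local traffic passes.
new_rule_action() {  # src dst
    if in_net "$1" "$LXC_NETWORK" && ! in_net "$2" "$LXC_NETWORK"; then
        echo MASQUERADE
    else
        echo PASS
    fi
}

# The two rules as they would be typed (to be run as root; not executed here).
print_rules() {
    printf 'before: iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$LXC_NETWORK"
    printf 'after:  iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' \
        "$LXC_NETWORK" "$LXC_NETWORK"
}

print_rules
# Constructed sample flows: container->container, container->Internet, LAN->container.
for flow in "10.0.3.10 10.0.3.20" "10.0.3.10 203.0.113.5" "192.168.1.5 10.0.3.20"; do
    set -- $flow
    printf '%-12s -> %-13s  old: %-10s new: %s\n' \
        "$1" "$2" "$(old_rule_action "$1" "$2")" "$(new_rule_action "$1" "$2")"
done
```

Usage note: run it as `LXC_NETWORK=10.0.3.0/24 bash nat-model.sh`; the first
flow is the one groupie reported, rewritten by the old rule and left alone by
the new one. On a live host, confirm the loaded rule with
`iptables -t nat -S POSTROUTING`.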

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users