Forward and map port to container

Hi

I’m trying to forward a port to a container, with some mapping. In this case from tcp 7777 (outside world) to the container default port of the icecast2 server for some tests… But it does not work. And i’m not sure, whats wrong. Googling around this forum an others gives me solutions with different firewalls and LXC commands. Think thats not necessary…

Btw, the container ip stays the same every time?

invcus network forward create incusbr0 10.217.37.1
incus network forward port add incusbr0 10.217.37.1 tcp 7777 10.217.37.202 8000

thanks at adv… Rüdiger

network forward create is meant for additional IP addresses that then point to instances, like floating IPs in the cloud.

In your case, as you seem to want to forward a port on the host to an instance, what you want instead is a proxy device.

incus config device add YOUR-INSTANCE port-8000 proxy listen=tcp:0.0.0.0:8000 connect=tcp:127.0.0.1:8000

This will make any connection to your host’s IP addresses on port tcp/8000 to be forwarded to the instance.

Great it works. Thanks…

In my case i had to change the listen Port to 7777, bec. port 8000 is already in use on my system.

incus config device add ubuntu2204 port-8000 proxy listen=tcp:0.0.0.0:7777 connect=tcp:127.0.0.1:8000

That means, if i have in addition a caddy proxy running for ssl letsencrypt, i could direct “forward” to the instance ip and port? If the ip of the instance does not change, of course…?!

Yeah, that should be fine.

The instance IP isn’t very likely to change as it gets a reasonably long DHCP lease from dnsmasq and dnsmasq also tries to keep the IPs as static as possible through some kind of MAC hashing.

Sounds great. I assume the the proxy also can forward none web applications, like ssh, sftp…? To reach for example the instance p22 ssh via port 2222 from the outside…

Yep, it can forward just about anything, also udp, unix sockets, …

Port Forward for hybrid socket 443 tcp+udp for QUIC connections Incus Container

Hi, quick question; I’m attempting to add a port forward using the incus ‘proxy device’ method for http and https web hosting within a container. QUIC connections rely on tcp+udp port 443. Unfortunately im unable to find correct syntax or information relating to confirm or deny if this works.

How do i forward the same port for both UDP and TCP?

I tried entering as separate commands (one rule for tcp and one for udp [443]) but errors with port already in use.

p.s: seems appropriate to ask here and consolidate useful info than create new thread.

stgraber@dakara:~$ incus launch images:alpine/edge a1
Creating a1
Starting a1
stgraber@dakara:~$ incus config device add a1 port-8000-tcp proxy listen=tcp:0.0.0.0:8000 connect=tcp:127.0.0.1:8000
Device port-8000-tcp added to a1
stgraber@dakara:~$ incus config device add a1 port-8000-udp proxy listen=udp:0.0.0.0:8000 connect=udp:127.0.0.1:8000
Device port-8000-udp added to a1
stgraber@dakara:~$ 

The thing that surprised me is when I tried the port proxy, using your example of proxying port-8000 everything worked, in spite of me not opening port-8000 on the Incus server. Shouldn’t I have to open port 8000 on the server?

The only difference between your example and my install is I used a VM with nat=true and everything worked.

(Although I note just today it stopped, thus my question.)

Bill

My understanding is that when you can use nat=true, Incus uses firewall rules to perform the forwarding.

However, if your specific setup does not allow to use nat=true (see documentation earlier), then Incus starts a separate and dedicated process on the host that opens ports on both the host’s network interface, and the container’s network interface (both are visible from the host). You can view this process on the host (I think it’s called forkproxy). The purpose of the process is to facilitate the data transfer between those two network ports.

I guess I just didn’t look deep enough. If i have issues in the future I now have a idea of what to look for. Thanks for the clarification. Bill