How to get users real IP in LXC container?

Hello, I have the following problem:

My host is Debian 10 (176.12.0.1), running the latest LXC with multiple containers. One of them is running an NGINX web server (176.12.0.50). To access NGINX I do a port forward with iptables, as follows:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.50:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.50:443

It's working well, with only one little BIG problem: real user IP addresses are logged as 176.12.0.1.
Is there any way to pass users' real IPs to the LXC container?

Thanks for every help!

Can you please show the output of iptables-save?

Thanks for your reply!

Here is the iptables output:

# Generated by xtables-save v1.8.2 on Wed May  6 13:20:18 2020
*filter
:INPUT ACCEPT [471861:104766683]
:FORWARD ACCEPT [376994:3312461948]
:OUTPUT ACCEPT [538450:145073247]
-A FORWARD -d 172.16.0.50/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 172.16.0.50/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed May  6 13:20:18 2020
# Generated by xtables-save v1.8.2 on Wed May  6 13:20:18 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 116.XXX.XXX.XXX/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.50:80
-A PREROUTING -d 116.XXX.XXX.XXX/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.16.0.50:443
-A PREROUTING -s 138.XXX.XXX.XXX/32 -i eth0 -p tcp -m tcp --dport 29015 -j DNAT --to-destination 172.16.0.10:29015
-A PREROUTING -s 138.XXX.XXX.XXX/32 -i eth0 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.16.0.10:28015
-A PREROUTING -s 51.XXX.XXX.XXX/32 -i eth0 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.16.0.10:28015
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7788 -j DNAT --to-destination 172.16.0.51:7788
-A PREROUTING -i eth0 -p udp -m udp --dport 7788 -j DNAT --to-destination 172.16.0.51:7788
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j MASQUERADE
COMMIT
# Completed on Wed May  6 13:20:18 2020
# Generated by xtables-save v1.8.2 on Wed May  6 13:20:18 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o br0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed May  6 13:20:18 2020

If required, the ip a output as well:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a8:a1:59:0f:0a:c4 brd ff:ff:ff:ff:ff:ff
    inet 116.xxx.xxx.xxx/26 brd 116.xxx.xxx.xxx scope global eth0
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/24 scope global br0
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
32: vethRKPSYX@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:d2:de:65:06:aa brd ff:ff:ff:ff:ff:ff link-netnsid 0
34: veth9QTO34@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:d7:0a:81:44:20 brd ff:ff:ff:ff:ff:ff link-netnsid 1
36: vethCJAYAU@if35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:98:5f:9a:44:4a brd ff:ff:ff:ff:ff:ff link-netnsid 2
46: vethK0DPNW@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:a0:98:c1:0d:2c brd ff:ff:ff:ff:ff:ff link-netnsid 3
50: veth4TBP4F@if49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:d5:9a:d8:98:8b brd ff:ff:ff:ff:ff:ff link-netnsid 4

Thanks!

> -A POSTROUTING -o br0 -j MASQUERADE

It is this line that is doing it. You're asking iptables to SNAT to the host's IP for all traffic going out of br0 (i.e. leaving the host and going to the containers).

Okay, removing that line did the trick and I now see all users' IPs in the log.
Will it possibly break anything if I remove that line? Or should it be replaced by something else?

That one was automatically added by LXC-NET.
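The rule the reply points to can be found mechanically on any host with the same layout. The script below is an added example, not code from this thread or from LXC: it parses iptables-save output and flags nat POSTROUTING MASQUERADE/SNAT rules that can rewrite the source address of traffic being forwarded into the container bridge, assuming br0 and 172.16.0.0/24 from the thread are the container bridge and subnet. The second, subnet-scoped rule is left alone because it only masquerades container-originated traffic and never touches external clients.

```python
import shlex

# Constructed sample: the two POSTROUTING rules from the iptables-save dump above.
SAMPLE_SAVE = """\
*nat
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Parse one '-A CHAIN ...' line into {option: value, 'negated': {options}}."""
    tokens = shlex.split(line)
    rule, negated, i = {"chain": tokens[1]}, set(), 2
    while i < len(tokens):
        neg = tokens[i] == "!"
        i += neg                    # step over the '!' and remember it for this option
        opt = tokens[i]
        # An option followed by a non-option token takes that token as its value.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!")):
            rule[opt], i = tokens[i + 1], i + 2
        else:
            rule[opt], i = True, i + 1
        if neg:
            negated.add(opt)
    rule["negated"] = negated
    return rule

def masks_client_ips(rule, bridge="br0", net="172.16.0.0/24"):
    """True if this nat POSTROUTING rule can rewrite the source address of traffic
    forwarded *into* the container bridge (bridge/net: assumed values from the thread)."""
    if rule["chain"] != "POSTROUTING" or rule.get("-j") not in ("MASQUERADE", "SNAT"):
        return False
    out_if = rule.get("-o")
    if out_if is not None and (out_if != bridge) != ("-o" in rule["negated"]):
        return False   # cannot match packets leaving via the container bridge
    if rule.get("-s") == net and "-s" not in rule["negated"]:
        return False   # limited to container-originated traffic: external clients untouched
    return True

def audit(iptables_save_text):
    """Return the nat-table POSTROUTING lines that hide real client IPs from containers."""
    offenders, table = [], None
    for line in iptables_save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A") and masks_client_ips(parse_rule(line)):
            offenders.append(line)
    return offenders
```

Feed it the real dump with `audit(open("/path/to/iptables-save.txt").read())`; each returned line is a rule that makes the containers log the host's address instead of the client's.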