Hi I am currently using post routing and pre routing rules to bind traffic in and out from specific public ip’s to individual lxc containers
Is there a better way to do this?
Or how can I disable lxc from creating the post routing rule “generated for LXD network lxdbr0”
As a quick fix I have been running this command
sudo iptables -t nat -D POSTROUTING $(sudo iptables -t nat -L -n -v --line-numbers | grep “generated for LXD network lxdbr0” | awk ‘{print $1}’)
any help would be appreciated!
Are you wanting to use snat still so the containers have private ips or are you seeking to have the public ip inside the container?
I’m currently using the following to keep traffic bound to specific containers
Prerouting
1 0k 0M DNAT all – * * 0.0.0.0/0 139.xxx.xxx.xx0 to:10.197.162.238
2 0k 0M DNAT all – * * 0.0.0.0/0 139.xxx.xxx.xx1 to:10.197.162.239
Post routing
0 0 SNAT all – * * 10.197.162.238 0.0.0.0/0 to:139.xxx.xxx.xx0
0 0 SNAT all – * * 10.197.162.239 0.0.0.0/0 to:139.xxx.xxx.xx1
But the lxd keeps creating a masquerade rule that is higher priority then the postroute rules I’ve set
Do you need the public ips defined on your LXD host? I.e are you using them for other services on the LXD host?
If not you could consider using the ‘routed’ nic type to bind the public ips directly inside the container and avoid the need for Nat entirely.
The public ip’s are not used on the lxd host, the public IPs are only used by the containers with a 1 to 1 mapping.
Theres some examples of routed nic here Lxd "routed" interface config - problem w Ubuntu 20.04 Host and WiFi
sorry for butting in but I always hate to assume something.
I recently spent more time with iptables & lxd that I ever expected to and learned alot about iptables I never knew before.
I was having problems with changes i was making being lost on reboot but upon reading more I saw one more surprise iptables had for me.
I am using ubuntu 20.04 and although iptables is installed “iptables-persistent” wasn’t.
$ sudo apt install -y iptables-persistent
This fixed my problem with losing changes I’d made after reboots.
Brian
Thanks for this!
This hasn’t been my issue so far, the lxd is updating its own post routing periodically.
Thanks for the link, I am reading this that has a 0.0.0.0/0 binding which would not restrict outbound traffic. Correct?
not sure if I understand that but I don’t think that would achieve
container_a <-> public__ip_a
container_b <-> public_ip_b
container_c <-> public_ip_c
There is no bindings. You wont see the containers public ips on the LXD hosts network interface, nor will you see any Nat rules for your containers.
The network interface inside your container will have your actual public ip, and your LXD host will advertise that to the wider external network using proxy ARP, so that your LXD host will behave as a layer 3 router.