Is there a way to port forward from Host to a nested container?

I have a use-case like this:

|___ cn1___ cn2 (nested in cn1)

I created CN1 using ubuntu bionic

CN1 was setup with:
“security.nesting true”
snap LXD installed
when I did LXD INIT I told it NOT to create an lxdbr0 bridge and instead to use ETH0
which then gave any “nested” container inside CN1 an IP address on the same 10.x.x.x subnet as CN1 itself

I created CN2 (ubuntu bionic)
CN2 was setup with:

  • apache2 installed in it
  • ufw allow 80

Host IP =
CN1 IP =
(nested) CN2 IP =

What I’d like to have happen is I’d like any traffic to Port 80 of the Host to be forwarded to the nested CN2’s Port 80

Port 80 on the CN2 nested container is OPEN as an NMAP on the Host shows:

$ nmap -p 80

Starting Nmap 7.60 ( ) at 2018-12-17 15:55 UTC
Nmap scan report for
Host is up (0.00021s latency).

80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Back on the Host I figured LXD’s device proxy would not help for forwarding a Host port to a “nested” CN2 container.

So figured device proxy wouldn’t help as I can’t use it to for this so I used the following on the host:

On the Host:

sudo ufw allow 80
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to

Then running a browser on another machine and pointing it to the Host IP

I get an Unable to Connect message? So maybe my iptables syntax is wrong?

So I thought I’d ask if anyone has any idea how this might be accomplished?

thanks for any tips

1 Like


this works but its not quite as elegant as I’d like. Basically doing a “chained” lxc config device add works.

In the Host:

lxc config device add cn1 myport80 proxy listen=tcp: connect=tcp:localhost:80


lxc exec cn1 bash

and repeat the same here as in the Host except specify CN2:

lxc config device add cn2 myport80 proxy listen=tcp: connect=tcp:localhost:80

Now any other machine that points their browser to this Host’s IP address will get forwarded instead to the Nested CN2 container’s Apache server.

If anyone comes up with a better/easier method though I’d be happy to learn :slight_smile: