Hello. I want to map a host user with a root user in some LXC container, so when someone tries to log in to host, he will be redirected to a shell inside of his container. Are there any solutions?
Hi!
The typical way would be to forward any connections to, let’s say, port 22 on the host to port 22 on container honeypot1.
I think you have something specific in your mind and it might help if you talk about it a bit.
I’m trying to forward port 22 on some LXC container to port 22 on host.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 10.31.169.233:22
But unfortunately, when I try to connect to host via SSH (port 22) there is an error:
ssh: connect to *** port 22: Connection refused
You would need to verify each parameter of iptables to make sure they are correct.
It is a common issue for something not to work.
When I want to create iptables rules for forwarding, I do them like this:
PORT=22 \
LXD_HOST_IP=your_lxd_public_ip \
CONTAINER_IP=your_container_ip \
HOST_NETWORK_INTERFACE=eth0 \
\
sudo -E bash -c 'iptables -t nat -I PREROUTING \
-i $HOST_NETWORK_INTERFACE -p TCP -d $LXD_HOST_IP --dport $PORT -j DNAT \
--to-destination $CONTAINER_IP:$PORT \
-m comment --comment "forward to a LXD container"'
When LXD 3.0 is released in a month or so (with Ubuntu 18.04), it would be possible to use LXD instead of iptables. LXD 3.0 has a proxy device which is different from iptables, and it would be much easier to set up.
I have LXD 3.0 installed. How to use a proxy device?
See https://github.com/lxc/lxd/blob/master/doc/containers.md#type-proxy
For example,
lxc config device add mycontainer myproxydevice proxy listen=tcp:MY_HOST_IP_ADDRESS:22 connect=tcp:10.31.169.233:22 bind=host
To view the proxy device, run
lxc config device show mycontainer
Make sure you have removed the iptables rule (i.e. sudo iptables -t nat -F).
PORT=22 \
LXD_HOST_IP=your_lxd_public_ip \
CONTAINER_IP=your_container_ip \
HOST_NETWORK_INTERFACE=eth0 \
\
sudo -E bash -c 'iptables -t nat -I PREROUTING \
-i $HOST_NETWORK_INTERFACE -p TCP -d $LXD_HOST_IP --dport $PORT -j DNAT \
--to-destination $CONTAINER_IP:$PORT \
-m comment --comment "forward to a LXD container"'
Unfortunately, these rules don’t have any effect.
That was a single iptables rule. It’s up to you to make sure that the end-points are correct.
Thank you. I solved this problem by using a proxy device.