Lxdbr0 outgoing IP

I have LXD 3.0.3 on Ubuntu 18.04 running with multiple containers.
All containers use the lxdbr0 bridge.
The bridge uses the ens3 interface, which has 3 IP addresses assigned via netplan; let's call them
A) 123.123.123.123
B) 21.21.21.21
C) 45.45.45.45

Now, with iptables, I route traffic for certain IP/port combinations to the containers. All fine. But the containers always use IP A) for outgoing traffic, and I need certain containers to use B) or C) as their outgoing IP. I tried a POSTROUTING rule with iptables:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.249.6.0/24       !10.249.6.0/24        /* generated for LXD network lxdbr0 */
SNAT       all  --  10.249.6.32          anywhere             to:45.45.45.45

I think the default masquerade rule overrides this.

Is there a way to provide multiple bridges that use certain IPs for outgoing traffic? I do not want the container to get the PUBLIC IP internally (macvlan), as described on Simos' blog.

You can turn off LXD's management of iptables in the network config, then do it yourself in a separate firewalling script on your system; that would let you do the appropriate SNAT for outgoing traffic.

Hi Stephane,

Thanks. I took the path with the SNAT rules but was not aware that I could turn LXD's management of iptables off.

So

lxc config set ip4.firewall false
lxc config set ip6.firewall false

would be sufficient? Thanks.

It would be lxc network set lxdbr0 ipv4.firewall false but yes, that’s the idea.

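The layout Stephane's answer implies, as an added example that is not from the thread or from LXD itself: once LXD's rule management is off, a script that emits the per-container SNAT rules ahead of a catch-all for the rest of the subnet, plus a check that flags the ordering problem visible in the original listing. The addresses are the thread's; the second container (10.249.6.33) and the container-to-address mapping are assumed.

```sh
#!/bin/sh
# Assumes: lxdbr0 subnet 10.249.6.0/24 and public addresses A/B/C from the thread,
# with LXD's own rules disabled via: lxc network set lxdbr0 ipv4.firewall false
LXD_SUBNET="10.249.6.0/24"
DEFAULT_SRC="123.123.123.123"        # address A): used by every container not listed below
# Constructed mapping "container address=public source address" (assumed, not from the thread)
SNAT_MAP="10.249.6.32=45.45.45.45
10.249.6.33=21.21.21.21"

# Emit the nat rules in the only order that works: per-container SNAT first,
# the catch-all last. The nat table is consulted once per connection and the
# first matching rule in POSTROUTING wins, so a catch-all at the top (LXD's
# MASQUERADE rule in the listing above) shadows every SNAT rule placed after it.
build_postrouting_rules() {
    printf '%s\n' "$SNAT_MAP" | while IFS='=' read -r guest public; do
        [ -n "$guest" ] || continue
        printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j SNAT --to-source %s\n' \
            "$guest" "$LXD_SUBNET" "$public"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j SNAT --to-source %s\n' \
        "$LXD_SUBNET" "$LXD_SUBNET" "$DEFAULT_SRC"
}

# Read an `iptables -t nat -S POSTROUTING` listing on stdin and exit 1 if a rule
# matching the whole subnet comes before a rule for a single container address,
# which is exactly the symptom in the thread. Exits 0 when the order is sane.
check_snat_order() {
    awk -v subnet="$LXD_SUBNET" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""
            for (i = 3; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            sub(/\/32$/, "", src)               # -S prints hosts as a.b.c.d/32
            if (src == subnet) catchall = 1
            else if (src != "" && catchall) shadowed = 1
        }
        END { exit shadowed ? 1 : 0 }'
}

# Root only: apply the generated rules to the live firewall.
apply_postrouting_rules() { build_postrouting_rules | sh; }
```

Run `iptables -t nat -S POSTROUTING | check_snat_order` after any change to confirm no catch-all has crept in above the per-container rules.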