MASQUERADE rule added by lxc


(Yuri Kanivetsky) #1

The rule goes as follows:

iptables -t nat -A POSTROUTING -s ! -d -j MASQUERADE

Why the ! -d part? I thought it’s to suppress NAT for intercontainer communication, but:

iptables -t nat -A POSTROUTING -s -j MASQUERADE

makes no visible difference. I run

tcpdump icmp

in one container (,

ping -c

in the other one ( And tcpdump says:

(Stéphane Graber) #2

It is to prevent NAT from affecting inter-container traffic.

By default iptables does not trigger on traffic between bridge members, but it’s something that can be enabled system-wide, in which case that part of the rule becomes quite useful.