NAT with source address


To do NAT with LXD, just use `config device add`; it's really very practical:

lxc config device add myct http proxy nat=true listen=tcp:x.x.x.x:80 connect=tcp:80

This command gives me this iptables rule:

-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 80 -m comment --comment "generated for LXD container myct (http)" -j DNAT --to-destination

How do I add a check on the source (`-s x.x.x.x`) so that the rule becomes:

-A PREROUTING -s x.x.x.x -d x.x.x.x/32 -p tcp -m tcp --dport 80 -m comment --comment "generated for LXD container myct (http)" -j DNAT --to-destination

I searched the documentation but I can't find how to do it.

This isn’t something we support currently.

What are you trying to achieve?

For security or filtering reasons it may be important to limit access to NAT ports to defined source IPs.

For security, a workaround is to define accept/deny rules in the container, but it would be more practical and readable if the NAT rule could limit the source IP.

Simple example:
I want to NAT port 389 to the container blabla but limit access to the public IP x.x.x.x only, so as not to expose the LDAP directory to the whole web, like:
-A PREROUTING -s x.x.x.x/32 -p tcp -m tcp --dport 389 -j DNAT --to-destination 10.x.x.x:389

Other example:
I want to route port 21 to multiple containers:

  • source IP to container1 port 21
  • source IP to container2 port 21
  • source IP to container3 port 21

I hope my English was not too incomprehensible...
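Since the proxy device only emits the `-d`/`--dport` match, the two cases above can be built with iptables directly on the host. The script below is an added example, not from the thread or from LXD: the public address 198.51.100.10, the client addresses in 203.0.113.0/24 and 198.51.100.0/24, the container addresses in 10.0.3.0/24 and the helper names (`add_rule`, `nat_from`, `reject_other`, `container_filter`) are all placeholders of my own. It prints the commands by default (`DRY_RUN=1`) and only runs them when called with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread or from LXD: hand-written iptables rules
# that do what the proxy device cannot, a DNAT that applies only to chosen sources.
# All addresses are placeholders (RFC 5737 documentation ranges on the public
# side, 10.0.3.0/24 for the container bridge); replace them with your own.
# With DRY_RUN=1 (the default) the commands are printed instead of executed.

: "${DRY_RUN:=1}"
: "${IPT:=iptables}"

# add_rule TABLE CHAIN MATCH... : append a rule unless an identical one exists
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -t %s -A %s %s\n' "$IPT" "$table" "$chain" "$*"
        return 0
    fi
    # -C exits non-zero when the rule is absent, so the append runs only once
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null \
        || "$IPT" -t "$table" -A "$chain" "$@"
}

# nat_from SRC PUBLIC_IP PORT CONTAINER_IP
# Source-restricted DNAT plus the FORWARD accept the translated packet needs.
# Packets from any other source are left untranslated and reach the host
# itself, so the host's INPUT chain (reject_other below) must deal with them.
nat_from() {
    src=$1; pub=$2; port=$3; ctip=$4
    add_rule nat PREROUTING -s "$src" -d "$pub" -p tcp -m tcp --dport "$port" \
        -j DNAT --to-destination "$ctip:$port"
    add_rule filter FORWARD -s "$src" -d "$ctip" -p tcp -m tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# reject_other PUBLIC_IP PORT : refuse untranslated connections from anyone else
reject_other() {
    add_rule filter INPUT -d "$1" -p tcp -m tcp --dport "$2" \
        -j REJECT --reject-with tcp-reset
}

# Thread example 1: LDAP (389) to one container, only from one public address
ldap_rules() {
    nat_from 203.0.113.5/32 198.51.100.10 389 10.0.3.20
    reject_other 198.51.100.10 389
}

# Thread example 2: port 21 goes to a different container depending on the
# source. Each line is "source container-ip"; PREROUTING takes the first match,
# so list more specific sources before broader ones if they overlap.
ftp_rules() {
    printf '%s\n' \
        '203.0.113.5/32 10.0.3.21' \
        '203.0.113.6/32 10.0.3.22' \
        '198.51.100.0/24 10.0.3.23' |
    while read -r src ctip; do
        nat_from "$src" 198.51.100.10 21 "$ctip"
    done
    reject_other 198.51.100.10 21
}

# The in-container workaround from the thread: drop PORT from everyone but
# ALLOWED_SRC. This only works with nat=true; a non-NAT proxy device forwards
# in user space and the container then sees the host as the source of every
# connection, so there is nothing to filter on.
container_filter() {   # container_filter CONTAINER PORT ALLOWED_SRC
    if [ "$DRY_RUN" = 1 ]; then
        printf 'lxc exec %s -- iptables -A INPUT -p tcp --dport %s ! -s %s -j DROP\n' \
            "$1" "$2" "$3"
    else
        lxc exec "$1" -- iptables -A INPUT -p tcp --dport "$2" ! -s "$3" -j DROP
    fi
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    ldap_rules
    ftp_rules
fi
```

Rules added this way are not known to LXD, so they are not removed when the device is deleted and are not restored after a reboot; persist them with whatever your distribution uses for saving iptables state, and keep the proxy device itself at nat=true so the container still sees the real client address.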

I think this would be best posted as an idea that we can discuss further based on your described use case.

It may be that adding this to the proxy device isn't ideal (because it would only be relevant when using nat=true) and instead maybe we add it to the "network forwards" feature (Network Forwards | LXD).

Thank you for your comments :)
I will post my request on