I have an Ubuntu 18.04 host with LXD 3.0.3, and it has 2 public IPv4 addresses. The LXD host runs 2 CTs (srv01 and srv02) connected to a bridge, each using private RFC1918 IPv4s. On the host, I manually NAT (DNAT, SNAT) one public IP to each CT (note: I fwd ports for smtp/imap/pop/web/etc separately).
Each CT runs a mail server and I would like for them to exchange mail directly, by connecting to each other's tcp/25 port on their PUBLIC IPv4 as reported by DNS.
What is the recommended way to configure the LXD host’s iptables, so that it does hairpin NAT between the two CTs’ public IPv4 addresses, without possibly causing issues to LXD?
Thank you in advance, KP
$ lxc network show lxdbr0
config:
ipv4.address: 10.114.29.1/24
ipv4.dhcp.expiry: 192h
ipv4.firewall: "true"
ipv4.nat: "false"
ipv6.address: fd42:xyz:1/64
ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/containers/srv01
- /1.0/containers/srv02
- /1.0/containers/vm01
- /1.0/containers/vm02
managed: true
status: Created
locations:
- none
CT srv01 internal IP 10.114.29.51 and external 95.216.xx.yy
CT srv02 internal IP 10.114.29.61 and external 95.216.ww.zzz
# iptables -L -v -n --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 1061 packets, 78227 bytes)
num pkts bytes target prot opt in out source destination
[...]
11 409K 22M DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:80 to:10.114.29.51:80
12 124K 5743K DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:443 to:10.114.29.51:443
13 430K 24M DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:25 to:10.114.29.51:25
14 157K 8142K DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:110 to:10.114.29.51:110
15 380K 23M DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:143 to:10.114.29.51:143
16 79194 4306K DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:587 to:10.114.29.51:587
17 138K 8263K DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:993 to:10.114.29.51:993
18 38414 1987K DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.xx.yy tcp dpt:995 to:10.114.29.51:995
19 1362 67902 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:80 to:10.114.29.61:80
20 701 32292 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:443 to:10.114.29.61:443
21 104 4884 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:25 to:10.114.29.61:25
22 48 2004 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:110 to:10.114.29.61:110
23 42 1752 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:143 to:10.114.29.61:143
24 7 400 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:465 to:10.114.29.61:465
25 63 2844 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:587 to:10.114.29.61:587
26 88 4448 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:993 to:10.114.29.61:993
27 59 2624 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:995 to:10.114.29.61:995
28 87 5207 DNAT udp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz udp dpt:53 to:10.114.29.61:53
29 18 732 DNAT tcp -- enp0s31f6 * 0.0.0.0/0 95.216.ww.zzz tcp dpt:53 to:10.114.29.61:53
[...]
Chain INPUT (policy ACCEPT 3 packets, 193 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 614 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 469 packets, 19626 bytes)
num pkts bytes target prot opt in out source destination
1 48513 2922K SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:25 to:95.216.xx.yy
2 28431 1706K SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:53 to:95.216.xx.yy
3 1983 119K SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:80 to:95.216.xx.yy
4 20946 1257K SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:443 to:95.216.xx.yy
5 0 0 SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:143 to:95.216.xx.yy
6 0 0 SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:110 to:95.216.xx.yy
7 0 0 SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:587 to:95.216.xx.yy
8 0 0 SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:993 to:95.216.xx.yy
9 0 0 SNAT tcp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 tcp dpt:995 to:95.216.xx.yy
10 10M 887M SNAT udp -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 udp dpt:53 to:95.216.xx.yy
11 125K 48M SNAT all -- * enp0s31f6 10.114.29.51 !10.114.29.0/24 to:95.216.xx.yy
[...]
17 0 0 SNAT tcp -- * enp0s31f6 10.114.29.61 !10.114.29.0/24 tcp dpt:25 to:95.216.ww.zzz
18 47 2820 SNAT tcp -- * enp0s31f6 10.114.29.61 !10.114.29.0/24 tcp dpt:80 to:95.216.ww.zzz
19 445 26700 SNAT tcp -- * enp0s31f6 10.114.29.61 !10.114.29.0/24 tcp dpt:443 to:95.216.ww.zzz
20 49 2940 SNAT tcp -- * enp0s31f6 10.114.29.61 !10.114.29.0/24 tcp dpt:53 to:95.216.ww.zzz
21 62960 6068K SNAT udp -- * enp0s31f6 10.114.29.61 !10.114.29.0/24 udp dpt:53 to:95.216.ww.zzz
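One way to add the missing hairpin rules for the setup shown in the question, as an added example rather than anything from the poster or from LXD: the bridge name, subnet and CT addresses are taken from the post, while the rule layout (a bridge-side DNAT plus an SNAT to the originating CT's public IP, limited to DNATed connections) is an assumption about how to do it, not LXD-managed configuration.

```shell
#!/bin/sh
# Hairpin-NAT rules for the lxdbr0 setup in the question (added example; the
# rule layout is an assumption, not LXD's own configuration).
BR=lxdbr0
SUBNET=10.114.29.0/24
# "private public" address pairs, one CT per line (public IPs masked as in the post)
CTS='10.114.29.51 95.216.xx.yy
10.114.29.61 95.216.ww.zzz'

# Print the nat rules for one hairpin direction: $1/$2 = source CT private/public
# IP, $3/$4 = destination CT private/public IP, $5 = TCP port.
hairpin_pair() {
  spriv=$1 spub=$2 dpriv=$3 dpub=$4 port=$5
  # The existing DNAT rules match "-i enp0s31f6" only; a connection from srv01
  # to 95.216.ww.zzz:25 arrives on lxdbr0 and needs its own translation.
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$BR" "$spriv" "$dpub" "$port" "$dpriv" "$port"
  # Both CTs share one L2 segment, so the destination would otherwise answer
  # the source's private IP directly and the source would drop a reply from
  # an address it never contacted.  SNAT to the source's PUBLIC IP sends the
  # reply back through the host (conntrack undoes the DNAT) and lets the peer
  # MTA see the same client address, rDNS and SPF result the Internet would,
  # instead of a bridge address that may be trusted as a local network.
  # "--ctstate DNAT" keeps ordinary bridge traffic out of this rule.
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
    "$BR" "$spriv" "$dpriv" "$port" "$spub"
}

# Emit rules for every ordered pair of distinct CTs on the given port.
hairpin_rules() {
  port=$1
  echo "$CTS" | while read -r spriv spub; do
    echo "$CTS" | while read -r dpriv dpub; do
      [ "$spriv" = "$dpriv" ] || hairpin_pair "$spriv" "$spub" "$dpriv" "$dpub" "$port"
    done
  done
}

# Review the generated rules first; apply with  APPLY=1 sh hairpin.sh  (as root).
if [ "${APPLY:-0}" = 1 ]; then hairpin_rules 25 | sh; else hairpin_rules 25; fi
```

The rules only add to the nat table and do not touch the FORWARD rules LXD installs for lxdbr0 when ipv4.firewall is "true"; after applying, a connection from srv01 to 95.216.ww.zzz:25 should show up as a DNAT entry in `conntrack -L` on the host.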