Port relationship between Host and Container?

So what is the relationship for ports between the host VPS and it’s containers?
If I have an app running in a container that requires certain ports be open, do the same ports
need to be open on the host? It’s probably a dumb question, but I don’t have a lot of networking experience.



there are 2 options:

  • use iptables and create a NAT rule and also a routing rule if default routing is off
  • use a proxy device (LXD feature, see lxc config device --help)

You can use also automate nat rules with the proxy device by setting nat=true

Thanks guys. As I mentioned, I do not have a lot of networking experience, especially with the options you mention. And I don’t know whether to perform these options on the host or the container OS?

Thanks and really appreciate the help.


the host (the lxc commands are always on the host)
you may have to open ports at the container level however on all containers I have tried from the LXD repos the firewall was off by default. Check with iptables -L.

I have the same port open on both the container and the host. The firewall is on in the container as well as the host. Do I need to do port forwarding from the container to the host?

well yes, like said using a NAT iptables rule or the LXD proxy

Any clue how to constuct the iptable rule for forwarding UDP ports 5000-65535?

And thanks for your help. Really appreciate it!


I have this rule in the container and the host:

ACCEPT udp – anywhere anywhere multiport dports 5000:65535

This did not fix my problem.

Adding an ACCEPT rule on the host won’t achieve what you want because the host isn’t where the service is running, it is running inside the container.

If you want to forward a port on the host to the container then the way to do this is usually using a proxy device (see https://linuxcontainers.org/lxd/docs/master/instances#type-proxy).

However if you’re trying to forward a large range of ports then the proxy device probably isn’t suitable, even with nat=true, because the way it works currently is that with nat=false the forkproxy helper program will open a socket on the host for each port being forwarded (which means in your case several thousand ports being opened) and with nat=true the firewall helper in LXD will create a firewall NAT rule per-port combination (so again this would be thousands of rules).

Can you explain a bit more about what you are trying to achieve, and why it is you need to forward so many ports?

A possible approach to this (assuming you do need to forward that many ports rather than just joining the container to the external network) is use a manual firewall DNAT rule.

First you should ensure your container has a predictable IP using:

lxc config device override c1 eth0 ipv4.address=x.x.x.x

Then you can add a rule like this, assuming eth0 is the LXD host’s external network:

iptables -t nat -A PREROUTING -i eth0 -p up --dport  5000:65535 -j DNAT --to x.x.x.x:5000-65535
1 Like

Hi Thomas,

So basically I have a VPS Ubuntu 18.04 server and two LXD containers. One container is Ubuntu 18.04 server and running HAproxy.

The second container is Ubuntu 18.04 server and hosts a WebRTC Media server. (eventually I will have multiple containers, each hosting a media server).

I am port forwarding ports 80 and 443 to the HAproxy container. I am using the HAproxy to direct the incoming query to the container based on the subdomain, in this case amsc1. In the future I will have additional subdomains of amsc2, amsc3, etc. This is working fine.

You can access the server via https://amsc1.streamingworld.us/WebRTCApp

If you have a webcam, you will be prompted to allow access. If you allow, then you will see your webcam activated and displaying video. Only you can see this video. This part works fine, but then if you click on the “Start Publishing”, it will appear to be broadcasting, but then stop after 10-15 seconds. This is the problem. I think the problem is ICE/STUN related

but not sure.

In the past, I have seen this same issue with the same media software and when not using containers and the answer was to open ports 5000:65535 and that fixed the problem, but in my case with LXD containers, it does not fix it. So I’m thinking it’s a networking issue?

Thanks for your time and help.


My container get their IP from DHCP.

Did you try adding a static DHCP assignment using lxc config device override c1 eth0 ipv4.address=x.x.x.x and then the manual iptables DNAT rule?

Please advise on the DNAT rule. On the host VPS or the container itself?

The host, so that it forwards packets from host ip to container ip.

Also to avoid NAT, if the VPS can assign a second IP to your server, you can possibly use the ip routing feature in LXD and it will proxy arp the IP as if it belongs to the container, so the container basically gets its own Internet IP address. Could be an option, I know voice/video/media don’t play well with NAT usually as they often have embeded IP’s in the packets which don’t get natted as they are in the application layer hence the need for workarounds like stuns and relays.

1 Like

I have not had the chance yet as I actually work from home and this is something I am experimenting with in my spare time.

I will respond after I try it.

In the mean time I appreciate your’s and Jon Clayton suggestions and help. It would be awesome if I can get this to work.


I get this error for the iptables command:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5000:65535 -j DNAT --to
iptables v1.6.1: Invalid port:port syntax - use dash

Never mind. use dash instead of : :slight_smile:


Wow…it seems to be working! No more aborting and I am now generating Http Live Streamng!
I’m about to pee myself with joy! I owe you dude!

here’s what I did:
lxc config device override AMSC1 eth0 ipv4.address=
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5000:65535 -j DNAT --to

But I see a problem ahead. If I add another container to replicate the same functionality, how do I
route to the correct container?


1 Like