So what is the relationship for ports between the host VPS and its containers? If I have an app running in a container that requires certain ports be open, do the same ports need to be open on the host? It’s probably a dumb question, but I don’t have a lot of networking experience.
Thanks guys. As I mentioned, I do not have a lot of networking experience, especially with the options you mention. And I don’t know whether to perform these options on the host or the container OS?
The host (the lxc commands are always on the host).
You may have to open ports at the container level; however, on all containers I have tried from the LXD repos the firewall was off by default. Check with iptables -L.
I have the same port open on both the container and the host. The firewall is on in the container as well as the host. Do I need to do port forwarding from the container to the host?
However if you’re trying to forward a large range of ports then the proxy device probably isn’t suitable, even with nat=true, because the way it works currently is that with nat=false the forkproxy helper program will open a socket on the host for each port being forwarded (which means in your case several thousand ports being opened) and with nat=true the firewall helper in LXD will create a firewall NAT rule per-port combination (so again this would be thousands of rules).
Can you explain a bit more about what you are trying to achieve, and why it is you need to forward so many ports?
A possible approach to this (assuming you do need to forward that many ports rather than just joining the container to the external network) is use a manual firewall DNAT rule.
First you should ensure your container has a predictable IP using:
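As an added example (not from this thread and not LXD’s own tooling), here is a small POSIX shell script that implements the manual DNAT approach described above for a whole port range, using one DNAT rule per protocol instead of one per port. The container address 10.0.3.10, the public interface eth0 and the range 5000:65535 are constructed placeholders; they are assumptions, not values from the thread, and you will need to adjust them to your setup.

```shell
#!/bin/sh
# Added example: forward a whole port range from the host to one container
# with a single DNAT rule per protocol rather than one rule per port.
# Constructed placeholders (assumptions, not values from the thread):
CONTAINER_IP="${CONTAINER_IP:-10.0.3.10}"   # static address of the media container on lxdbr0
WAN_IF="${WAN_IF:-eth0}"                    # host interface that carries the public IP
PORT_START="${PORT_START:-5000}"
PORT_END="${PORT_END:-65535}"

# Print the iptables commands for one protocol to stdout.
# DNAT without an explicit target port keeps the original destination port,
# so one rule covers the entire range. The FORWARD rule lets the host's
# filter table pass the translated traffic on to the container even when
# the FORWARD chain policy is DROP.
dnat_rules() {
    proto="$1"; ip="$2"; wan="$3"; start="$4"; end="$5"
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$start$end" in
        ""|*[!0-9]*) echo "ports must be numeric: $start:$end" >&2; return 1 ;;
    esac
    if [ "$start" -lt 1 ] || [ "$end" -gt 65535 ] || [ "$start" -gt "$end" ]; then
        echo "bad port range: $start:$end" >&2
        return 1
    fi
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p $proto --dport $start:$end -j DNAT --to-destination $ip
iptables -A FORWARD -i $wan -d $ip -p $proto --dport $start:$end -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# How many rules the range costs: always 2 per protocol, however wide it is.
rule_count() {
    dnat_rules "$@" | wc -l | tr -d ' '
}

# Rules for both protocols: WebRTC media is mostly UDP, but signalling and
# TURN fallbacks can use TCP on the same range.
all_rules() {
    dnat_rules udp "$CONTAINER_IP" "$WAN_IF" "$PORT_START" "$PORT_END"
    dnat_rules tcp "$CONTAINER_IP" "$WAN_IF" "$PORT_START" "$PORT_END"
}

case "${1:-show}" in
    show)  all_rules ;;          # dry run: print the commands that would be applied
    apply) all_rules | sh -e ;;  # run as root on the host
    *) echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no arguments to review the four commands, then with `apply` on the host. Replies from the container go back out through the masquerade rule LXD already installs for lxdbr0, so no extra SNAT is needed; the rules are not persistent across reboots unless you save them (for example with iptables-persistent). The container’s own firewall still has to allow the same range, which is why having the ports open on both host and container, as asked earlier in the thread, is not wasted work.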
So basically I have a VPS Ubuntu 18.04 server and two LXD containers. One container is Ubuntu 18.04 server and running HAproxy.
The second container is Ubuntu 18.04 server and hosts a WebRTC Media server. (eventually I will have multiple containers, each hosting a media server).
I am port forwarding ports 80 and 443 to the HAproxy container. I am using the HAproxy to direct the incoming query to the container based on the subdomain, in this case amsc1. In the future I will have additional subdomains of amsc2, amsc3, etc. This is working fine.
If you have a webcam, you will be prompted to allow access. If you allow, then you will see your webcam activated and displaying video. Only you can see this video. This part works fine, but then if you click on the “Start Publishing”, it will appear to be broadcasting, but then stop after 10-15 seconds. This is the problem. I think the problem is ICE/STUN related, but not sure.
In the past, I have seen this same issue with the same media software and when not using containers and the answer was to open ports 5000:65535 and that fixed the problem, but in my case with LXD containers, it does not fix it. So I’m thinking it’s a networking issue?
Also, to avoid NAT, if the VPS can assign a second IP to your server, you can possibly use the ip routing feature in LXD and it will proxy ARP the IP as if it belongs to the container, so the container basically gets its own Internet IP address. Could be an option; I know voice/video/media don’t play well with NAT usually as they often have embedded IPs in the packets which don’t get NATed as they are in the application layer, hence the need for workarounds like STUN servers and relays.