Share public ip and network with containers

I need to share my public ip with my containers and connect to them directly, that the connection is direct to the containers by port, without using iptables. I was investigating and the request could be to configure the host mode network? Can someone explain to me if it is the right way.

Take a look at the router veth mode.

Search for “router” in Linux Containers - LXC - Manpages - lxc.container.conf.5


Configure host’s sysctls as follows:

# Router
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Then use this LXC container network config:

# Network configuration = veth = router = 1 = <parent external interface> = up = eth0 = = fe80::1 = <external IPv4>/32 = <external IPv6>/128

These settings help me to connect directly to the container outside the Host? I do not want to address ports with iptables, proxy etc etc … I want a direct connection to the container through a port … for axis in the container assign the ssh port 2201 … And connect directly to the container through that port using a public ip that it has my Host …

Sounds like (the easiest way) you want to setup reverse tcp proxy on your host (that will forward wherever you like into you container(s)). You can try: ‘socat’ or ‘nginx’ (can forward raw tcp or udp streams).

@DEKKOxD The “router” veth mode will pass an entire public IP into your container, making it directly addressable.

If you only have 1 IP that you are sharing with multiple containers and the host, then you’ll need to use something like iptables DNAT, a reverse proxy (such as @keidii suggested).

If you want the containers to share the same network namespace as the host, I believe that can be done using[i].type = none, but it does come with limitations:

none: will cause the container to share the host’s network namespace. This means the host network devices are usable in the container. It also means that if both the container and host have upstart as init, ‘halt’ in a container (for instance) will shut down the host. Note that unprivileged containers do not work with this setting due to an inability to mount sysfs. An unsafe workaround would be to bind mount the host’s sysfs.

You’ve not explained why you don’t want to use something like iptables DNAT, as this seems to me to be the simplest approach and doesn’t require any additional processes running, nor does it cause the source address of the request to be lost (such as would occur if you used something like a reverse proxy).