This is a little host (Ubuntu + LXD) with multiple LXC containers.
Each container has its own LAN IP address (e.g. 10.10.1.141, 10.10.1.137).
Incoming packets - no problem, iptables rules and OK.
But what about outgoing packets? I'm using SNAT and POSTROUTING and it's OK! iptables -t nat -I POSTROUTING -s 10.71.85.107 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.141
But after restarting the host, the first line in POSTROUTING is always: 330 27582 MASQUERADE all -- * * 10.71.85.0/24 !10.71.85.0/24 /* generated for LXD network lxdbr0 */
Where can I change this? I need to use SNAT and a specific IP address for each container.
The default configuration of LXD, with the lxdbr0 managed network device, gives you incoming/outgoing connectivity to the Internet. LXD adds the appropriate iptables rules for you.
It is not clear whether you really want to deviate from this configuration, and what you are really doing differently.
If you really want to do something different, then you do not use the LXD managed network interface, and you perform the configuration on your own. You set up LXD not to autoconfigure the network interface for you. This is done in the default profile of LXD (lxc profile edit default). Also, you can remove any managed network devices through the lxc network list commands.
It is really simple what I want to do…
Example from a live setup:
one LXD host and multiple containers:
DNS (10.10.1.141)
MAIL (10.10.1.138)
Web1 (10.10.1.145)
etc… (network /24)
Some containers have to go out with their own IP - especially DNS and Mail.
What you suggested - use different networks for each container?
Is it possible to configure networks without iptables, just in LXD?
The default LXD setup (single private network lxdbr0) gives you what you describe here.
I do not understand what you mean by this,
Regarding this question,
It is possible to configure some containers without networking at all.
But to have them do something useful, you would need to create proxy devices.
For example, to expose the web server to the LAN, you would
Also, as stated by @simos, you can proxy the connections using the proxy command, or manually build an HAProxy container and forward the ports into that, which in turn forwards to the "backend" containers.
Sorry simos for my English - maybe that is the problem.
Let me try to explain:
When creating a Virtual Machine on VMware, XEN, FreeBSD Jail, etc. you can assign an IP (public or LAN) to this VM.
All incoming/outgoing packets have this IP.
Is it possible to do this with LXD?
iptables can do this - PREROUTING and POSTROUTING.
But MASQUERADE in first place destroys everything.
Example: if we have a host with 24 containers, all of these containers go to the router with the same IP address as the host. Masquerade does this.
Is it possible to create an LXD container with a dedicated in/out IP address?
I created iptables rules - incoming and outgoing - and they work fine.
But when restarting the host (or LXD), the line with MASQUERADE "jumps" to the first line and destroys all of POSTROUTING.
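As an added example (not from anyone in this thread), a check for the situation described above: it parses the `iptables -t nat -S POSTROUTING` listing, reports the SNAT rules whose source is already covered by an earlier MASQUERADE rule (so they never get a chance to match), and prints the commands that move them back above it. The listing in SAMPLE_RULES is constructed to mirror the thread's addresses; it is not captured from a real host.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t nat -S POSTROUTING` after a host reboot:
# LXD's MASQUERADE rule has landed above the per-container SNAT rules.
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.71.85.0/24 ! -d 10.71.85.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -s 10.71.85.107/32 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.141
-A POSTROUTING -s 10.71.85.108/32 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.138
-A POSTROUTING -s 192.168.50.5/32 ! -d 192.168.50.0/24 -j SNAT --to-source 10.10.1.145
"""

def parse_rules(listing):
    """Parse `iptables -S` lines into dicts: source network, target, rule spec."""
    rules = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "-A":
            continue  # skip the -P policy line and blank lines
        rule = {"src": None, "target": None, "spec": tokens[2:]}
        for i, tok in enumerate(tokens):
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
        rules.append(rule)
    return rules

def shadowed_snat(rules):
    """SNAT rules whose source an earlier MASQUERADE rule already matches."""
    # Conservative: only -s containment is checked, not -d / -o / marks, so a
    # reported rule may still fire when the MASQUERADE rule's other matches fail.
    shadowed, masq_nets = [], []
    for rule in rules:
        if rule["target"] == "MASQUERADE" and rule["src"] is not None:
            masq_nets.append(rule["src"])
        elif rule["target"] == "SNAT" and rule["src"] is not None:
            if any(rule["src"].subnet_of(net) for net in masq_nets):
                shadowed.append(rule)
    return shadowed

def fix_commands(rules):
    """Commands that move each shadowed SNAT rule above the MASQUERADE rule."""
    cmds = []
    for rule in reversed(shadowed_snat(rules)):  # reversed keeps relative order
        spec = shlex.join(rule["spec"])
        cmds.append(f"iptables -t nat -D POSTROUTING {spec}")
        cmds.append(f"iptables -t nat -I POSTROUTING 1 {spec}")
    return cmds
```

Feed it the real output of `iptables -t nat -S POSTROUTING` in place of SAMPLE_RULES; each emitted -D/-I pair re-inserts one shadowed rule at position 1, which is only a repair for the current boot, since LXD re-adds its rule on the next restart.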
By doing so, each container gets its own IP address from the LAN, and LXD is not involved at all in giving the IP. If you want, you can set the IP statically inside the container.
For testing it is a VM - but in production it will be bare metal.
I'm using your instructions with macvlan and it works great (set Promiscuous mode in the VMware network config).
Disabled DHCP, and after creating the container just edited (in the container) the netplan file (Ubuntu 18), set IP, Gateway and DNS from my LAN, and it's working, working, working…
Restarted the LXD host and the container works fine again - just like I need.
Another question, but maybe for a different topic - in this configuration, does the container have its own iptables? Can we run, for example, fail2ban? I will check it.