I’m deploying this scenario:
Physical host:
- WAN NIC 192.168.1.2/24 gw 192.168.1.1
- LAN NIC bridged (br0) 172.16.1.100/16
- iptables allows NAT traffic and forwards DNAT ports
Virtual machine within physical host:
- NIC bridged 172.16.2.100/16 gw 172.16.1.100
- iptables allows NAT traffic and forwards DNAT ports
Unprivileged LXC container within VM:
lxc.net.0.ipv4.address = 172.16.2.11/16
lxc.net.0.ipv4.gateway = 172.16.2.100
The physical (iptables) host forwards TCP port 1022 to 172.16.2.100 (= VM).
The physical (iptables) host forwards TCP port 11022 to 172.16.2.100 (= VM).
The VM host serves its own SSH service on port 1022.
The VM (iptables) host forwards TCP port 11022 to 172.16.2.11 (= container).
The container serves its own SSH service on port 11022.
When I connect from the Internet to the VM (SSH session on port 1022), I can run the “w” command and see that my session comes FROM my public Internet address.
The problem: when I connect from the Internet to the container (SSH session on port 11022), I can run the “w” command, but I see that my session is detected as coming FROM the virtual machine (172.16.2.100) instead of the real Internet origin.
This is a problem when trying to distinguish visitors' origin on a webserver.
What am I doing wrong?
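The question turns on the difference between DNAT (rewrites the destination in PREROUTING, keeps the client's source) and SNAT/MASQUERADE (rewrites the source in POSTROUTING). The following is an added example, not part of the original question or of any answer to it: a small model of the netfilter nat table that runs a forwarded packet through the VM's PREROUTING and POSTROUTING chains. The two rule sets, the public client address 203.0.113.7 and the Internet host 198.51.100.5 are constructed; the VM (172.16.2.100) and container (172.16.2.11) addresses and port 11022 come from the question. It shows that a catch-all MASQUERADE rule reproduces the symptom (the container sees the VM as the source), while a MASQUERADE rule limited to traffic leaving 172.16.0.0/16 keeps the real client address and still masquerades the container's outbound traffic.

```python
"""Toy model of the netfilter nat table (PREROUTING runs before the routing
decision, POSTROUTING after it) to show why a forwarded SSH connection can
arrive at a container with the forwarding host's address as its source."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                      # "PREROUTING" or "POSTROUTING"
    target: str                     # "DNAT", "SNAT" or "MASQUERADE"
    to: Optional[str] = None        # --to-destination / --to-source
    dport: Optional[int] = None     # -p tcp --dport N
    not_dst: Optional[str] = None   # ! -d <cidr>

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.not_dst is not None and ip_address(pkt.dst) in ip_network(self.not_dst):
            return False
        return True


def run_chain(rules: List[Rule], chain: str, pkt: Packet, host_ip: str) -> Packet:
    """First matching rule in the chain wins; the nat table is consulted only
    for the first packet of a connection and the mapping is reused afterwards."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        if rule.target == "DNAT":
            return replace(pkt, dst=rule.to)
        if rule.target == "SNAT":
            return replace(pkt, src=rule.to)
        if rule.target == "MASQUERADE":
            # MASQUERADE rewrites the source to the address of the outgoing
            # interface; the VM here has a single NIC, so that is host_ip.
            return replace(pkt, src=host_ip)
    return pkt


def forward(rules: List[Rule], pkt: Packet, host_ip: str) -> Packet:
    """A packet transiting the host: PREROUTING (DNAT), then POSTROUTING (SNAT).
    POSTROUTING sees the destination as already rewritten by DNAT."""
    pkt = run_chain(rules, "PREROUTING", pkt, host_ip)
    return run_chain(rules, "POSTROUTING", pkt, host_ip)


VM_IP = "172.16.2.100"          # from the question
CONTAINER_IP = "172.16.2.11"    # from the question
PRIVATE_NET = "172.16.0.0/16"   # from the question

# The port forward from the question: VM:11022 -> container:11022
DNAT_CONTAINER = Rule("PREROUTING", "DNAT", to=CONTAINER_IP, dport=11022)

# Constructed rule set A: a catch-all MASQUERADE on the VM, i.e. the common
# "-t nat -A POSTROUTING -j MASQUERADE" with no interface or destination match.
BROAD_NAT = [DNAT_CONTAINER, Rule("POSTROUTING", "MASQUERADE")]

# Constructed rule set B: MASQUERADE only traffic that leaves the private
# network, i.e. "-t nat -A POSTROUTING ! -d 172.16.0.0/16 -j MASQUERADE".
SCOPED_NAT = [DNAT_CONTAINER, Rule("POSTROUTING", "MASQUERADE", not_dst=PRIVATE_NET)]


def source_seen_by_container(rules: List[Rule], public_src: str = "203.0.113.7") -> str:
    """Source address the container's sshd (and its `w` output) will record for
    a client at public_src connecting to the VM on the forwarded port."""
    inbound = Packet(src=public_src, dst=VM_IP, dport=11022)
    return forward(rules, inbound, VM_IP).src


def outbound_source(rules: List[Rule], internet_host: str = "198.51.100.5") -> str:
    """Source address an Internet host sees for a connection made by the container."""
    outbound = Packet(src=CONTAINER_IP, dst=internet_host, dport=443)
    return forward(rules, outbound, VM_IP).src


if __name__ == "__main__":
    print("catch-all MASQUERADE, container sees:", source_seen_by_container(BROAD_NAT))
    print("scoped MASQUERADE,    container sees:", source_seen_by_container(SCOPED_NAT))
    print("scoped MASQUERADE,    Internet sees container as:", outbound_source(SCOPED_NAT))
```

On a real VM, `iptables -t nat -S POSTROUTING` lists the actual rules in the order the model applies them; a MASQUERADE or SNAT rule there without an interface (`-o`) or destination (`! -d`) restriction matches the DNATed SSH traffic on its way to the container, which is the behaviour rule set A models. The model ignores the filter table and conntrack, so it only illustrates which address ends up in the container's logs, not whether the packet is accepted.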