Introduction

By default, your containers are accessible only from the host. For serious use you will want to expose some containers to the outside world. There are various ways of doing this. Currently I have settled on the following,

...

Warning

Make sure to change the password of, or better, remove the default ubuntu account generated by the lxc creation script before making the container accessible to the Internet. (Roderick, please add this as a step further down.)

UFW

UFW in the Host

UFW is a great, simple firewall, but at this point I do not recommend installing it on your host. First, port forwarding is overly complex and seems like a hack, whereas it is very simple with iptables.

If you insist on using UFW, make sure to change its default forward policy so that forwarded packets are not dropped. I will revisit this later, as I do like UFW. Perhaps I can ask the developers to make port forwarding more straightforward.

UFW in a Container

Also, as I understand it, firewalls work at the kernel level, and containers share the host's kernel. So you should not be installing UFW or even iptables inside a container for now.

...

Now traffic arriving on port 80 on the host will be forwarded to port 80 at the container IP specified.

macvlan with Additional IP

For further isolation you may have purchased an additional IP address. In most hosting services this is not expensive, but they will likely not give you a dedicated network card. In this example we purchase an additional static IP from the hosting company and use the same network card as the host.

...

If you had previously assigned a static IP to the container using /etc/lxc/dnsmasq.conf make sure to remove the entry (I believe you also need to restart the host).

macvlan mac address

The first thing to do is to create a mac address for the macvlan interface to be created on the host.

...

Warning

You cannot use the same MAC address on multiple containers on the same host. Otherwise the container will not start, and you will receive an error message saying the interface is already in use.
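As an added example (not from this page or from LXC itself) covering both the step above of creating a MAC address and this warning: a POSIX sh script that generates a MAC in the 00:16:3e range the LXC templates use, checks it against the lxc.network.hwaddr lines of every container config on the host, and reports any address already shared by two containers. LXC_DIR, the 00:16:3e prefix and the lxc.network.hwaddr key are assumptions about the LXC version in use.

```shell
#!/bin/sh
# Added example, not from the wiki page: generate a MAC for a macvlan interface
# and check that no other container on the host already uses it (a duplicate
# hwaddr means the container will not start, as the warning above says).
# Assumptions: config key lxc.network.hwaddr, prefix 00:16:3e, LXC_DIR=/var/lib/lxc.

LXC_DIR="${LXC_DIR:-/var/lib/lxc}"

# Print a new random MAC in the 00:16:3e:xx:xx:xx range used by the LXC templates.
gen_mac() {
    od -An -N3 -tx1 /dev/urandom | awk '{ printf "00:16:3e:%s:%s:%s\n", $1, $2, $3 }'
}

# List every configured hwaddr under LXC_DIR as "<mac> <container>", one per line,
# lower-cased so that a difference in letter case cannot hide a duplicate.
list_hwaddrs() {
    for cfg in "$LXC_DIR"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        sed -n 's/^[[:space:]]*lxc\.network\.hwaddr[[:space:]]*=[[:space:]]*//p' "$cfg" \
          | tr 'A-F' 'a-f' | while read -r mac; do
              [ -n "$mac" ] && printf '%s %s\n' "$mac" "$name"
          done
    done
}

# Return 0 if MAC $1 is unused on this host; otherwise print the owner and return 1.
mac_is_free() {
    owner=$(list_hwaddrs | awk -v m="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '$1 == m { print $2 }')
    if [ -n "$owner" ]; then
        echo "MAC $1 already used by container: $owner" >&2
        return 1
    fi
    return 0
}

# Report every MAC shared by more than one container: "<mac>: <name> <name> ...".
find_duplicates() {
    list_hwaddrs | sort | awk '{ owners[$1] = owners[$1] " " $2; n[$1]++ }
                              END { for (m in n) if (n[m] > 1) print m ":" owners[m] }'
}

# Pick a fresh MAC, retrying in the unlikely event of a collision with an existing one.
new_unique_mac() {
    while :; do
        mac=$(gen_mac)
        mac_is_free "$mac" 2>/dev/null && { echo "$mac"; return 0; }
    done
}
```

Run `find_duplicates` before starting containers to catch the shared-address case early, and `new_unique_mac` when writing a new lxc.network.hwaddr line.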

Command Line macvlan

(move this section out as a subpage)

...

I believe you must have one macvlan mapped to one container interface, and they all must have different static IP addresses. This still needs testing. I tried replicating my steps in a new container and, though it got the IP address, I could not connect.

Create a Permanent macvlan on the Host

Add to the bottom of the /etc/network/interfaces file,

...

Scenario 2 may or may not work, in which case we would want to create a scenario 3 by adding an additional macvlan, mvlan1.

Connect Container to macvlan on Host

Now one or more containers may connect to the mvlan0 interface on the host. They will get their IPs directly from the same network the host is connected to (if DHCP), or you can assign static IPs inside the container from the addresses reserved for you.

...

Above we now have two interfaces. The static one, eth0, is the public IP address we purchased, and the second is the internal LXC-assigned address.

Update dnsmasq

Make sure to check your dnsmasq configuration and modify it accordingly. In this example, since we modified a container that was already using dnsmasq, we needed to change the original /etc/lxc/dnsmasq.conf,

...

The container called "web" now has two interfaces. In order for dnsmasq to know which interface to assign the address to, you must specify the MAC address.

Multiple Interfaces

In most cases you will want multiple interfaces. In this example, we built a front-end container called "web" and gave it a public IP address using macvlan. In addition, we created an "app" container which has an lxc internal IP address. In order for web and app to communicate, web must have a second interface that also uses an lxc-provided internal IP address.

(...draw a diagram here...)

macvtap

This looks promising... The most prominent user of macvtap interfaces seems to be libvirt/KVM, which allows guests to be connected to macvtap interfaces. Doing so allows for (almost) bridged-like behaviour of guests but without the need to have a real bridge on the host, as a regular ethernet interface can be used as the macvtap's lower device.

References

Networking - https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network

...