Comment: More clarify around name of network device.

...

macvlan with Additional IP - allows you to have dedicated network interfaces (to the outside world) while actually using only one real physical network card. Unlike using a bridge, this will not have the CPU overhead or the need for your network card to work in promiscuous mode. This article builds on the work done in the introductory LXC article.

I actually use both techniques together.

...

You might want to use one IP address on the host and then map specific ports out to the containers. As a prerequisite you will need to set up a static LXC-assigned IP address.

There are a number of ways to do this but I favour iptables.

...

Code Block (bash)
netstat -an | grep LISTEN | grep 80
tcp6       0      0 fe80::2cd7:eff:fea3::53 :::*                    LISTEN 

Next, determine your host's network card name associated with the host's IP address:

Code Block (bash)
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0d:3a:02:e6:8a  
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:3aff:fe02:e68a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:964479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1199824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:333377198 (333.3 MB)  TX bytes:1757835361 (1.7 GB)


# ... more gets displayed

In this case, I know my host's public IPv6 address (TODO: add a reference on how to convert to IPv4, or do a reverse DNS lookup on the IPv6 address) is fe80::20d:3aff:fe02:e68a/64 and I see it as the first entry. This lets us know the network card name is eth0. In Ubuntu it will normally be eth0 or ens33.

While on the host, issue these commands (TBD: look at making our own named chain to distinguish the rules):

...

Now traffic arriving on port 80 on the host will be forwarded to port 80 at the container IP specified. You can see your rules with the command below (note: I still need to try the output below again on a clean machine).

Code Block (bash)
sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 15 packets, 957 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    64 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.3.10:80

Chain INPUT (policy ACCEPT 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 695K   53M MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
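The following is an added example, not code from the original page: it scripts the two manual steps above (finding the interface that carries the host IP, then building the DNAT port-forward) and puts the forward in a named chain, as the TBD note suggests. The chain name LXC_FWD is made up; eth0, 10.0.0.4 and 10.0.3.10 are the values from the page's own output, and the `ip -o -4 addr` sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original wiki page: work out the host's
# interface name from its IP (the step done by hand with ifconfig above)
# and emit the port-forward rules in a dedicated named chain.
# Assumed names: chain LXC_FWD is made up; 10.0.0.4/eth0 and 10.0.3.10
# are the values shown in the page's own output.

# Constructed sample of `ip -o -4 addr show` output so the functions can
# be tried without touching a real host.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: lxcbr0    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0\       valid_lft forever preferred_lft forever'

# iface_for_ip <ip -o -4 addr output> <ipv4 address>
# Prints the interface carrying that address, or nothing if none does.
iface_for_ip() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    $3 == "inet" { split($4, a, "/"); if (a[1] == ip) { print $2; exit } }'
}

# forward_rules <iface> <host port> <container ip> <container port> [chain]
# Prints the iptables commands; review them, then run them as root.
# The named chain is only reached from PREROUTING on the outside
# interface, so the DNAT cannot capture traffic arriving on lxcbr0 or lo.
# The FORWARD accept is needed when the FORWARD policy is DROP; the -C
# checks keep the script idempotent when re-run.
forward_rules() {
  iface=$1 host_port=$2 ct_ip=$3 ct_port=$4 chain=${5:-LXC_FWD}
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -N $chain 2>/dev/null || true
iptables -t nat -C PREROUTING -i $iface -j $chain 2>/dev/null || iptables -t nat -A PREROUTING -i $iface -j $chain
iptables -t nat -A $chain -p tcp --dport $host_port -j DNAT --to-destination $ct_ip:$ct_port
iptables -C FORWARD -i $iface -p tcp -d $ct_ip --dport $ct_port -j ACCEPT 2>/dev/null || iptables -A FORWARD -i $iface -p tcp -d $ct_ip --dport $ct_port -j ACCEPT
EOF
}

# Demonstration against the constructed sample: resolves eth0, prints rules.
iface=$(iface_for_ip "$SAMPLE_IP_ADDR" 10.0.0.4)
forward_rules "$iface" 80 10.0.3.10 80
```

On a real host replace the sample with `$(ip -o -4 addr show)`; the resulting rule set shows up under `iptables -t nat -L LXC_FWD -n -v` instead of being mixed into PREROUTING.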

...