...
macvlan with an additional IP - lets you give containers dedicated network interfaces (to the outside world) while actually using only one real physical network card. Unlike a bridge, this does not incur the CPU overhead or the need for your network card to run in promiscuous mode. This article builds on the work done in the introductory LXC article.
I actually use both techniques together.
...
You might want to use one IP address on the host and then map specific ports through to the containers. As a prerequisite you will need to set up a static LXC-assigned IP address.
There are a number of ways to do this, but I favour iptables.
...
```
netstat -an | grep LISTEN | grep 80
tcp6       0      0 fe80::2cd7:eff:fea3::53 :::*                    LISTEN
```
Next, determine the host's network card name associated with the host's IP address:
```
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0d:3a:02:e6:8a
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:3aff:fe02:e68a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:964479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1199824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:333377198 (333.3 MB)  TX bytes:1757835361 (1.7 GB)
# ... more gets displayed
```
In this case, I know my host's public IPv6 address (TODO: add a reference on how to convert to IPv4, or how to do a reverse DNS lookup on an IPv6 address) is fe80::20d:3aff:fe02:e68a/64, and I see it as the first entry. This lets us know the network card name is eth0. In Ubuntu it will normally be eth0 or ens33.
While on the host, issue these commands (TBD: look at making our own named chain to distinguish the rules):
...
Now traffic arriving on port 80 on the host will be forwarded to port 80 at the container IP specified. You can see your rules with the following command (note: I still need to re-run and review the output below on a clean machine).
```
sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 15 packets, 957 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    64 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.3.10:80

Chain INPUT (policy ACCEPT 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 695K   53M MASQUERADE all  --  *      *       10.0.3.0/24          !10.0.3.0/24
```
...