One-to-one mapping of port range from Hardware Node to VZ Containers with iptables

Question

At anytime I have about 3-4 VZ containers on a server(the Hardware Node on CentOS6). I have webservers, ssh, mail, etc running on the different Containers. From another host in the network, they are accessed as ip.of.hardware.node:port and iptables forwards them with a rule in the nat table.

To explain what I really want:
Assume my Container IDs are 2, 3, 4. And their IPs respectively are 192.168.0.2, 192.168.0.3, 192.168.0.4.
I want a setup where in if anyone accesses ip.of.hardware.node:2080, the connection should be forwarded to 192.168.0.2:80.
Similarly:
ip.of.hardware.node:2022 => 192.168.0.2:22 (ContainerID: 2)
ip.of.hardware.node:3022 => 192.168.0.3:22 (ContainerID: 3)
ip.of.hardware.node:4080 => 192.168.0.4:80 (ContainerID: 4)
ip.of.hardware.node:4443 => 192.168.0.4:443 (ContainerID: 4)
... and so on.

This way, each Container gets a block of 1000 ports to work in. Is there a way to achieve this without specifying 1000 rules for each Container?

Answer 1

On the hardware node, you would need to create an IPtables DNAT rule for each forwarded service you want.

Using your example scenario:

iptables -t nat -A PREROUTING -p tcp --dport 2022 -i eth0 -j DNAT --to-destination 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 3022 -i eth0 -j DNAT --to-destination 192.168.0.3:22
iptables -t nat -A PREROUTING -p tcp --dport 4080 -i eth0 -j DNAT --to-destination 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp --dport 4443 -i eth0 -j DNAT --to-destination 192.168.0.4:443

If you plan on deploying many more containers and services, you could script the creation of these rules based on your port conventions.