
I'm using LXC containers. Each one of my containers has an IP address in 10.0.3.0/24. I want the packets that come into my host on a certain port to be redirected to a container, so I use this rule:

iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000

This allows (outside packet) --> HOST:3000 --> CONTAINER:3000

It works great. However, when I'm inside a container (not the one used in the previous rule) and I want to access another host (say HOST2) on port 3000, my packet is redirected to my container. It does:

(inside container packet) --> HOST2:3000 --> HOST:3000 --> CONTAINER:3000

instead of (inside container packet) --> HOST2:3000 --> HOST:3000 --> HOST2:3000

I tried to change my rule above to

iptables -t nat -A PREROUTING -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000

in order to say: if a packet comes from a container, don't apply the rule. However, this doesn't work. Any help would be great. Regards

Here are my iptables rules:

Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.5:3000
    3   180 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3001 to:10.0.3.6:3001

Chain INPUT (policy ACCEPT 126 packets, 28400 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 25 packets, 1900 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 29 packets, 2140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1525 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24

By "doesn't work" I mean that when I curl any host on port 3000 from within a container, I'm redirected to my container:3000.

rmonjo
  • Can we see the whole of your nat table, with `iptables -t nat -L -n -v` (edit the output into your question)? Also, what do you mean by "*this doesn't work*". – MadHatter Nov 15 '13 at 11:25
  • Thx, I updated my question – rmonjo Nov 15 '13 at 11:51
  • Hmm, I'm not using the `-s` option correctly. It says apply the rule only for 10.0.3.0/24. How do I say apply the rule except for? – rmonjo Nov 15 '13 at 11:58
  • Sorry, I can't understand that last question. The `-s` flag says the rule applies to traffic **from** a particular range of IP addresses (`-s` = `--source`), and it looks like it's working fine, to me. – MadHatter Nov 15 '13 at 12:03
  • My `-s` flag is set to `10.0.3.0/24`, which is the containers' IP address range. But I want this rule to be applied to everyone but the containers. My `-s` flag should be something like `-s everything except 10.0.3.0/24` – rmonjo Nov 15 '13 at 12:07
  • Try `! -s 10.0.3.0/24`. You may need to protect the `!` from the shell with a backslash, or by quoting it. – MadHatter Nov 15 '13 at 12:14
  • OK, I'll post that as an answer so you can accept it, and the question will be "done and dusted". – MadHatter Nov 15 '13 at 12:20

1 Answer


The -s flag selects only that traffic that matches the host or network specified. If you want to match all traffic except that, use

! -s 10.0.3.0/24

and don't forget to escape that ! from the shell with either quotes or a backslash.

MadHatter
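The mistake in the question is easy to repeat, so here is an added example (not part of the question or the answer above) that audits a PREROUTING dump for it: it reads the output format of `iptables -t nat -L PREROUTING -n -v`, picks out the DNAT rules, and flags every rule whose source match is the container subnet or 0.0.0.0/0, because both of those also catch packets that originate inside a container. Only a source match of `!10.0.3.0/24`, the form the answer gives, is reported as fine. The chain dump embedded below is constructed to mirror the question (the rule for port 3001 is shown already corrected, and a third rule with no source match at all is added); the container subnet and the `corrected_rule` helper are assumptions for the example, not something from the original post.

```shell
#!/bin/sh
# Added example: audit nat/PREROUTING for DNAT rules that also catch
# container-originated traffic. Input format is that of
# `iptables -t nat -L PREROUTING -n -v` (read from stdin).

# Assumed container subnet (matches the question's LXC bridge range).
CONTAINER_NET="10.0.3.0/24"

# Constructed sample dump, not real system output: rule 3000 is the
# question's mistaken "-s NET", rule 3001 is the answer's "! -s NET",
# rule 3002 has no source match at all.
SAMPLE_DUMP='Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.5:3000
    3   180 DNAT       tcp  --  *      *       !10.0.3.0/24         0.0.0.0/0            tcp dpt:3001 to:10.0.3.6:3001
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3002 to:10.0.3.7:3002'

# audit_dnat_rules NET < dump
# Prints "<dport> <source-match> <verdict>" per DNAT rule, where verdict is
#   ok      - source is "!NET": container traffic is excluded
#   hijack  - source is NET or 0.0.0.0/0: container traffic is DNATed too
#   check   - some other source match; inspect by hand
audit_dnat_rules() {
    net="$1"
    awk -v net="$net" '
        $3 == "DNAT" {
            # Columns with -n -v: pkts bytes target prot opt in out source destination ...
            src = $8
            port = ""
            for (i = 9; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            if (src == "!" net)                        verdict = "ok"
            else if (src == net || src == "0.0.0.0/0") verdict = "hijack"
            else                                       verdict = "check"
            print port, src, verdict
        }'
}

# count_hijacking_rules NET < dump : number of DNAT rules flagged "hijack"
count_hijacking_rules() {
    audit_dnat_rules "$1" | awk '$3 == "hijack"' | wc -l | tr -d ' '
}

# corrected_rule NET DPORT TARGET : the rule as the answer suggests, with the
# negated source match. The "!" is a plain argument here, so it is safe from
# the shell; on an interactive command line quote it or escape it.
corrected_rule() {
    printf 'iptables -t nat -A PREROUTING ! -s %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3"
}

printf '%s\n' "$SAMPLE_DUMP" | audit_dnat_rules "$CONTAINER_NET"
printf 'rules catching container traffic: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DUMP" | count_hijacking_rules "$CONTAINER_NET")"
corrected_rule "$CONTAINER_NET" 3000 10.0.3.4:3000
```

On a real host replace the embedded dump with `iptables -t nat -L PREROUTING -n -v | audit_dnat_rules 10.0.3.0/24`. The reason the audit looks at the source column at all is that the host's bridge interface is just another interface to PREROUTING, so a port-forward with no source restriction applies to packets leaving the containers as well as to packets arriving from outside; restricting the rule to the external interface with `-i` is the other common way to express the same exclusion.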