
Almost embarrassed to post this, but it's one of the few times I can't put into words (properly) what I'm trying to do and Google it.

I have a hosted Ubuntu server with two public IPs. The host machine will have some services available to it, and then I have LXC containers set up with their own private /24 and masqueraded out.

The problem is that everything funnels through the primary public IP, and I need all traffic coming from the LXC containers to come from the secondary public IP while leaving the host traffic alone.

Here's the layout:

eth0   1.1.1.2/24 gateway of 1.1.1.1

eth0:1 1.1.1.3/24

lxcbr0 10.0.3.1/24

iptables (current):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24

I tried:

iptables -t nat -I POSTROUTING 1 -s 10.0.3.0/24 -o eth0:1 -j SNAT --to-source 1.1.1.2

and

iptables -t nat -I POSTROUTING 1 -s 10.0.3.0/24 -o lxcbr0 -j SNAT --to-source 1.1.1.2

To no avail. I'm sure I'm doing it wrong, as I'm not as well versed in iptables as in other firewalls.

Matt

1 Answer

Assuming the secondary IP is really 1.1.1.3 and not 1.1.1.2 (your examples are confusing; otherwise, in the rules below, just replace the IP with the other one), this rule should work:

iptables -t nat -I POSTROUTING -s 10.0.3.0/24 -o eth0 -j SNAT --to-source 1.1.1.3

Most tools won't care about, nor know about, the use of an alias interface name: you have to supply eth0, not eth0:1, to iptables. Your 2nd attempt can't work as-is: lxcbr0 would be the input interface, but POSTROUTING handles only output interfaces (you could do that using a mark, but it's more complex).

To keep it similar to your existing rule, this would also work:

iptables -t nat -I POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j SNAT --to-source 1.1.1.3

Actually, you can add your 2nd IP without creating this alias name at all: ip addr add 1.1.1.3/24 dev eth0 (instead of ifconfig eth0:1 1.1.1.3 netmask 255.255.255.0, and without the probably unneeded broadcast). But then only ip addr show dev eth0 would show it, because ifconfig eth0 would most likely not display the 2nd IP. (To be thorough: you can even avoid adding this IP at all if you play with proxy ARP and routes, handy if you have a whole LAN of public IPs instead of 2.)

A.B
Using the second example put me on the best path to date, thank you! 1.1.1.2 and 1.1.1.3 are just examples of primary and secondary public IP addresses. Following normal protocol, I shouldn't post real public IP addresses. Thanks again! – Matt Nov 08 '16 at 19:49
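A small added script (not from the question or the answer) that puts the answer's two points into checkable form: it refuses alias names like eth0:1, emits the ip/iptables commands with the SNAT rule inserted at position 1, and checks a saved nat POSTROUTING listing to confirm the container SNAT rule is evaluated before the MASQUERADE rule. The addresses, device name and the two listings are constructed from the post's example values, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the
# three values below (the post's example addresses) and a listing in the
# format of "iptables -t nat -S POSTROUTING".

CONTAINER_NET="10.0.3.0/24"   # lxcbr0 subnet from the question
SECONDARY_IP="1.1.1.3"        # secondary public IP (example value from the post)
WAN_IF="eth0"                 # real device: iptables does not know alias names like eth0:1

# Reject alias-style names (eth0:1): iptables -o only matches the base device.
check_iface() {
    case "$1" in
        *:*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Print the commands: add the address to eth0 (no alias), then insert the
# SNAT rule at position 1 so it is evaluated before the MASQUERADE rule.
gen_commands() {
    check_iface "$WAN_IF" || { echo "alias interface name rejected: $WAN_IF" >&2; return 1; }
    printf 'ip addr add %s/24 dev %s\n' "$SECONDARY_IP" "$WAN_IF"
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -o %s -j SNAT --to-source %s\n' \
        "$CONTAINER_NET" "$WAN_IF" "$SECONDARY_IP"
}

# Read "iptables -t nat -S POSTROUTING" output on stdin. SNAT and MASQUERADE
# both terminate the chain on first match, so the container SNAT rule must
# appear before any MASQUERADE rule; exit 0 if so, 1 otherwise.
snat_before_masq() {
    awk -v net="$CONTAINER_NET" '
        /-j SNAT/ && index($0, "-s " net) && !snat { snat = NR }
        /-j MASQUERADE/ && !masq { masq = NR }
        END { if (snat && (!masq || snat < masq)) exit 0; exit 1 }'
}

# Constructed sample listings (not captured from a real host).
GOOD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.3.0/24 -o eth0 -j SNAT --to-source 1.1.1.3
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE'
BAD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 -o eth0 -j SNAT --to-source 1.1.1.3'

gen_commands
printf '%s\n' "$GOOD_LISTING" | snat_before_masq && echo "good listing: SNAT first"
printf '%s\n' "$BAD_LISTING"  | snat_before_masq || echo "bad listing: MASQUERADE wins first"
```

On a live host, feed the real output of iptables -t nat -S POSTROUTING into snat_before_masq to confirm the rule order after a reboot or a firewall reload.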