I'm dealing with LXC, iptables and route, and at this point I'm not even sure what I'm doing anymore. For the sake of simplicity, every policy in iptables is set to ACCEPT and forwarding is set to 1 in sysctl.conf in each host or container.

My goal here is to be able to pass a ping request through an LXC container, from outside of its host. Let me clarify this:

Let's say I have a client C, who wants to ping a server S, but I have a gateway G in between, and an LXC container L within G.

C (eth0 192.168.0.3/24) <---> (eth0 192.168.0.2/24) G (eth1 192.168.1.3/24) <---> (eth0 192.168.1.4/24) S

Then, inside G we would have:

(eth0 192.168.0.2/24) <---> (virbr0 10.0.0.2/24) L (virbr1 10.0.1.3/24) <---> (eth1 192.168.1.3/24)

So basically, I'd like to ping S from C but in such a way that the request must transit through L (and therefore through G), using iptables and route.

Hope you can help me out!

MathT

1 Answer

Could you share your reason for doing this? Is this for monitoring? Routing through a NAT is unnecessarily convoluted.

I suggest setting up a bridged network, rather than a NAT-ed one, where:

  1. virbr0 is bridged with eth0
  2. virbr1 is bridged with eth1

This way, your LXC host can sport an IP address of 192.168.0.x and 192.168.1.x (i.e. in the same subnet as eth0 and eth1).

Once that is done, create routing entries in both the server and client, using the LXC host as the router. Essentially L replaces G.

Let's assign 192.168.0.10 and 192.168.1.10 to L. The routed network will look like this:

C (192.168.0.3) <--> (192.168.0.10) L (192.168.1.10) <--> S (192.168.1.4)

Let me know if this works for you before I post the full answer. It's quite a bit of configuration.

Eugene Chow
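The bridged layout the answer proposes, written out as an added example (not code from the question or the answer): the bridge setup on G, the container network config for L, the forwarding and filtering inside L, and the routes on C and S. The addresses come from the thread; the `lxc.net.*` key syntax (LXC 2.1 and later), the container-side interface names eth0/eth1 and the ICMP-only FORWARD rules are assumptions.

```shell
#!/bin/sh
# Added example, not part of the question or the answer: the bridged layout
# the answer proposes, as shell functions to run on each host.
# Addresses (192.168.0.10 and 192.168.1.10 for L, 192.168.0.3 for C,
# 192.168.1.4 for S) come from the thread; the lxc.net.* key syntax
# (LXC >= 2.1) and the interface names inside L are assumptions.
# Commands are printed, not executed, unless DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# On G: bridge each physical NIC so L sits directly on both LANs.
# G needs no address on the bridges; L replaces G as the router.
g_bridges() {
  for pair in virbr0:eth0 virbr1:eth1; do
    br=${pair%%:*}; nic=${pair##*:}
    run ip link add "$br" type bridge
    run ip link set "$nic" master "$br"
    run ip link set "$br" up
  done
}

# Config fragment for L: one veth on each bridge, addresses from the answer.
l_config() {
  cat <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = virbr0
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 192.168.0.10/24
lxc.net.1.type = veth
lxc.net.1.link = virbr1
lxc.net.1.name = eth1
lxc.net.1.flags = up
lxc.net.1.ipv4.address = 192.168.1.10/24
EOF
}

# Inside L: forward between the LANs, but only the ping and its replies;
# the question's ACCEPT-all policy is fine for debugging, not for a router.
l_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.3 -d 192.168.1.4 \
    -p icmp --icmp-type echo-request -j ACCEPT
}

# On C and S: reach the far subnet via L instead of G.
c_route() { run ip route add 192.168.1.0/24 via 192.168.0.10; }
s_route() { run ip route add 192.168.0.0/24 via 192.168.1.10; }
```

Source the file and call the function that belongs to the host you are on; with the default DRY_RUN=1 each function only prints the commands it would run.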