I have a pretty default lxc setup with one host and several containers. One container, webfrontend, gets all host traffic on ports 80 and 443 via DNATing the ports. An nginx on webfrontend decides via vhosts which container webappX should get the request and proxies the request through to webappX's private IP:

```
host:443 <--prerouting--> webfrontend:443 <--nginx--> webappX-private:80
```

```
-A PREROUTING -d 80.x.x.x/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.100:443
```
- Host (public): 80.x.x.x
- webfrontend (lxcbr0): 10.0.3.100
- webappX (lxcbr0): 10.0.3.200
- webappY (lxcbr0): 10.0.3.201
- ...
This works fine and allows a central point for letsencrypt certificates, etc.

However, when webappX needs to access webappY, the connection is refused and the webfrontend never sees the request. I can access webappY on the private IP (from webappX), but I cannot access webappY-public (aka the webfrontend):

```
root@webappX:~# curl -I http://10.0.3.201
HTTP/1.1 200 OK
[...]
root@webappX:~# curl -I http://webappY.example.com
curl: (7) Failed to connect to webappY.example.com port 80: Connection refused
root@webappX:~# nslookup webappY.example.com
[...]
Name: webappY.example.com
Address: 80.x.x.x
```
Forwarding between the containers is given:

```
*filter
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
```
So far, I've tried setting POSTROUTING rules and OUTPUT rules on eth0 and lo without success.

Any ideas?
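To see why the DNAT rule from the question never fires for container-originated traffic, here is a small matcher for rules written in the same `-A PREROUTING ...` syntax the question shows. This is an added example, not code from the question or from lxc/iptables: it parses the rule and evaluates which rule, if any, would DNAT a given packet. The placeholder address 80.0.0.1 stands in for the question's 80.x.x.x, and the second rule (matching `-i lxcbr0`) is an assumption added to illustrate the interface-match point only; it is not claimed to be the complete fix, since the return path from webfrontend back to webappX is a separate concern.

```python
"""Minimal matcher for iptables-save style nat PREROUTING rules.

Added example, not from the original question. It evaluates packets
against rules in the question's own syntax to show which interface a
packet must arrive on for the DNAT rule to match.
"""
import ipaddress
import shlex

# The question's rule, with 80.x.x.x replaced by the placeholder 80.0.0.1.
PAGE_RULE = ("-A PREROUTING -d 80.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 "
             "-j DNAT --to-destination 10.0.3.100:443")

# Assumed hairpin rule, NOT on the original page: identical except that it
# matches packets arriving on the container bridge instead of eth0.
HAIRPIN_RULE = ("-A PREROUTING -d 80.0.0.1/32 -i lxcbr0 -p tcp -m tcp --dport 443 "
                "-j DNAT --to-destination 10.0.3.100:443")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria and target."""
    tokens = shlex.split(line)
    rule = {"chain": None, "dst": None, "iface": None, "proto": None,
            "dport": None, "target": None, "to": None}
    i = 0
    while i < len(tokens):
        t, arg = tokens[i], tokens[i + 1]
        if t == "-A":
            rule["chain"] = arg
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-i":
            rule["iface"] = arg
        elif t == "-p":
            rule["proto"] = arg
        elif t == "-m":
            pass  # match extension name (e.g. "-m tcp"); its options follow
        elif t == "--dport":
            rule["dport"] = int(arg)
        elif t == "-j":
            rule["target"] = arg
        elif t == "--to-destination":
            rule["to"] = arg
        else:
            raise ValueError(f"unsupported token {t!r}")
        i += 2
    return rule


def parse_rules(dump):
    """Parse a multi-line dump, skipping blank lines."""
    return [parse_rule(l) for l in dump.strip().splitlines() if l.strip()]


def matches(rule, pkt):
    """pkt is a dict with in_iface, dst, proto and dport; unset criteria match anything."""
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["in_iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def dnat_destination(rules, pkt, chain="PREROUTING"):
    """First matching DNAT rule in the chain wins, as in netfilter; None if none applies."""
    for rule in rules:
        if rule["chain"] == chain and rule["target"] == "DNAT" and matches(rule, pkt):
            return rule["to"]
    return None


def evaluate(dump, pkt):
    """Convenience wrapper: parse the dump and evaluate one packet against it."""
    return dnat_destination(parse_rules(dump), pkt)


if __name__ == "__main__":
    # Constructed packets: one from the Internet on eth0, one from a
    # container that reached the host via the lxcbr0 bridge.
    from_internet = {"in_iface": "eth0", "dst": "80.0.0.1", "proto": "tcp", "dport": 443}
    from_container = {"in_iface": "lxcbr0", "dst": "80.0.0.1", "proto": "tcp", "dport": 443}
    print("internet,  page rule only :", evaluate(PAGE_RULE, from_internet))
    print("container, page rule only :", evaluate(PAGE_RULE, from_container))
    print("container, with lxcbr0 rule:", evaluate(PAGE_RULE + "\n" + HAIRPIN_RULE, from_container))
```

Run it and the packet from webappX, which enters the host on lxcbr0 rather than eth0, gets no DNAT from the question's rule, so the connection is attempted against the host's own port 443 instead of being redirected to webfrontend. Only a rule whose interface match covers lxcbr0 would redirect it.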
DNAT rules, mainly because the traffic comes from another interface than eth0. However, I'm not sure that's all.