
I have an Ubuntu Server with LXD. Every container has its own (local) IP address. Example: LXD host: 10.10.1.200, DNS container: 10.10.1.141, LXC inside address: 10.71.85.107

OK, that is no problem; incoming packets are translated:

    iptables -t nat -A PREROUTING -d 10.10.1.141 -i ens160 -p udp --dport 53 -j DNAT --to-destination 10.71.85.107:53

and in iptables I have:

    254K   18M DNAT       udp  --  ens160 *       0.0.0.0/0            10.10.1.141          udp dpt:53 to:10.71.85.107:53

It works fine.

The problem is with outgoing packets: I need outgoing packets from the container to have the same IP address. Same example: DNS container: outgoing packets should have the address 10.10.1.141. So I add this to iptables:

    sudo iptables -t nat -I POSTROUTING -s 10.71.85.107 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.141

and in iptables I have this:

     166K   13M SNAT       all  --  *      *       10.71.85.107        !10.71.85.0/24        to:10.10.1.141
     330 27582 MASQUERADE  all  --  *      *       10.71.85.0/24       !10.71.85.0/24        /* generated for LXD network lxdbr0 */

It works fine!

The real problem is when I restart the LXD host; then I have this in iptables:

    330 27582 MASQUERADE  all  --  *      *       10.71.85.0/24       !10.71.85.0/24        /* generated for LXD network lxdbr0 */
     166K   13M SNAT       all  --  *      *       10.71.85.107        !10.71.85.0/24        to:10.10.1.141

MASQUERADE is on the TOP, and all outgoing packets have the LXD host address (10.10.1.200). Is there any chance to change this? Why does LXD always set MASQUERADE first? Is there any chance to change this?


That's a 2-month-old question, but as no one gave an answer and Google often leads people to the Stack* sites, why not give one.

I am going to focus on the question in the OP. I am completely ignoring the mentioned setup.

Why LXD always set Masquerade first? Is any chance to change this?

Yes, LXC allows you to at least somehow define where it is going to add its rules. Have a look at the parameter documentation of LXC networking: LXC Network Parameters.
The parameter ipv4.nat.order defines whether to add the lxc NAT rules before or after pre-existing network rules.

You can view the networks known to lxc from a shell via lxc network list.
Editing a network is done with the command lxc network edit <network name>.


Example:

A standard lxc network would be lxdbr0. Therefore just do lxc network edit lxdbr0 and add ipv4.nat.order: "after" to the configuration.

config:
  ipv4.address: 10.0.4.1/24
  ipv4.nat: "true"
  ipv4.nat.order: "after"
description: ""
name: lxdbr0
type: bridge
used by:
- /1.0/containers/c1
- /1.0/containers/c2
- /1.0/containers/c3
managed: true
status: Created
locations:
- none

HINT: You can also keep lxc from adding NAT rules at all by setting ipv4.nat to false. You then need to write the masquerade rule yourself, but there may be use cases that benefit from a setup like that.
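As an added example (not code from the question or the answer above): a small POSIX shell check that reads the rule listing printed by iptables -t nat -S POSTROUTING and reports whether the per-container SNAT rule is evaluated before LXD's MASQUERADE rule. Since iptables stops at the first matching rule, that ordering is exactly what has to survive a reboot for the container to keep leaving as 10.10.1.141. The two listings embedded below are constructed samples built from the question's addresses, not output captured from a host; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Checks the nat POSTROUTING chain order: the first matching rule wins, so a
# MASQUERADE rule listed before the container's SNAT rule makes the container
# leave with the host address (the symptom described in the question).
#
# Input format: the rule-spec listing from `iptables -t nat -S POSTROUTING`.
# Both listings below are CONSTRUCTED samples using the question's addresses.

# Ordering the question wants (SNAT first), e.g. after ipv4.nat.order: "after".
GOOD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.71.85.107/32 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.141
-A POSTROUTING -s 10.71.85.0/24 ! -d 10.71.85.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE'

# Ordering seen after a reboot with the default nat order (MASQUERADE first).
BAD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.71.85.0/24 ! -d 10.71.85.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -s 10.71.85.107/32 ! -d 10.71.85.0/24 -j SNAT --to-source 10.10.1.141'

# snat_precedes_masquerade LISTING SOURCE
#   LISTING: text of `iptables -t nat -S POSTROUTING`
#   SOURCE:  the container source exactly as iptables prints it, e.g. 10.71.85.107/32
# Exit status 0 when the first SNAT rule for SOURCE is listed before the first
# MASQUERADE rule (or there is no MASQUERADE rule at all); 1 when MASQUERADE
# comes first or the SNAT rule is missing altogether.
snat_precedes_masquerade() {
    listing=$1
    src=$2
    printf '%s\n' "$listing" | awk -v src="$src" '
        /-j MASQUERADE/ && !masq { masq = NR }
        index($0, "-s " src " ") && /-j SNAT/ && !snat { snat = NR }
        END { exit ((snat && (!masq || snat < masq)) ? 0 : 1) }
    '
}

# report_nat_order LISTING SOURCE: print a one-line verdict, return the check status.
report_nat_order() {
    if snat_precedes_masquerade "$1" "$2"; then
        echo "OK: SNAT for $2 is evaluated before MASQUERADE"
        return 0
    fi
    echo "PROBLEM: MASQUERADE precedes the SNAT rule for $2 (or the SNAT rule is missing)"
    return 1
}

# On a real LXD host (as root) you would feed the live chain instead:
#   report_nat_order "$(iptables -t nat -S POSTROUTING)" 10.71.85.107/32
# The sample runs below use the constructed listings only.
report_nat_order "$GOOD_LISTING" 10.71.85.107/32
report_nat_order "$BAD_LISTING" 10.71.85.107/32 || true
```

Run it from cron or a boot-time unit on the host and alert on a non-zero status; a missing SNAT rule is reported the same way as a misordered one, since both leave the container masqueraded behind the host address.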
