{"id":1609,"date":"2014-12-30T01:50:54","date_gmt":"2014-12-30T00:50:54","guid":{"rendered":"http:\/\/www.daniel-ritter.de\/blog\/?p=1609"},"modified":"2024-05-13T01:17:13","modified_gmt":"2024-05-12T23:17:13","slug":"debian-jessie-lxc-networking-containers-with-public-and-nated-ips","status":"publish","type":"post","link":"https:\/\/www.daniel-ritter.de\/blog\/debian-jessie-lxc-networking-containers-with-public-and-nated-ips\/","title":{"rendered":"Debian Jessie LXC networking. Containers with public and NATed IPs"},"content":{"rendered":"<p>It took me some time to get this working so it&#8217;s time for a blog post:<\/p>\n<p><strong>Scenario<\/strong><br \/>\nThis was a setup for a server in a data center with a public IP address. The server has one physical interface with a public routable IP address. Additionally I ordered another public IP address for the server to be used in one of the LXC containers. <\/p>\n<p>I have two containers.<\/p>\n<p>Container A<br \/>\n&#8222;A&#8220; gets a public routable IP address to be reachable from the internet without NATing<\/p>\n<p>Container B<br \/>\n&#8222;B&#8220; gets a private IP address and can only be reached through NAT and port mappings<\/p>\n<p>Host<br \/>\nHost has 5.5.5.1 as main public IP<br \/>\nContainer A has 5.5.5.2 as &#8222;virtual&#8220; IP<br \/>\nContainer B has 10.10.10.1 as NATed private IP<\/p>\n<p>HOST SETUP:<\/p>\n<pre>\r\n\r\n<strong>\r\n#NETWORKING CONFIG ON HOST\r\n#\/etc\/network\/interfaces<\/strong>\r\n\r\nauto lo\r\niface lo inet loopback\r\n\r\n\r\nallow-hotplug eth0\r\niface eth0 inet manual\r\n   pre-up   ifconfig eth0 up\r\n   pre-down ifconfig eth0 down\r\n\r\n\r\nauto  br0\r\niface br0 inet static\r\n  address   5.5.5.1\r\n  broadcast broadcast.ip\r\n  netmask   netmask.ip\r\n  gateway   gateway.ip\r\n  bridge_ports eth0\r\n  bridge_fd 0\r\n  bridge_maxwait 0\r\n\r\n\r\nauto  br1\r\niface br1 inet static\r\n  address   10.10.10.100\r\n  netmask   255.255.255.0\r\n  bridge_fd 0\r\n  
bridge_maxwait 0\r\n  pre-up brctl addbr br1\r\n  up iptables -t nat -F POSTROUTING\r\n\r\n  # Exclude boxes with static IPs from NATing\r\n  # (note: -s matches the source address only; the DNAT rules below match any destination,\r\n  # so traffic sent to 5.5.5.2 on those ports is still rewritten unless a rule with -d 5.5.5.2 accepts it first)\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp -s 5.5.5.2 -j ACCEPT\r\n\r\n\r\n  # Enable forwarding for NATed boxes\r\n  up iptables -t nat -A POSTROUTING -s 10.10.10.0\/24 -o br0 -j MASQUERADE\r\n\r\n  # example PORT FORWARDINGS FOR Mailserver\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 25 -j DNAT --to 10.10.10.1:25\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 465 -j DNAT --to 10.10.10.1:465\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 587 -j DNAT --to 10.10.10.1:587\r\n\r\n  # example PORT FORWARDINGS FOR Webserver\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 80 -j DNAT --to 10.10.10.2:80\r\n  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443\r\n\r\n  post-down iptables -F\r\n  post-down iptables -t nat -F\r\n  post-down brctl delbr br1\r\n\r\n\r\n<\/pre>\n<pre>\r\n<strong>\r\n#IP forwarding must be enabled in the kernel as well (don't forget reboot)\r\n#\/etc\/sysctl.conf<\/strong>\r\nnet.ipv4.ip_forward=1\r\n<\/pre>\n<p>CONTAINER A Setup (static virtual public IP):<\/p>\n<pre>\r\nlxc.utsname = containershostname\r\nlxc.network.type = veth\r\nlxc.network.flags = up\r\nlxc.network.link = br0\r\n\r\n# This is the MAC for the public IP I got from my provider\r\n# container gets its IP from the provider's DHCP\r\nlxc.network.hwaddr = 00:11:22:33:44:55\r\n\r\n<\/pre>\n<p>CONTAINER B Setup (static NATed private IP):<\/p>\n<pre>\r\nlxc.network.type = veth\r\nlxc.network.flags = up\r\nlxc.network.link = br1\r\nlxc.network.ipv4 = 10.10.10.1\r\nlxc.network.ipv4.gateway = 10.10.10.100\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>It took me some time to get this working so it&#8217;s time for a blog post: Scenario This was a setup for a server in a data center with a public IP address. 
The server has one physical interface with a public routable IP address. Additionally I ordered another public IP address for the server [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[227,224],"tags":[47,210,211,82],"class_list":["post-1609","post","type-post","status-publish","format-standard","hentry","category-linux","category-network","tag-iptables","tag-lxc","tag-nat","tag-netzwerk"],"_links":{"self":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/comments?post=1609"}],"version-history":[{"count":9,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1609\/revisions"}],"predecessor-version":[{"id":1620,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1609\/revisions\/1620"}],"wp:attachment":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/media?parent=1609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/categories?post=1609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/tags?post=1609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}