iptables rules for two different lxc containers


Postby yuanyin » Mon Dec 04, 2017 9:48 am

Hi to all, I'm asking for some help with my question.
The situation is the following:
I have followed my theory and until now I have the following: I'm running two LXC containers on a VPS10 machine and, being new to the iptables area, I'm trying to create rules to forward external traffic into the containers. The first one (192.168.1.2) is running an OpenVPN server while the second one (192.168.1.4) is running a web server.
Until now I used only the OpenVPN LXC and had these iptables rules for forwarding the traffic:

Code:
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*filter
:INPUT ACCEPT [1189211:150089991]
:FORWARD ACCEPT [902865:826112449]
:OUTPUT ACCEPT [1324099:212970374]
COMMIT
# Completed on Fri Apr 28 16:07:58 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*nat
:PREROUTING ACCEPT [36:1998]
:INPUT ACCEPT [17:858]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 28 16:07:58 2017
Now that I want to set up the web server, I added this iptables rule in order to forward HTTP traffic to the web server container.

Code:
iptables -t nat -A PREROUTING -p tcp -m conntrack --ctstate NEW --dport 80 -j DNAT --to-destination 192.168.1.4:80
The thing is that while the forwarding to port 80 seems to work (I can visit nginx's welcome page), OpenVPN clients don't have a proper internet connection (although they can ping the outside world). By this I mean that sites load very slowly and some others don't load at all (it seems that HTTP traffic is getting lost somewhere). If I remove the above rule, everything in the OpenVPN client connection works as expected, but I lose the HTTP server.

P.S.: The final rules are these
Code:
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*filter
:INPUT ACCEPT [1190228:150215153]
:FORWARD ACCEPT [902877:826113261]
:OUTPUT ACCEPT [1325229:213163664]
COMMIT
# Completed on Fri Apr 28 16:39:24 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*nat
:PREROUTING ACCEPT [1:44]
:INPUT ACCEPT [1:44]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 28 16:39:24 2017
Are the rules that I've set right? Is there any way to use both of these protocols without the mentioned conflicts? Any hint is welcome.

Thank you.

yuanyin Newbie
 
Posts: 2
Joined: Mon Dec 04, 2017 9:10 am
Reputation: 40
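Editor's worked example (added here; not part of yuanyin's post and not taken from any reply). The PREROUTING DNAT rule in the post has no `-i` or `-d` restriction, so it matches every TCP packet to port 80 that enters the host on any interface, including the VPN clients' own web traffic that the OpenVPN container forwards to the host over the LXC bridge. Those connections get rewritten to 192.168.1.4:80 instead of reaching the real site, which fits the symptom that HTTP from VPN clients breaks while ping still works. The script below generates a complete iptables-restore ruleset that pins both DNAT rules to the external interface, replaces the FORWARD ACCEPT policy with explicit allow rules, and includes a small lint that flags any DNAT rule lacking an ingress restriction. eth0 and the container addresses come from the post; the bridge name lxcbr0 is an assumption and should be replaced with the real one (check with `ip link`). The `-m conntrack --ctstate NEW` match in the post is harmless but redundant, because the nat table is only consulted for the first packet of a connection anyway.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Generates an iptables-restore ruleset for two LXC containers behind one
# external interface and lints DNAT rules for missing ingress restrictions.

WAN_IF=${WAN_IF:-eth0}      # external interface, from the post
LXC_IF=${LXC_IF:-lxcbr0}    # ASSUMED bridge name; adjust to your setup
VPN_IP=192.168.1.2          # OpenVPN container, from the post
WEB_IP=192.168.1.4          # web server container, from the post

# Print a complete ruleset in iptables-save format.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -i $WAN_IF: only packets that really arrive from the internet are rewritten.
# Without it, VPN clients' port-80 traffic forwarded through the host
# (arriving on $LXC_IF) would also be sent to $WEB_IP.
-A PREROUTING -i $WAN_IF -p udp --dport 1194 -j DNAT --to-destination $VPN_IP:1194
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# Hide container (and VPN client) addresses behind the host when leaving $WAN_IF.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related packets of connections that are already tracked.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Containers (and the VPN clients behind $VPN_IP) may reach the internet.
-A FORWARD -i $LXC_IF -o $WAN_IF -j ACCEPT
# Only connections the nat table rewrote may be forwarded into the containers;
# everything else arriving on $WAN_IF for the container network is dropped.
-A FORWARD -i $WAN_IF -o $LXC_IF -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Lint: read a ruleset on stdin and report DNAT rules that carry neither an
# input interface (-i) nor a destination (-d) restriction.
# Prints each offending rule; exit status 1 if any were found, 0 otherwise.
lint_dnat() {
  awk '
    /-j DNAT/ && !/ -i / && !/ -d / { print "unrestricted DNAT: " $0; bad = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# Number of DNAT rules in the generated set (quick self-check).
count_dnat() {
  gen_rules | grep -c -- '-j DNAT'
}

# Load the generated ruleset atomically. Requires root; review the output of
# gen_rules first. Run as: apply_rules
apply_rules() {
  gen_rules | lint_dnat >/dev/null && gen_rules | iptables-restore
}
```

Before applying, run `gen_rules | lint_dnat` against your own `iptables-save` output as well: the lint is a cheap way to catch a DNAT rule that silently hijacks traffic from other interfaces, which is exactly the class of mistake in the post. If the OpenVPN container does not itself NAT its clients, the host also needs a route for the VPN subnet pointing at 192.168.1.2, which the rules above do not change.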
