I am trying to set up a reverse proxy on my Ubuntu 14.04 host so that I can run multiple websites, each in their own LXC container (one day Docker, but one step at a time). In this example the sites/hostnames are:
ubuntu1.mydomain.com
ubuntu2.mydomain.com
The containers were created with the names ubuntu1 and ubuntu2.
When I try to set up iptables to forward to these hostnames with the following command:
sudo iptables -t nat -A PREROUTING -d ubuntu1.mydomain.com -j DNAT --to-destination 10.0.3.xxx
(10.0.3.xxx is the IP address of the container on the LXC bridge 10.0.3.1) I get the following error:
iptables v1.4.21: host/network `ubuntu1.mydomain.com' not found
Is there a way to work around this?
Your approach is flawed. You do not want to use the domain names when configuring iptables. Your firewall has no notion of which domain a client has resolved to reach your host system. All it sees are the IP address and port number.
If you want to make the containers reachable via a public IP, you need to choose a distinct IP that is available on the external interface and just
There is literally no way to do this without a designated IP for your container.
If you cannot add such addresses, you can use workarounds of mapping specific ports to other ports in the container, e.g.
to make the container's SSH service available via port 10022.
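The port-mapping workaround described in this answer, written out as an added example (it is not part of the original answer): a small POSIX shell script that builds the two iptables rules needed to expose one container port on one host port, mapping host port 10022 to SSH inside the container. It prints the rules first so they can be reviewed before being applied. The external interface name (eth0) and the container address (10.0.3.10) are assumed, constructed values; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the iptables rules that
# map a host port to a port inside an LXC container (the "SSH on 10022" case).
# eth0 and 10.0.3.10 below are constructed example values.

# port_map_rules <ext_iface> <host_port> <container_ip> <container_port>
# Prints the rules instead of applying them, so they can be reviewed first.
port_map_rules() {
    ext_if=$1; host_port=$2; c_ip=$3; c_port=$4
    # DNAT: packets arriving on the external interface for host_port are
    # rewritten to the container's address and port. Restricting the rule to
    # one interface and one protocol/port keeps the mapping narrow.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$host_port" "$c_ip" "$c_port"
    # FORWARD: only the rewritten flow is allowed through to the container,
    # so the DNAT rule does not implicitly expose anything else in it.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$ext_if" "$c_ip" "$c_port"
}

# port_map_apply: same arguments, but runs the rules. Needs root and
# net.ipv4.ip_forward=1 (lxc-net normally enables forwarding already).
port_map_apply() {
    port_map_rules "$@" | sh
}

# Dry run: show the rules for host port 10022 -> container 10.0.3.10 port 22.
port_map_rules eth0 10022 10.0.3.10 22
```

Rules added this way live only until the next reboot; on Ubuntu 14.04 they are usually persisted with iptables-save into a file restored at boot (for example via the iptables-persistent package), so check that whatever restores your rules also restores these two.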
I am not convinced by the statement that iptables is sound for this purpose.
As mentioned by Felix, iptables is a firewall. It's not an IP routing component.
There are several ways to set up virtual networks on Linux.
The easiest way is by configuring virtual IPs, e.g.
(which is non-persistent and will be gone after reboot) or dnsmasq.
As this is exactly what you are doing (setting up a virtual network for your Linux containers), you should stick to the corresponding documentation. Reverse proxying is again a totally different topic, as it can be done easily with correct DNS entries in your DNS zone file and Apache HTTP Server, which can map different domain names to different IPs or ports, e.g.
but the proxying is only needed because you want to use Linux containers, of course.
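The Apache side of this answer, as an added example (not code from the original answer): a POSIX shell script that generates one name-based Apache 2.4 VirtualHost per hostname and reverse-proxies it to the matching container, which is what mod_proxy does with the host header that iptables cannot see. The hostnames come from the question; the container addresses (10.0.3.10, 10.0.3.11) and the temporary output directory are constructed assumptions. The DNS records for both names must point at the host's public address for this to be reached at all.

```shell
#!/bin/sh
# Added example, not from the original answer. Generates an Apache 2.4
# name-based VirtualHost that reverse-proxies one hostname to one LXC container.
# Container IPs used below are constructed example values.

# vhost_config <server_name> <container_ip> <container_port>
# Prints the VirtualHost block to stdout.
vhost_config() {
    name=$1; c_ip=$2; c_port=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    # A reverse proxy must never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header on so the container sees $name.
    ProxyPreserveHost On
    ProxyPass        / http://$c_ip:$c_port/
    ProxyPassReverse / http://$c_ip:$c_port/
    ErrorLog \${APACHE_LOG_DIR}/$name-error.log
    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined
</VirtualHost>
EOF
}

# write_vhost <sites_available_dir> <server_name> <container_ip> <container_port>
# Writes <server_name>.conf into the directory and prints the file path.
# On a real host the directory is /etc/apache2/sites-available and the site is
# enabled with: a2enmod proxy proxy_http && a2ensite <name>.conf && service apache2 reload
write_vhost() {
    dir=$1; shift
    file="$dir/$1.conf"
    vhost_config "$@" > "$file"
    printf '%s\n' "$file"
}

# Dry run into a temporary directory so nothing on the host is touched.
tmp=$(mktemp -d)
write_vhost "$tmp" ubuntu1.mydomain.com 10.0.3.10 80
write_vhost "$tmp" ubuntu2.mydomain.com 10.0.3.11 80
```

Because every site arrives on the host's port 80 and is dispatched by ServerName, the containers need no public IP and no DNAT rule; only the proxy's port 80 (and 443, once TLS is configured on the host) is exposed, and the container addresses stay on the 10.0.3.0/24 bridge.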
For HTTP and HTTPS this will work to get a container reachable from the internet:
This may not be a suitable solution for a lot of web servers/containers, though.