I am researching LXC containers. When I use a veth network, libvirtd
creates some iptables rules:
[root@VM ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 61 packets, 6229 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 10.0.0.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 10.0.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 34 packets, 4693 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
and NAT:
[root@VM ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 812 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 5 packets, 812 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 10.0.0.0/24 224.0.0.0/24
0 0 RETURN all -- * * 10.0.0.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 10.0.0.0/24 !10.0.0.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 10.0.0.0/24 !10.0.0.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
I know I can forward a port in the following way:
iptables -t nat -A PREROUTING -p tcp -i enp0s3 --dport 81 -j DNAT --to-destination 10.0.0.10:22
iptables -I FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT
The important thing is that I need to insert the second rule at the top of the chain.
I am wondering how to do this port forwarding in a "standard" way. I tried using a hook, but the hook was never called.
I tried the hook as:
- /etc/libvirt/hooks/qemu
- /etc/libvirt/hooks/lxc
- /etc/libvirt/hook/qemu
- /etc/libvirt/hook/lxc
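Added example, not from the original post: a minimal libvirt hook script that installs the two rules from the question when the guest starts and removes them when it stops. It assumes a hypothetical guest named web1 and the addresses used above; libvirt only scans for hook scripts when the daemon starts, so the file must be executable and libvirtd restarted after it is created.

```shell
#!/bin/sh
# Hypothetical libvirt hook, installed as /etc/libvirt/hooks/lxc (chmod +x, then
# restart libvirtd). libvirt invokes it as: lxc <guest> <operation> <sub-op> <extra>
# Constructed values: guest "web1", host NIC enp0s3, host port 81 -> 10.0.0.10:22.
GUEST="web1"
HOST_IF="enp0s3"
HOST_PORT="81"
GUEST_IP="10.0.0.10"
GUEST_PORT="22"
IPT="${IPT:-iptables}"   # set IPT="echo iptables" to dry-run without root

# Emit the iptables argument lines for one action ("add" or "del"), one per line.
# Kept separate from execution so the rule set can be reviewed before it is applied.
rules() {
    case "$1" in
        add) nat="-A"; fwd="-I" ;;   # -I puts the FORWARD rule ahead of libvirt's REJECTs
        del) nat="-D"; fwd="-D" ;;
        *)   return 1 ;;
    esac
    # DNAT: external host port -> container service (same rule as in the question)
    printf '%s\n' "-t nat $nat PREROUTING -p tcp -i $HOST_IF --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    # FORWARD: must precede the REJECT rules libvirt installs for virbr0
    printf '%s\n' "$fwd FORWARD -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT"
}

# Run every line produced by rules() through $IPT.
apply() {
    rules "$1" | while IFS= read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $IPT $args
    done
}

# libvirt operations: "started" fires once the guest is running, "stopped" once it is
# down, "reconnect" when libvirtd restarts while the guest keeps running (libvirt
# re-creates its own network rules then, so ours are removed and re-inserted on top).
case "$1:$2" in
    "$GUEST:started")   apply add ;;
    "$GUEST:stopped")   apply del ;;
    "$GUEST:reconnect") apply del 2>/dev/null; apply add ;;
esac
```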