On 08/13/2013 10:33:05 AM, Dan Kegel wrote:
> On Tue, Aug 13, 2013 at 7:11 AM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> > For a container, with ip 10.0.3.100, running a mail server on port 25,
> > the only rule I add is:
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.3.100:25
>
> That works, thanks. But it only works as observed from other boxes on the LAN. What would I have to do to also be able to connect to the lxc guest service from the lxc host?
Here: http://dvpn.sourceforge.net/old/firewall-rules.txt

That's the firewall ruleset I did a decade ago for setting up a cheesy VPN that forwarded all connections for an address range to a daemon running on loopback that would look up the original destination (getsockopt(SO_ORIGINAL_DEST)), figure out which server handled that subset of the address range (comments in /etc/hosts acted as a VPN config file), ssh there, and run netcat to complete the connection.

I had to use source NAT _and_ destination NAT, for both local connections and remote connections, in order to make that work.

I still find it a handy cheat sheet for beating iptables into submission...

Rob

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
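The host-side piece Dan asks about, combined with the source-NAT-plus-destination-NAT approach Rob describes, as an added example that is not part of the thread or of LXC itself. Serge's PREROUTING rule only matches packets that arrive on eth0; a connection opened on the host never passes PREROUTING, so the same DNAT has to be repeated in the nat OUTPUT chain, and a MASQUERADE towards the container keeps replies flowing back through the host's conntrack entry. The function and its names are made up for this example, and 192.0.2.10 is a placeholder for the host's own eth0 address; the script only prints the rules, so review them and pipe the output to sh as root when they look right.

```shell
#!/bin/sh
# Added example (not from the thread): print the nat rules needed so a
# port on the host's external address reaches a container both from the
# LAN and from the host itself.  Apply as root, e.g.:
#   forward_port eth0 192.0.2.10 10.0.3.100 25 | sh
# Assumed: the container sits behind lxcbr0 with the host as its default
# gateway, and net.ipv4.ip_forward is already 1 (lxc's bridge setup does this).

forward_port() {
    ext_if=$1; host_ip=$2; ct_ip=$3; port=$4

    # 1. Traffic arriving from the LAN on the external interface (Serge's rule).
    printf 'iptables -t nat -A PREROUTING -p tcp -i %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$port" "$ct_ip" "$port"

    # 2. Locally generated traffic never traverses PREROUTING; it goes through
    #    the nat OUTPUT chain, so the same DNAT is needed there, keyed on the
    #    host's own address so that only "connect to myself:25" is redirected.
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$host_ip" "$port" "$ct_ip" "$port"

    # 3. Source NAT towards the container (Rob's "SNAT _and_ DNAT"): the
    #    container then answers the host's bridge address, so the reply is
    #    un-NATed by the same conntrack entry instead of going astray.
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$ct_ip" "$port"
}

# Number of rules emitted, handy as a sanity check before applying them.
rule_count() {
    forward_port "$@" | wc -l | tr -d ' '
}
```

Check the result with `iptables -t nat -L -n -v`: after a connection from the host, the OUTPUT DNAT counter should increment while the PREROUTING counter stays flat, which is exactly the asymmetry that made Serge's single rule work from the LAN but not from the host.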