[SOLVED] DNAT Inside a LXC Container not working

Tonio- · 07-06-2017, 08:40 PM

Hello,

I have a LXC container (managed by Proxmox VE) that have a dedicated IP (IP Failover at OVH.net).
I want to set a DNAT rule to transfer the traffic from one port to another container. (in order to create a SSH connection in the other container that doesn't have a public IP)

Code:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 2102 -j DNAT --to-destination 192.168.1.10:22 # My other Container IP


-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 1.1.1.1 # My public IP
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

But this is not working (I have an infinite delay when I try to connect through SSH.
The weird part is that if I set the same rule in the physical server, it's working.

Does anyone have an idea of what can I change to solve this issue ?

Thanks!
Tonio-

lazydog · 07-07-2017, 01:34 PM

First your 2 rules for POSTROUTING are going to be as problem. Only the first one is ever going to match making the second one useless. If I'm thinking right about what you are trying to do you are going to have to change your rules a bit. I'm assuming that you want traffic to 192.168.1.10 to be natted to your private ip address of 192.168.10.x that you have set on that interface. Give this a try:

Code:

-A POSTROUTING -d 192.168.1.10 -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 1.1.1.1

If the packet leaving eth0 is destine for 192.168.1.10 the packet will be MASQed.
Else SNAT all traffic leaving eth0 to the public IP.

IPTABLES matches top down and executes the first exact match. If all traffic leaving the interface is going to have a source of 192.168.1.x then you really do not need to use the '-s 192.168.1.0/24'

Tonio- · 07-07-2017, 07:14 PM

Oh interesting, I'm improving my understanding of iptables so.

Thank you very much!

Tonio-

lazydog · 07-10-2017, 11:58 AM

You are welcome.