Iptables port forwarding only for a certain range of IP

Tags: filtering, iptables, lxc, port-forwarding

I'm using LXC containers. Each one of my containers has an IP address in 10.0.3.0/24. I want the packets that come into my host on a certain port to be redirected to a container, so I use this rule:

iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000

This allows: (outside packet) –> HOST:3000 –> CONTAINER:3000

It works great. However, when I'm inside a container (not the one used in the previous rule) and I want to access another host (say HOST2) on port 3000, my packet is redirected to my container. It does:

(inside container packet) –> HOST2:3000 –> HOST:3000 –> CONTAINER:3000

instead of

(inside container packet) –> HOST2:3000 –> HOST:3000 –> HOST2:3000

I tried to change my rule above to

iptables -t nat -A PREROUTING -s 10.0.3.0/24 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.4:3000

in order to say: if a packet comes from a container, don't apply the rule; however, this doesn't work. Any help would be great.
Regards

Here are my iptables rules:

Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.5:3000
    3   180 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3001 to:10.0.3.6:3001

Chain INPUT (policy ACCEPT 126 packets, 28400 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 25 packets, 1900 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 29 packets, 2140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1525 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24

By "doesn't work" I mean that when I curl port 3000 on any host from within a container, I'm redirected to my container:3000.

Best Answer

The -s flag selects only the traffic that matches the specified host or network. If you want to match all traffic except that, use

! -s 10.0.3.0/24

and don't forget to escape that ! from the shell with either quotes or a backslash.
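As an added example (not part of the question or the answer above), here is a small POSIX shell script that builds the corrected PREROUTING rule with the negated source match the answer describes, adds the MASQUERADE rule the question already has in POSTROUTING, and checks a PREROUTING listing for the negation. The container network 10.0.3.0/24, port 3000 and container address 10.0.3.4 are taken from the question; the two listings embedded in the script are constructed from the question's own output (one with the original rule, one with the corrected one); the function names and the DRY_RUN / IPTABLES variables are this script's own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them,
# so the script can be read and tested anywhere; run with DRY_RUN=0 as root on
# the LXC host to apply.

CONTAINER_NET="10.0.3.0/24"
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-iptables}"

# Argument list for one port forward that skips packets whose source is the
# container network. "!" is its own word; when typing this interactively,
# quote it ("!" or \!) because bash history expansion would otherwise eat it.
build_dnat_rule() {
    port="$1"
    dest="$2"
    printf '%s' "-t nat -A PREROUTING ! -s $CONTAINER_NET -p tcp --dport $port -j DNAT --to-destination $dest:$port"
}

# Masquerade container traffic leaving for anything outside the container net
# (the same rule the question shows in its POSTROUTING chain).
build_masq_rule() {
    printf '%s' "-t nat -A POSTROUTING -s $CONTAINER_NET ! -d $CONTAINER_NET -j MASQUERADE"
}

# Run one iptables invocation, or just print it in dry-run mode.
run_iptables() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$1"
    else
        # word splitting of $1 is intended: it holds the whole argument list
        "$IPTABLES" $1
    fi
}

# Check the output of "iptables -t nat -L PREROUTING -n -v" for a port:
# returns 0 only if at least one DNAT rule forwards that port and every such
# rule shows the negated source "!10.0.3.0/24"; returns 1 if there is no rule
# or if any rule still lists 10.0.3.0/24 (the question's rule, which selects
# container traffic) or 0.0.0.0/0 (which matches it too).
prerouting_excludes_containers() {
    port="$1"
    listing="$2"
    rules=$(printf '%s\n' "$listing" | grep 'DNAT' | grep "dpt:$port " || true)
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" | grep -qv "!$CONTAINER_NET" && return 1
    return 0
}

# Constructed listings modelled on the question's iptables output: first with
# the question's rule, then with the corrected one.
BROKEN_LISTING='Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  *      *       10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.4:3000'
FIXED_LISTING='Chain PREROUTING (policy ACCEPT 154 packets, 29925 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  *      *      !10.0.3.0/24          0.0.0.0/0            tcp dpt:3000 to:10.0.3.4:3000'

# Apply (or print) the two rules.
run_iptables "$(build_dnat_rule 3000 10.0.3.4)"
run_iptables "$(build_masq_rule)"

# Verify. On a real host replace the constructed listing with:
#   prerouting_excludes_containers 3000 "$(iptables -t nat -L PREROUTING -n -v)"
if prerouting_excludes_containers 3000 "$FIXED_LISTING"; then
    echo "fixed listing: port 3000 forward no longer catches container sources"
fi
if ! prerouting_excludes_containers 3000 "$BROKEN_LISTING"; then
    echo "broken listing: port 3000 forward still matches container sources"
fi
```

After applying on the host, the source column of `iptables -t nat -L PREROUTING -n -v` must read `!10.0.3.0/24`; a plain `10.0.3.0/24` there is the original rule, which selects container traffic instead of excluding it. One caveat: matching on source address trusts whatever address a container puts in its packets. If the host has a dedicated external interface, matching on it with `-i` in the same PREROUTING rule is the stricter way to say "only traffic arriving from outside".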