====== LXC NAT Routing configuration ======

This document describes how to set up a NAT routing LXC Container.

Next step (optional):
  * [[linux:applicaties:lxc:lxc-shorewallnat| LXC NAT Routing Shorewall configuration]]

More information about LXC networking:\\
[[linux:applicaties:lxc:lxc-introduction#lxc_networking_scenarios|LXC Introduction: LXC Networking scenarios]]

This document is based on:\\
- Tux4u(r)/Penguin Suite: PS-wheezy\\
- PS-app: emu-lxc 1.0.4

===== 1. Overview =====

{{ linux:applicaties:lxc-nat-450x601.png }}

More info:\\
[[linux:applicaties:lxc:lxc-introduction#lxc_networking_scenarios|LXC Introduction: LXC Networking scenarios]]

===== 2. Host network configuration =====

==== 2.1 /etc/network/interfaces ====

  - Configure a virtual bridge device
  - Configure the LXC-network gateway IP-address on this bridge device
  - Create the Bridge and bring it up

  ## /etc/network/interfaces
  
  # LXC eth0 bridge
  auto br0=br0-bridge
  iface br0-bridge inet static
      address 172.16.1.254
      netmask 255.255.255.0
      network 172.16.1.0
      broadcast 172.16.1.255
      bridge_ports none
      bridge_fd 0
      bridge_maxwait 0

  * Directive "bridge_ports none" configures a bridging device without ports. (May not be omitted!)

Create the Bridge device and bring it up:

  # ifup br0=br0-bridge

===== 3. LXC Container configuration =====

==== 3.1 Create new Container ====

=== 3.1.1 /etc/lxc/veth-br0.conf ===

This config file preconfigures a new LXC Container with a Virtual Ethernet device:

  lxc.network.type = veth
  lxc.network.flags = up
  lxc.network.link = br0

  * The default LXC config file preconfigures a new Container with the loopback interface only.

=== 3.1.2 Create Container ===

  # lxc-create -n Container_name -f /etc/lxc/veth-br0.conf -t debian

  * Option "-t debian" creates the container using the Debian Stable template script

==== 3.2 Customize the Container's network configuration ====

The "debian" template script creates a fully functional Debian system for the LXC Container.

=== 3.2.1 LXC Container: Fixed IP-address ===

By default the Debian Container configures its "eth0" interface using DHCP.\\
Comment this out since we are using a __fixed IP-address on the LXC internal network__!

  - Go to "/var/lib/lxc/Container_name/rootfs/"
  - Edit "etc/network/interfaces" and comment out the "eth0" lines.
  - Go to "/var/lib/lxc/Container_name/"
  - Edit the LXC Container "config" file and define a fixed IP-address

== Detailed instructions ==

Edit "etc/network/interfaces" and comment out the "eth0" lines:

  auto lo
  iface lo inet loopback
  
  ## Comment out when using a fixed IP-address
  # auto eth0
  # iface eth0 inet dhcp

Define a fixed IP configuration in the Container's "config" file:

  ## /var/lib/lxc/Container_name/config
  
  lxc.network.ipv4 = 172.16.1.1/24
  lxc.network.ipv4.gateway = 172.16.1.254

===== 4. NAT and kernel routing configuration =====

  * Please note: Commands in this section set up a __live__ LXC NAT routing network.
  * To make this permanent:
    * Either put the commands in this section in a script;
    * Or use firewalling software e.g. Shorewall: [[linux:applicaties:lxc:lxc-shorewallnat| LXC NAT Routing Shorewall configuration]]

==== 4.1 NAT Masquerading ====

Set up NAT Masquerading for LXC outgoing connections:

  # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Verify NAT configuration:

  # iptables -t nat -L -v

==== 4.2 Enable Linux kernel forwarding ====

  # echo 1 >/proc/sys/net/ipv4/ip_forward

==== 4.3 DNAT Port forwarding ====

Optionally forward service ports to an LXC Container. E.g. forward "192.168.1.101:80" to "172.16.1.1:80":

  # iptables -t nat -A PREROUTING -p tcp -d 192.168.1.101 --dport 80 -j DNAT --to-destination 172.16.1.1:80

===== 5. Start LXC Container =====

Start the Container in daemon mode (-d): ((Omitting option "-d" will connect your terminal to the console of the running Container.))

  # lxc-start -n Container_name -d

===== 6. Verify LXC services =====

E.g. verify the webservice on "192.168.1.101" by starting a "telnet" session on port "80":

  $ telnet 192.168.1.101 80
  Trying 192.168.1.101...
  Connected to 192.168.1.101.
  Escape character is '^]'.

Now issue a "GET" command to retrieve the Home page:

  GET / HTTP/1.0
  
  HTTP/1.1 200 OK
  Date: Mon, 18 Aug 2014 15:32:31 GMT
  Server: Apache/2.2.22 (Debian)
  Last-Modified: Wed, 30 Jul 2014 14:49:44 GMT
  ETag: "10cd0f-cd-4ff6a44487af4"
  Accept-Ranges: bytes
  Content-Length: 205
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html
  
  It works!
  
  Connection closed by foreign host.
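
Section 4 suggests putting its commands in a script to make the NAT setup permanent; the script below is an added example of such a script, not part of the original document. It uses "iptables -C" so that re-running it does not append duplicate rules, and it restricts the MASQUERADE rule to the LXC network with "-s" (a tightening not in the original command). The variable names and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-runnable form of the section 4 commands.
# Addresses are the ones used on this page; variable names are assumptions.
WAN_IF="${WAN_IF:-eth0}"            # host interface facing the outside network
LXC_NET="${LXC_NET:-172.16.1.0/24}" # LXC internal network behind br0
HOST_IP="${HOST_IP:-192.168.1.101}" # host address that receives port 80
CT_IP="${CT_IP:-172.16.1.1}"        # fixed Container address from section 3.2.1
IPT="${IPT:-iptables}"

# Append a rule only if an identical one is not already loaded.
# "iptables -C" checks for the rule, so running the script twice does
# not stack duplicates the way a plain "-A" would.
ensure_rule() {
    table="$1"; shift
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" -t "$table" -C "$@" 2>/dev/null || "$IPT" -t "$table" -A "$@"
    else
        echo "$IPT -t $table -A $*"   # dry run: show the command only
    fi
}

lxc_nat_setup() {
    # 4.1: masquerade only packets that originate from the LXC network
    ensure_rule nat POSTROUTING -s "$LXC_NET" -o "$WAN_IF" -j MASQUERADE
    # 4.3: forward port 80 on the host address to the Container
    ensure_rule nat PREROUTING -p tcp -d "$HOST_IP" --dport 80 \
        -j DNAT --to-destination "$CT_IP:80"
    # 4.2: enable kernel forwarding last, once the NAT rules are in place
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

lxc_nat_setup
```

Run as root with APPLY=1 to apply the rules; without it the script only prints the commands it would run.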

====== . ======

Copyright (c) 2014 Integrated Services; Tux4u.nl\\
Author: Marjan Waldorp; lxc/lxc-natrouting 2014-09-01