This document describes how to set up a NAT routing LXC Container.
Next step (optional):
More information about LXC networking:
LXC Introduction: LXC Networking scenarios
This document is based on:
- Tux4u®/Penguin Suite: PS-wheezy
- PS-app: emu-lxc 1.0.4
## /etc/network/interfaces

# LXC eth0 bridge
auto br0=br0-bridge
iface br0-bridge inet static
    address 172.16.1.254
    netmask 255.255.255.0
    network 172.16.1.0
    broadcast 172.16.1.255
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
Create the Bridge device and bring it up:
# ifup br0=br0-bridge
This config file preconfigures a new LXC Container with a Virtual Ethernet device:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
# lxc-create -n Container_name -f /etc/lxc/veth-br0.conf -t debian
The “debian” template script creates a fully functional Debian system for the LXC Container.
By default the Debian Container configures its “eth0” interface using DHCP.
Comment this out since we are using a fixed IP-address on the LXC internal
network!
Edit “etc/network/interfaces” and comment out the “eth0” lines:
auto lo
iface lo inet loopback

## Comment out when using a fixed IP-address
# auto eth0
# iface eth0 inet dhcp
Define a fixed IP configuration in the Container's “config” file:
## /var/lib/lxc/Container_name/config
lxc.network.ipv4 = 172.16.1.1/24
lxc.network.ipv4.gateway = 172.16.1.254
Set up NAT Masquerading for LXC outgoing connections:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Verify NAT configuration:
# iptables -t nat -L -v
Enable IP forwarding:
# echo 1 >/proc/sys/net/ipv4/ip_forward
Optionally forward service ports to an LXC Container.
E.g. forward “192.168.1.101:80” to “172.16.1.1:80”:
# iptables -t nat -A PREROUTING -p tcp -d 192.168.1.101 --dport 80 -j DNAT --to-destination 172.16.1.1:80
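A check for the rules set up above, as an added example that is not part of the original document: the MASQUERADE rule has no source match, and with IP forwarding enabled the FORWARD chain decides what gets routed, so this function reads `iptables-save` output and flags an unscoped MASQUERADE, a FORWARD policy of ACCEPT, and a DNAT target other than the Container address. The function name `audit_lxc_nat` and both sample rule sets are constructed for illustration.

```shell
# Added example, not from the original page: audit iptables-save output.
# Usage: iptables-save | audit_lxc_nat <container_ip>
# Prints one finding per line; exit status is 1 if anything was flagged.
audit_lxc_nat() {
    awk -v ct="$1" '
        /^\*/ { table = substr($0, 2) }   # "*nat" or "*filter" opens a table
        table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" {
            print "FORWARD policy is ACCEPT: unmatched packets are routed"; bad = 1
        }
        table == "nat" && /-j MASQUERADE/ && $0 !~ / -s / {
            print "MASQUERADE has no source match: " $0; bad = 1
        }
        table == "nat" && /-j DNAT/ {
            for (i = 1; i < NF; i++) if ($i == "--to-destination") {
                split($(i + 1), dst, ":")   # "ip:port" -> dst[1] holds the ip
                if (dst[1] != ct) {
                    print "DNAT target " dst[1] " is not the container " ct; bad = 1
                }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample (abridged): unscoped NAT, DNAT target differs from container.
WEAK_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample (abridged): NAT scoped to the bridge subnet, FORWARD DROP.
SCOPED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.1.1:80
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.1.0/24 -i br0 -o eth0 -j ACCEPT
-A FORWARD -d 172.16.1.1/32 -i eth0 -o br0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'
printf '%s\n' "$WEAK_RULES" | audit_lxc_nat 172.16.1.1 || true   # prints 3 findings
```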
Start the Container in daemon mode (-d):
# lxc-start -n Container_name -d
E.g. verify the webservice on “192.168.1.101” by starting a “telnet” session on port “80”:
$ telnet 192.168.1.101 80
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
Now issue a “GET” command to retrieve the Home page:
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2014 15:32:31 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Wed, 30 Jul 2014 14:49:44 GMT
ETag: "10cd0f-cd-4ff6a44487af4"
Accept-Ranges: bytes
Content-Length: 205
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
</body></html>
Connection closed by foreign host.
Copyright © 2014 Integrated Services; Tux4u.nl
Author: Marjan Waldorp; lxc/lxc-natrouting 2014-09-01