
I am trying to set up a reverse proxy on my Ubuntu 14.04 host so that I can run multiple websites, each in their own LXC container (one day Docker, but one step at a time). In this example the sites/hostnames are:

ubuntu1.mydomain.com
ubuntu2.mydomain.com

The containers were created with the names ubuntu1 and ubuntu2.

When I try to set up iptables to forward to these hostnames with the following command:

sudo iptables -t nat -A PREROUTING -d ubuntu1.mydomain.com -j DNAT --to-destination 10.0.3.xxx

(10.0.3.xxx is the IP address of the container on the LXC bridge 10.0.3.1) I get the following error:

iptables v1.4.21: host/network `ubuntu1.mydomain.com' not found

Is there a way to workaround this?

Programster

3 Answers


Your approach is flawed. You do not want to use the domain names when configuring iptables.

Your firewall has no notion of which domain a client has resolved to reach your host system. All it sees are the IP address and port number.

If you want to make the containers reachable via a public IP, you need to choose a distinct IP that is available on the external interface and just

iptables -t nat -A PREROUTING -d <public-ip-for-ubuntu1> -j DNAT --to-destination 10.0.3.xxx

There is literally no way to do this without a designated IP for your container.

If you cannot add such addresses, you can use workarounds of mapping specific ports to other ports in the container, e.g.

iptables -t nat -A PREROUTING -p tcp --dport 10022 -j DNAT --to-destination 10.0.3.xxx:22

to make the container's SSH service available via port 10022.

Felix Frank
  • ok so it looks like I need to figure out how to assign IPs to LXC containers from the same subnet as the host. – Programster Jun 19 '14 at 12:46
  • Not necessarily - your `iptables` idea is sound, but there must be a designated IP from the host subnet bound to the appropriate interface of the host. The firewall can then `NAT` the packages that are bound for that address to the private address of the container. But yes, it may be simpler to bind that address to the container directly. – Felix Frank Jun 19 '14 at 12:49
  • so it is impossible to set up a reverse proxy for various services that use the same port? – Programster Jun 19 '14 at 13:25
  • Seems so: http://superuser.com/questions/484623/reverse-proxy-for-tcp-rdp-vpn-etc-and-http – Programster Jun 19 '14 at 13:27
  • Ah, so that's what you mean by "reverse proxy". Yes, that answer you linked is spot on. – Felix Frank Jun 19 '14 at 13:31

I am not into the statement that iptables is sound for this purpose. As mentioned by Felix, iptables is a firewall. It's not an IP-routing component. There are several ways to set up virtual networks on Linux. The easiest way is via configuring virtual IPs, e.g.

ifconfig eth0:1 192.168.0.10 up

(notice the eth0:1, which sets up a virtual device for eth0; this is non-persistent and will be gone after reboot) or dnsmasq. As this is exactly what you are doing (setting up a virtual network for your Linux containers), you should stick to the corresponding documentation. Reverse proxying again is a totally different topic, as this can be done easily with correct DNS entries in your DNS zone file and Apache HTTP Server, which can map different domain names to different IPs or ports, e.g.

<VirtualHost *:80>
  ServerAdmin webmaster@development.styles-and-artists.com
  # this is the mapping configuring your server to be the one
  # (Apache does not allow trailing comments on a directive line, so it sits on its own line)
  ServerName ubuntu1.mydomain.com

  ProxyPreserveHost       On
  ProxyRequests           Off

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  # Forward everything under / to the container; ProxyPassReverse takes the
  # same "path URL" argument order and rewrites Location headers on the way back
  ProxyPass        / http://10.0.3.10:9006/
  ProxyPassReverse / http://10.0.3.10:9006/
</VirtualHost>

but the proxying is only needed as you want to use Linux containers, of course.

Peter

For HTTP and HTTPS this will work to get a container reachable from the internet:

sudo iptables -t nat -I PREROUTING -p tcp -d <host-ip> --dport 443 -j DNAT --to <lxc-ip>:443
sudo iptables -t nat -I PREROUTING -p tcp -d <host-ip> --dport 80 -j DNAT --to <lxc-ip>:80
sudo iptables -A FORWARD -p tcp -d <lxc-ip> --dport 443 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d <lxc-ip> --dport 80 -j ACCEPT

This may not be a suitable solution for a lot of web servers/containers, though.

code_dredd
bmullan