Outsider container
So this container's a bit special - it represents a host which is not on the UW network. The motivation is to test software that applies different privilege settings to clients outside the local network, e.g. Postfix.
The idea is to route packets from the 'outsider' container to the LXC host (i.e. the VM), and the VM will then route them to the other containers. We could've also created an extra container to act as the router, but that seemed kind of wasteful.
Installation
Once you have created the container, add the following iptables rules on the VM:
iptables -t nat -A POSTROUTING -s 192.168.125.0/24 -d 192.168.122.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.125.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
I also strongly suggest installing iptables-persistent so that these rules persist on the next reboot:
apt install iptables-persistent
The idea here is that packets from the 'outsider' container should only be forwarded, not masqueraded, to the other containers (to preserve its IP address), unless it needs to communicate with the outside world (e.g. to download Debian packages), in which case we need to use NAT because the iptables rules which libvirt created on your real computer don't take that subnet into account (run iptables -t nat -L -v on your real computer to see what I mean). 192.168.122.1, which is your real computer, is a special case because your host does not have a routing table entry for that subnet, so it wouldn't be able to reply.
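To make the rule logic concrete, here is an added example (not code from the original page or repository): a small Python model of the nat POSTROUTING chain, with netfilter's first-match semantics, that shows which destinations get masqueraded and which keep the outsider's source address, and renders the two rules back into the iptables commands above. The subnets and 192.168.122.1 are taken from the page; the sample container addresses in the usage section are constructed.

```python
import ipaddress
from dataclasses import dataclass

OUTSIDER_NET = ipaddress.ip_network("192.168.125.0/24")   # the 'outsider' container's subnet
CONTAINER_NET = ipaddress.ip_network("192.168.122.0/24")  # libvirt's default network (other containers)
HOST_IP = ipaddress.ip_network("192.168.122.1/32")        # your real computer


@dataclass(frozen=True)
class NatRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    negate_dst: bool          # True models the "! -d" form
    target: str

    def matches(self, src, dst):
        dst_hit = dst in self.dst
        if self.negate_dst:
            dst_hit = not dst_hit
        return src in self.src and dst_hit

    def command(self):
        # Render a /32 as a bare address, the way the page writes it.
        dst = str(self.dst.network_address) if self.dst.prefixlen == 32 else str(self.dst)
        neg = "! " if self.negate_dst else ""
        return f"iptables -t nat -A POSTROUTING -s {self.src} {neg}-d {dst} -j {self.target}"


# The two rules the page appends, in order; POSTROUTING stops at the first matching rule.
RULES = [
    NatRule(OUTSIDER_NET, HOST_IP, False, "MASQUERADE"),
    NatRule(OUTSIDER_NET, CONTAINER_NET, True, "MASQUERADE"),
]


def postrouting_target(src, dst, rules=RULES):
    """Return the target of the first matching rule, or None when the packet
    leaves with its source address untouched (plain forwarding)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.target
    return None


if __name__ == "__main__":
    # Constructed sample addresses: an outsider, another container, the host, the Internet.
    for dst in ("192.168.122.50", "192.168.122.1", "203.0.113.5"):
        print(dst, "->", postrouting_target("192.168.125.10", dst) or "forwarded as-is")
    for rule in RULES:
        print(rule.command())
```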
As usual, create the container, start it, and install python3. Now detach and run the playbook:
ansible-playbook main.yml