Hi, thanks for all the answers. This reply is also to Andrey Repin's answer: "How about adding two NICs to the container: one for private networking (via lxdbridge) and one for public networking (via macvlan)?".

I am not familiar with IPv6, but at least I found a way to resolve the question, following Andrey Repin's hint, by creating another NIC in the container. But not macvlan: the other one is the "host-shared bridge" described in my first post. So, with the other NIC in the container linked to the host-shared bridge on the host, this NIC in the container, with an IPv6 address attached, can be publicly accessible. Macvlan didn't work for me. And just setting up an IPv6 address in the container without modifying anything else didn't work for me yet. The only way the container's IPv6 communicates with the public internet is by creating a bridge on the host: the container can link to the bridge, and the bridge can reach the public internet. And if the bridge is host-shared, then the container can access the public internet without further setup. If the bridge is the "independent bridge" described in my first post, then I must use IPv6 forwarding to let the bridge communicate with the main NIC on the host. This is my "NAT ipv6". I don't know if there is a "NAT" concept in IPv6, but it works this way, just like IPv4 NAT.

I describe my "NAT ipv6" in more detail. For example:

Main NIC in host: 8:8:8:8::1/64
"independent bridge" br0 in host: 8:8:8:8:1:1:1:10/112
NIC in container: 8:8:8:8:1:1:1:20/112

Set "net.ipv6.conf.all.forwarding=1" in /etc/sysctl.conf on the host, then use ip6tables to forward packets:

ip6tables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 8:8:8:8:1:1:1:20
ip6tables -t nat -A POSTROUTING -s 8:8:8:8:1:1:1:0/112 ! -d 8:8:8:8:1:1:1:0/112 -j MASQUERADE

In any case, the question is resolved; if there are no further needs, I won't spend time on the details of IPv6 or anything else. If anyone is interested in this question, you can try it yourself; my test platform is Vultr.com. Thanks again.

On 2 June 2017 at 22:46, Andrey Repin <[email protected]> wrote:
> Greetings, littlebat!
>
> > I have studied my question for several days and searched many online resources,
> > but didn't resolve this. The details are too long, so I describe a brief version below:
> >
> > I have a Debian 9 host server with the lxc2 server installed. The host server has
> > only one public IPv4 address, suppose it is 8.8.8.8, and a public /64 subnet
> > IPv6 pool, suppose it is 8:8:8:8::/64, and the eth0 of the host has the IPv6 address 8:8:8:8::1/64.
> >
> > My goal is building the lxc unprivileged container with a private NAT IPv4
> > address, suppose it is 10.1.0.10, so I use IP forwarding to access the container
> > from the internet using the public IPv4 plus a port (suppose 8.8.8.8:2222 forwards
> > to/from 10.1.0.10:22). And, at the same time, I want to assign the container a public
> > IPv6 address or IPv6 subnet (/112, can it be publicly accessed?), so I can
> > access the container from the internet using the public IPv6 (suppose 8:8:8:8::10/64 port
> > 22 or 8:8:8:8::10/112 port 22?). To simplify the question, suppose I only
> > assign a public IPv6 address (not a public IPv6 subnet) to the container.
> >
> > Until today, I can only set up both a private NAT IPv4 (10.1.0.10) and a private
> > NAT IPv6 (8:8:8:8::10/112)
>
> There's no such thing as NAT in IPv6.
>
> > for the container, enable IPv4 and IPv6 forwarding in /etc/sysctl.conf, and use
> > iptables and ip6tables to forward public traffic to or from the
> > container (8.8.8.8:2222 <-> 10.1.0.10:22, 8:8:8:8::1/64 port 2222 <->
> > 8:8:8::10/112 port 22). This is done by creating a "2. independent
> > bridge" (a different bridge out of thin air; link your containers together
> > on this bridge, but use forwarding to get it out on the internet or to get
> > traffic into it. debian wiki: https://wiki.debian.org/LXC/SimpleBridge).
> > reference: LXC host featuring IPv6 connectivity
> > https://blog.cepharum.de/en/post/lxc-host-featuring-ipv6-connectivity.html
> >
> > And, I can create a "1. host-shared bridge" (a bridge out of your main
> > network interface which will hold both the host's IP and the container's IP
> > addresses. debian wiki: https://wiki.debian.org/LXC/SimpleBridge). Then, I
> > can assign a public IPv6 address to the container. But I can't assign a
> > private NAT IPv4 address to the container now. So there is no way to publicly
> > access the container using an IPv4 address (because the sole public IPv4 address
> > is only available on the host network card).
> >
> > My question is:
> > 1. Can I set up a private NAT IPv4 and a public IPv6 address at the same time
> > for a lxc2 container?
>
> Yes.
>
> > 2. How to do it?
>
> Just route IPv6 addresses to the container.
> I.e. dedicate an IPv6 subnet to the containers on your bridge and just assign
> IPv6 addresses in any way you could.
>
> > Any idea or online resource link is welcome.
>
> What you must understand is that IPv6 and IPv4 are two separate IP stacks.
> Setup of one does not interfere with the other, nor in any way depend on it,
> unless YOU make it so.
>
>
> --
> With best regards,
> Andrey Repin
> Friday, June 2, 2017 17:42:08
>
> Sorry for my terrible english...
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
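The two IPv6 options in the thread side by side, as an added example that is not code from either poster or from LXC. It checks the address plan the thread uses (the /112 on br0 must be carved out of the provider's /64, the container address must sit inside the /112, the host's own /64 address must stay outside it) and then returns the host-side commands for the IPv4 port forward, for littlebat's NAT66 variant, and for the routed variant Andrey Repin describes. Addresses are the thread's placeholders; the interface names eth0 and br0, a single independent bridge carrying both the private IPv4 range 10.1.0.0/24 and the IPv6 /112, and the port numbers are assumptions. Two points differ from the commands posted above on purpose: the DNAT rules are bound to eth0 because that is the interface on which packets from the internet arrive, and the routed variant adds the NDP proxy entry a split-off slice of an on-link /64 needs before the provider's router will deliver packets for it.

```python
"""Added example (not the thread's or LXC's own code): sanity-check the address
plan for a container with a NAT'd private IPv4 address plus a public IPv6
address, and emit the host-side commands for the two IPv6 options the thread
discusses.  Addresses are the thread's placeholders; eth0, br0 and the private
range 10.1.0.0/24 are assumptions.  Command strings are returned, not run."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    host_nic: str                         # NIC holding the public addresses
    bridge: str                           # "independent bridge" for containers
    host_v4: ipaddress.IPv4Address        # the host's only public IPv4 address
    lan_v4: ipaddress.IPv4Network         # private IPv4 range behind the bridge
    ct_v4: ipaddress.IPv4Address          # container's private IPv4 address
    host_v6_net: ipaddress.IPv6Network    # the provider's /64 on host_nic
    host_v6: ipaddress.IPv6Address        # host's address in that /64
    bridge_v6_net: ipaddress.IPv6Network  # the /112 carved out for containers
    bridge_v6: ipaddress.IPv6Address      # host's address on the bridge
    ct_v6: ipaddress.IPv6Address          # container's address in the /112
    public_port: int                      # port exposed on the host
    ct_port: int                          # port the container listens on


def example_plan(**overrides) -> Plan:
    """The thread's plan; keyword arguments (strings) override single fields."""
    conv = {"host_v4": ipaddress.IPv4Address, "lan_v4": ipaddress.IPv4Network,
            "ct_v4": ipaddress.IPv4Address, "host_v6_net": ipaddress.IPv6Network,
            "host_v6": ipaddress.IPv6Address, "bridge_v6_net": ipaddress.IPv6Network,
            "bridge_v6": ipaddress.IPv6Address, "ct_v6": ipaddress.IPv6Address,
            "public_port": int, "ct_port": int}
    fields = dict(host_nic="eth0", bridge="br0", host_v4="8.8.8.8",
                  lan_v4="10.1.0.0/24", ct_v4="10.1.0.10",
                  host_v6_net="8:8:8:8::/64", host_v6="8:8:8:8::1",
                  bridge_v6_net="8:8:8:8:1:1:1:0/112", bridge_v6="8:8:8:8:1:1:1:10",
                  ct_v6="8:8:8:8:1:1:1:20", public_port=2222, ct_port=22)
    fields.update(overrides)
    return Plan(**{k: conv.get(k, str)(v) for k, v in fields.items()})


def check_plan(p: Plan) -> list:
    """Return the plan's inconsistencies; an empty list means it is sound."""
    bad = []
    if p.ct_v4 not in p.lan_v4:
        bad.append(f"IPv4: {p.ct_v4} not inside {p.lan_v4}")
    # The provider delivers the /64 to host_nic and nothing else, so the
    # container slice must be carved from it or no packet ever arrives.
    if not p.bridge_v6_net.subnet_of(p.host_v6_net):
        bad.append(f"IPv6: {p.bridge_v6_net} not inside {p.host_v6_net}")
    for name, addr in (("bridge", p.bridge_v6), ("container", p.ct_v6)):
        if addr not in p.bridge_v6_net:
            bad.append(f"IPv6: {name} address {addr} not inside {p.bridge_v6_net}")
    if p.host_v6 in p.bridge_v6_net:  # host keeps its /64 address out of the slice
        bad.append(f"IPv6: host address {p.host_v6} collides with {p.bridge_v6_net}")
    return bad


def ipv4_rules(p: Plan) -> list:
    """IPv4 side; independent of whatever is done for IPv6."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A PREROUTING -i {p.host_nic} -d {p.host_v4} -p tcp "
        f"--dport {p.public_port} -j DNAT --to-destination {p.ct_v4}:{p.ct_port}",
        f"iptables -t nat -A POSTROUTING -s {p.lan_v4} ! -d {p.lan_v4} -j MASQUERADE",
    ]


def ipv6_nat66_rules(p: Plan) -> list:
    """The thread's "NAT ipv6" (needs the IPv6 nat table, Linux 3.7+).  The DNAT
    rule is bound to host_nic, where packets from the internet come in, and
    carries a port so public and container ports may differ."""
    return [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip6tables -t nat -A PREROUTING -i {p.host_nic} -d {p.host_v6} -p tcp "
        f"--dport {p.public_port} -j DNAT --to-destination [{p.ct_v6}]:{p.ct_port}",
        f"ip6tables -t nat -A POSTROUTING -s {p.bridge_v6_net} ! -d {p.bridge_v6_net} -j MASQUERADE",
    ]


def ipv6_routed_rules(p: Plan) -> list:
    """Routed alternative, no NAT: the /112 sits on the bridge and is forwarded.
    The provider sees the whole /64 as on-link, so the host answers neighbour
    solicitations for the container (NDP proxy).  Inbound is limited to the
    service port plus ICMPv6, which IPv6 needs for path MTU discovery."""
    return [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"sysctl -w net.ipv6.conf.{p.host_nic}.proxy_ndp=1",
        f"ip -6 addr add {p.bridge_v6}/{p.bridge_v6_net.prefixlen} dev {p.bridge}",
        f"ip -6 neigh add proxy {p.ct_v6} dev {p.host_nic}",
        f"ip6tables -A FORWARD -o {p.bridge} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"ip6tables -A FORWARD -o {p.bridge} -p ipv6-icmp -j ACCEPT",
        f"ip6tables -A FORWARD -i {p.host_nic} -o {p.bridge} -d {p.ct_v6} -p tcp --dport {p.ct_port} -j ACCEPT",
        f"ip6tables -A FORWARD -i {p.bridge} -o {p.host_nic} -s {p.bridge_v6_net} -j ACCEPT",
        f"ip6tables -A FORWARD -o {p.bridge} -j DROP",
    ]
```

Run check_plan(example_plan()) first; only when it returns an empty list feed ipv4_rules() plus either ipv6_nat66_rules() or ipv6_routed_rules() to a root shell on the host. In both variants the container's own network config gives it 8:8:8:8:1:1:1:20/112 with 8:8:8:8:1:1:1:10 as its default IPv6 gateway. The NAT66 list, like the commands in the thread, assumes the FORWARD chain's default policy is ACCEPT; the routed list carries its own FORWARD rules, so with it the container answers on its real address from anywhere, and only the listed port gets through.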
