LXD Port Forwards

Both Docker & LXD by default create containers inside of a private/internal NAT network. This increases security because communication between containers is not on the user LAN. These private NAT networks readily allow outbound communication, but like NAT on a router, they generally block all inbound communication by default.

This video discusses how LXD can perform port forwarding in a similar way to Docker.

Docker containers accomplish this with port forwards, whereby containers on a Docker private network can “map” desired ports to the Docker host. The downside is that a port number opened on the Docker host maps to exactly one container.

I have frequently shown how to “bridge” LXD containers to dedicated LAN addresses. This makes all ports on an LXD container available at the LAN address without any port conflicts. Although this is powerful, there are times when having the LXD container on a private address range can increase security and offer other functionality.

A good example is when your LXD host is a VPS server: you might be granted only a single IP address for the LXD host, and therefore you might not be able to give each separate LXD container its own address on the LAN.

In the tutorial we created an LXD container on the lxdbr0 NAT network:

lxc launch ubuntu:20.04 test1 -c boot.autostart=true

We connected to the console of the container, updated it and installed the Apache web server.

lxc exec test1 bash
apt update && apt upgrade -y
apt install apache2

We created a profile with a proxy device that forwards port 8080 on the LXD host down to port 80 in the container.

lxc profile create proxy-8080
lxc profile device add proxy-8080 hostport8080 proxy connect="tcp:127.0.0.1:80" listen="tcp:0.0.0.0:8080"
lxc profile show proxy-8080

We added the new profile to our test1 container:

lxc profile add test1 proxy-8080

Verify that the profile has been added to the container test1:

lxc config show test1 -e

You can then point a web browser at http://LXD-Host-address:8080 and it will reach the Apache server on the test1 container.
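
One way to check what the proxy device actually exposes on the host, as an added example that is not part of the original tutorial: the shell function below reads the output of lxc config show test1 -e and classifies the listen address of each proxy device. The sample config, the hostport8443 device and the address 192.0.2.10 are constructed for illustration, and audit_proxy_listens and sample_config are hypothetical helper names.

```shell
# Added example: read `lxc config show <name> -e` on stdin and report each
# proxy device together with how widely its host-side listener is reachable.
audit_proxy_listens() {
  awk '
    function emit(   addr, verdict) {
      if (dev != "" && type == "proxy") {
        addr = listen
        sub(/^[a-z]+:/, "", addr)       # strip the "tcp:" / "udp:" prefix
        sub(/:[0-9,-]+$/, "", addr)     # strip the port, port list or range
        if (listen ~ /^unix:/) verdict = "UNIX-SOCKET"
        else if (addr == "0.0.0.0" || addr == "[::]") verdict = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "[::1]") verdict = "LOOPBACK-ONLY"
        else verdict = "SINGLE-ADDRESS"
        print dev, listen, "->", connect, verdict
      }
      dev = ""; type = ""; listen = ""; connect = ""
    }
    /^[^ ]/       { emit(); in_devices = ($1 == "devices:"); next }
    !in_devices   { next }
    /^  [^ ].*:$/ { emit(); dev = $1; sub(/:$/, "", dev); next }
    /^    type: /    { type = $2 }
    /^    listen: /  { listen = $2 }
    /^    connect: / { connect = $2 }
    END { emit() }
  '
}

# Constructed sample of an expanded config (hostport8443 is made up).
sample_config() {
  cat <<'EOF'
devices:
  eth0:
    network: lxdbr0
    type: nic
  hostport8080:
    connect: tcp:127.0.0.1:80
    listen: tcp:0.0.0.0:8080
    type: proxy
  hostport8443:
    connect: tcp:127.0.0.1:443
    listen: tcp:192.0.2.10:8443
    type: proxy
profiles:
- default
- proxy-8080
EOF
}

sample_config | audit_proxy_listens
```

Against a live host, run lxc config show test1 -e | audit_proxy_listens; an ALL-INTERFACES result means the forwarded port is reachable on every address the LXD host has.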

To remove the proxy profile from the container and delete the profile:

lxc profile remove test1 proxy-8080
lxc profile delete proxy-8080