
Bridged setup for your container(s) network

There are typically two ways to create a bridged network setup:

  1. host-shared bridge: create a bridge out of your main network interface which will hold both the host's IP and the container's IP addresses.

  2. independent bridge: create a different bridge out of thin air and link your containers together on this bridge, but use forwarding to get it out on the internet or to get traffic into it.

The first type would have direct internet access or network access using a host-supplied or host-network (same subnet) IP address.

This means that the first type can acquire a DHCP lease from the host network. The second type is sitting on its own internal network and is getting masqueraded. That means it is sitting behind a NAT firewall and is only getting ports forwarded to it.

Lxc-net uses type 2. An lxc-net configuration is a masqueraded configuration.

Both types of configuration normally use the veth network setup for the container.

The independent bridge (masqueraded bridge)

This second type is what is typically considered to be the Masqueraded Bridge. You have an internal subnet that you use on the bridge (and all the containers).

The easiest way in version 2.0 (as included in Stretch) is to use the lxc-net package (component). This is part of the lxc package (real Debian package) starting from Stretch (Debian 9) (you can find a wallpaper here ;-)).

Below is an example configuration for lxc-net.

Using lxc-net

The default setup for lxc-net is as follows:


This information is put in the file /etc/default/lxc-net.

This is also the configuration lxc-net starts with on Debian Stretch out of the box, that is, without the patch applied to it (see the main page).
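As an added example, not the page's own listing, here is an /etc/default/lxc-net spelling out the values lxc-net 2.0 falls back to when the file sets nothing; the comments are added here.

```sh
# /etc/default/lxc-net (added example; these are lxc-net's built-in defaults)
USE_LXC_BRIDGE="true"                  # create and manage the bridge at service start
LXC_BRIDGE="lxcbr0"                    # bridge name the containers link to
LXC_ADDR="10.0.3.1"                    # host address on the bridge = the containers' gateway
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"              # container subnet; only this range gets masqueraded
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"   # leases handed out by the dnsmasq lxc-net starts
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""                    # optional extra dnsmasq config (e.g. fixed leases)
LXC_DOMAIN=""                          # optional DNS domain for the containers
```

If 10.0.3.0/24 is already in use on the host's LAN, change LXC_ADDR, LXC_NETWORK and LXC_DHCP_RANGE together before starting the service.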

After creating this file with the required config you can simply start the service with systemctl start lxc-net, after enabling it with systemctl enable lxc-net. This is covered in the introduction at the Main Page. Commands:

systemctl enable lxc-net
systemctl start lxc-net

The service will run at boot and create your bridge for you. It will also add masquerading and forward firewall rules for you using iptables calls.

More info on a bridge

Much is covered in Masqueraded Bridge.

For Debian Jessie and below (which is what most users will have at this point) you must consult that document if you are not going to use lxc-net from Stretch (via Backports).

Host device as bridge

The first type of bridge that was mentioned was the “host-shared bridge”.

The host-shared bridge requires the host's network device to be superseded by a bridge that will include this network device as one of its ports.

auto lxcbr0
iface lxcbr0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

would be a typical minimal bridge setup (using dhcp) that supersedes an IP on the main interface (eth0), provided that you have the new fancy "Predictable Network Interface Names" disabled. (Don't forget to regenerate your initramfs with update-initramfs -u.)

This type of bridge setup has the following features:

This requires the bridge-utils package (as does lxc-net).

Edit the host's /etc/network/interfaces in this form:

# Comment out the following:
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

# uncomment the below and comment the above for static ip setup on the host
#auto br0
#iface br0 inet static
#       bridge_ports eth0
#       bridge_fd 0
#       address <host IP here, e.g.>
#       netmask
#       network <network IP here, e.g.>
#       broadcast <broadcast IP here, e.g.>
#       gateway <gateway IP address here, e.g.>
#       # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers <name server IP address here, e.g.>
#       dns-search

Restart networking:

/etc/init.d/networking restart

In the container's config file (under /var/lib/lxc/<container>/config):

## Network
lxc.utsname = containershostname
lxc.network.type = veth
lxc.network.flags = up

# that's the interface defined above in host's interfaces file
lxc.network.link = br0

# name of network device inside the container,
# defaults to eth0, you could choose a name freely
#lxc.network.name = lxcnet0
lxc.network.hwaddr = 00:FF:AA:00:00:01

# the ip may be set here, or skip this line
# if you like to use a dhcp client inside the container
#lxc.network.ipv4 = <container IP with prefix length here, e.g.>

# define a gateway to have access to the internet
#lxc.network.ipv4.gateway = <gateway IP address here, e.g.>

Inside the container, /etc/network/interfaces then looks like this (dhcp, or static like on the host):

auto eth0
iface eth0 inet dhcp
#iface eth0 inet static
#       address <container IP here, e.g.>
#       all other settings like those for the host

Additional bridge device instead of changing a host device to br0

# script to setup a natted network for lxc guests
echo 1 > /proc/sys/net/ipv4/ip_forward

To keep forwarding enabled across reboots, uncomment the following in /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Insert the following in /etc/network/interfaces (wlan0 is the host's uplink; since the bridge has no physical ports it needs its own address, which the containers use as their gateway):

auto lxc-bridge-nat
iface lxc-bridge-nat inet static
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0
        address <bridge IP here, e.g.>
        netmask <netmask here, e.g.>
        up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
        down iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

Then point the container's config at this bridge instead of br0, with a static IP on the bridge's subnet and the bridge's own address as the gateway:

lxc.network.link = lxc-bridge-nat
lxc.network.ipv4 = <container IP on the bridge subnet here, e.g.>
lxc.network.ipv4.gateway = <bridge IP address here, e.g.>
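Here is an added example, not the page's script (of which only the first line survives) and not lxc-net's own code, of a small sh script that brings the independent bridge up with the masquerade and forward rules described above for lxc-net and for this section, and tears it down again. The bridge name lxc-bridge-nat and the uplink wlan0 come from the page; the 10.0.3.0/24 addresses are constructed samples, and DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example: create the independent (masqueraded) bridge for LXC guests.
# Bridge name and uplink follow the page; 10.0.3.0/24 is a constructed sample subnet.
BRIDGE=${BRIDGE:-lxc-bridge-nat}
BRIDGE_ADDR=${BRIDGE_ADDR:-10.0.3.1}     # host side of the bridge = containers' gateway
BRIDGE_NET=${BRIDGE_NET:-10.0.3.0/24}    # container subnet, the only range that is NATed
WAN_IF=${WAN_IF:-wlan0}                  # uplink that carries the masqueraded traffic

# Print instead of execute when DRY_RUN=1 (no root needed to review the rules).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr add "$BRIDGE_ADDR/${BRIDGE_NET#*/}" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run sysctl -w net.ipv4.ip_forward=1
    # Masquerade only the container subnet, only towards the uplink, and not
    # container-to-container traffic; "-o wlan0 -j MASQUERADE" alone would also
    # rewrite anything else the host forwards out of that interface.
    run iptables -t nat -A POSTROUTING -s "$BRIDGE_NET" ! -d "$BRIDGE_NET" \
        -o "$WAN_IF" -j MASQUERADE
    # Forward only between the bridge and the uplink; packets coming back in
    # must belong to a connection a container opened.
    run iptables -A FORWARD -i "$BRIDGE" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$BRIDGE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Remove exactly the rules added above (an "up" line alone leaves its rule behind).
nat_bridge_down() {
    run iptables -D FORWARD -i "$WAN_IF" -o "$BRIDGE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$BRIDGE" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$BRIDGE_NET" ! -d "$BRIDGE_NET" \
        -o "$WAN_IF" -j MASQUERADE
    run ip link del "$BRIDGE"
}

case "${1:-}" in
    up)   nat_bridge_up ;;
    down) nat_bridge_down ;;
esac
```

Run it as root with "up" or "down"; with DRY_RUN=1 it only lists what it would do, which is a convenient way to compare against iptables -t nat -S on a host where lxc-net already runs.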