LXC, Port forwarding and iptables

It seems you have blocked port 7002 on 10.0.3.1, as your default policy is DROP.

Try adding it to INPUT rules:

iptables -A INPUT -p tcp --dport 7002 -j ACCEPT

I ran into the same problem. I have not found a solution yet, but below I note down some observations.

I have a host ${host} machine (Ubuntu 12.04) and it runs a guest machine via LXC. The guest is on IP 10.0.3.248 and the gateway is 10.0.3.1. I run a web server in the guest and want to port forward traffic from ${host}:8888 to 10.0.3.248:80. The following are the relevant iptables entries:

-A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination 10.0.3.248:80
-A POSTROUTING -j MASQUERADE

With the current configuration, I can successfully visit the web server on 10.0.3.248:80 from another physical machine. However, it fails when I try to visit 10.0.3.248:80 from ${host}. Maybe you can try to visit that service inside LXC from another machine.

My understanding is that, when I visit from ${host}, the packet goes through the loopback interface and enters the INPUT chain directly. Although I allow everything on INPUT, there is no service listening at ${host}:8888. From Wireshark, I see a RST is sent and received. When I visit from another physical machine, the packet goes into the PREROUTING chain and is DNAT-ed as expected.

One related post:

  • iptables redirect local connections to remote system / port
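The observation above (host-originated packets skip PREROUTING and land in INPUT, where nothing listens) is exactly what the nat OUTPUT chain is for: locally generated packets traverse nat OUTPUT instead of nat PREROUTING, so the DNAT has to be repeated there. The script below is an added example, not code from the original post or from LXC; it prints the full rule set for the post's scenario (remote clients via PREROUTING, host-local clients via OUTPUT, source rewrite on the bridge, FORWARD accepts) and, when run as root with APPLY=1, installs it. The guest address 10.0.3.248:80, host port 8888 and bridge name lxcbr0 are taken from the post or assumed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from LXC). Prints, or with APPLY=1 as root
# installs, the iptables rules to forward a host port to an LXC guest so that the forward
# also works for connections made on the host itself.
# Assumed values: guest 10.0.3.248:80 behind bridge lxcbr0, host port 8888.

# forward_rules HOST_PORT GUEST_IP GUEST_PORT BRIDGE
# Emits one iptables command per line; nothing is executed here.
forward_rules() {
    hport=$1; gip=$2; gport=$3; br=$4

    # 1. Packets arriving from other machines enter the nat PREROUTING chain.
    #    This is the rule the post already has, written as a full command (with -t nat).
    echo "iptables -t nat -A PREROUTING -p tcp --dport $hport -j DNAT --to-destination $gip:$gport"

    # 2. Locally generated packets never pass PREROUTING; they traverse the nat OUTPUT
    #    chain instead. Without this rule a connection from the host to its own port is
    #    delivered to INPUT, no process listens there, and the kernel answers with a RST.
    #    --dst-type LOCAL limits the rule to the host's own addresses (including 127.0.0.1).
    echo "iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p tcp --dport $hport -j DNAT --to-destination $gip:$gport"

    # 3. After the OUTPUT DNAT the packet is re-routed onto the bridge but keeps the source
    #    address picked for the original destination (127.0.0.1 when connecting to localhost).
    #    Rewrite it to the bridge address so the guest can answer. The post's blanket
    #    '-A POSTROUTING -j MASQUERADE' covers this as well; this form is narrower.
    echo "iptables -t nat -A POSTROUTING -o $br -p tcp -d $gip --dport $gport -j MASQUERADE"

    # 4. Remote clients' DNATed packets go through the filter FORWARD chain (host-local ones
    #    go through filter OUTPUT). Accept both directions on the bridge in case the
    #    FORWARD policy is DROP; harmless if equivalent rules already exist.
    echo "iptables -A FORWARD -o $br -p tcp -d $gip --dport $gport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules: run the commands for real. Needs root, and the bridge must exist.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

# Hairpin check to run on the host after applying: expect an HTTP status, not a refusal.
check_from_host() {
    curl -sS -o /dev/null -w '%{http_code}\n' --max-time 5 "http://127.0.0.1:$1/"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules 8888 10.0.3.248 80 lxcbr0 && check_from_host 8888
else
    forward_rules 8888 10.0.3.248 80 lxcbr0
fi
```

Run it without arguments to review the generated commands first; `APPLY=1 sudo sh forward.sh` installs them and then fetches the forwarded port from the host itself. To confirm which chain a local connection actually hits, compare `iptables -t nat -L OUTPUT -v -n` before and after a `curl http://127.0.0.1:8888/`; the packet counter on the OUTPUT DNAT rule should increase.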