# Setting up DNAT

## Create a virtual bridge network for the LXC containers to use; by default it has no outside connectivity

![](https://529150212-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lh81JtaIQ84bwQqz_Wh%2F-LxctWBTHAeQO-vX6foR%2F-Lxcx4wujdULM7M9YUoM%2Fimage.png?alt=media\&token=9f2de821-35b6-4655-a575-dbb378596615)

![](https://529150212-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lh81JtaIQ84bwQqz_Wh%2F-LxctWBTHAeQO-vX6foR%2F-Lxcy8N8o9TxBhI_fLEe%2Fimage.png?alt=media\&token=7f970580-efdf-4c01-b314-859d1ffc541c)

Allow this virtual network segment to reach the Internet through SNAT:

```
auto vmbr0
iface vmbr0 inet static
	address 10.99.0.254
	netmask 255.255.255.0
	bridge_ports none
	bridge_stp off
	bridge_fd 0
	post-up echo 1 > /proc/sys/net/ipv4/ip_forward
	post-up iptables -t nat -A POSTROUTING -s '10.99.0.0/24' -j MASQUERADE
	post-down iptables -t nat -D POSTROUTING -s '10.99.0.0/24' -j MASQUERADE
```

## Expose the Docker Samba service running in this LXC to the outside

```
iptables -t nat -A PREROUTING -p tcp -d 172.16.10.13 --dport 445 -j DNAT --to 10.99.0.1
```
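`iptables -A` appends a rule even when an identical one is already present, so re-running the commands above leaves duplicates in the nat table. The script below is an added example, not part of the original page: it applies the page's MASQUERADE and DNAT rules only when `iptables -C` reports them missing, and removes every copy on teardown. The function names and the `IPT` override variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): idempotent handling of the
# page's two NAT rules. IPT is a hypothetical override so the logic can be
# exercised with a stub instead of the real iptables binary.
IPT="${IPT:-iptables}"

# ensure_rule TABLE CHAIN SPEC...: append only if -C reports the rule absent.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    $IPT -t "$table" -A "$chain" "$@"
}

# remove_rule TABLE CHAIN SPEC...: delete every copy, since repeated -A
# calls may have left more than one identical rule behind.
remove_rule() {
    table=$1; chain=$2; shift 2
    while $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; do
        $IPT -t "$table" -D "$chain" "$@" || return 1
    done
}

# Addresses and port are the ones used on this page.
nat_up() {
    ensure_rule nat POSTROUTING -s 10.99.0.0/24 -j MASQUERADE &&
    ensure_rule nat PREROUTING -p tcp -d 172.16.10.13 --dport 445 \
        -j DNAT --to-destination 10.99.0.1
}

nat_down() {
    remove_rule nat PREROUTING -p tcp -d 172.16.10.13 --dport 445 \
        -j DNAT --to-destination 10.99.0.1
    remove_rule nat POSTROUTING -s 10.99.0.0/24 -j MASQUERADE
}

# Act only when called with an argument, e.g. `sh nat-rules.sh up`.
case "${1:-}" in
    up)   nat_up ;;
    down) nat_down ;;
esac
```

Saved under a path of your choosing, the script can be called from the `post-up` and `post-down` lines of `vmbr0` with `up` and `down`, so the DNAT rule is restored with the bridge in the same way as the MASQUERADE rule.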
