Hi, I have an Ethernet NIC with 4 additional virtual interfaces (failover IPs), all configured with public IPs (IP-1 to IP-5), netmask 255.255.255.255, and broadcast equal to the IP itself:
auto eth0
iface eth0 inet static
    address IP-1
    netmask 255.255.255.255
    broadcast IP-1
    post-up route add ISP-GW dev eth0
    post-up route add default gw ISP-GW
    # private gateway address for the bridge / containers (IP-GW)
    post-up ip addr add 192.168.100.254/24 dev eth0
    post-down route del ISP-GW dev eth0
    post-down route del default gw ISP-GW
    post-down ip addr del 192.168.100.254/24 dev eth0

auto eth0:3
iface eth0:3 inet static
    address IP-5
    netmask 255.255.255.255
    broadcast IP-5

auto br0
iface br0 inet static
    network 192.168.100.0
    # IP-B
    address 192.168.100.100
    # IP-GW
    gateway 192.168.100.254
    broadcast 192.168.100.255
    netmask 255.255.255.0
    bridge_ports none
    bridge_maxwait 0
# ping lxc container
#
$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.161 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.075 ms
# ping bridge br0
#
$ ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.056 ms
# ping gateway / alias of eth0 IP-1
#
$ ping 192.168.100.254
PING 192.168.100.254 (192.168.100.254) 56(84) bytes of data.
64 bytes from 192.168.100.254: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 192.168.100.254: icmp_seq=2 ttl=64 time=0.090 ms
And now I want to direct the traffic of eth0 IP-5 (eth0:3) <-> br0 IP-B, and keep all other traffic on eth0. How do I define the netfilter rules to achieve this?
I know I have to add
iptables -t nat -A POSTROUTING
iptables -t nat -A PREROUTING
rules, something like:
# change public host IP-5 to private IP-B
#
$ iptables -t nat -A PREROUTING -d IP-5 -j DNAT --to IP-B
#
# change private IP-B to public IP-5 use SNAT instead of MASQUERADE for static IP
#
$ iptables -t nat -A POSTROUTING -s IP-B -j SNAT --to IP-5
#
# force to send reply to gateway where IP-GW = 192.168.100.254/16
#
$ iptables -t nat -A POSTROUTING -o br0 -s IP-GW -d IP-5 -j SNAT --to IP-B
And I also enabled forwarding in sysctl.
The lxc container is Debian:
lxc.network.type = veth
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.link = br0
lxc.network.veth.pair = veth0-sid
lxc.network.ipv4 = 192.168.100.1/24
lxc.network.ipv4.gateway = 192.168.100.254
lxc container routes:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.254 0.0.0.0         UG    0      0        0 veth0
192.168.100.0   *               255.255.255.0   U     0      0        0 veth0

veth0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
The server is Ubuntu 15.10:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ISP-GW          0.0.0.0         UG    0      0        0 eth0
default         192.168.100.254 0.0.0.0         UG    0      0        0 br0
ISP-GW          *               255.255.255.255 UH    0      0        0 eth0
192.168.100.0   *               255.255.255.0   U     0      0        0 br0
When I ping IP-5 from outside, tcpdump on br0 does not receive any ICMP. Do I need to add something like a gateway or a static route? What am I doing wrong?
# on lxc container
#
$ apt update
Err http://http.debian.net jessie Release.gpg
Could not resolve 'http.debian.net'
W: Failed to fetch http://http.debian.net/debian/dists/jessie/Release.gpg
Could not resolve 'http.debian.net'
# on host :
#
$ tcpdump -vi br0
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:54:21.370892 IP (tos 0x0, ttl 64, id 59200, offset 0, flags [DF], proto UDP (17), length 71)
192.168.100.1.58916 > cdns.ovh.net.domain: 46783+ A? security.debian.org.local. (43)
01:54:21.371049 IP (tos 0x0, ttl 64, id 59201, offset 0, flags [DF], proto UDP (17), length 71)
192.168.100.1.58916 > cdns.ovh.net.domain: 65501+ AAAA? security.debian.org.local. (43)
# host ping and tcpdump
#
$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.118 ms
$ tcpdump -vi br0
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:07:47.168384 IP (tos 0x0, ttl 64, id 24937, offset 0, flags [DF], proto ICMP (1), length 84)
IP-5 > 192.168.100.1: ICMP echo request, id 5199, seq 1, length 64
02:07:47.168460 IP (tos 0x0, ttl 64, id 2157, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > IP-5: ICMP echo reply, id 5199, seq 1, length 64
# ping IP-5 from outside -> tcpdump on br0: no packet captured
# connect my NIC to the outside world
#
$ ip route add ISP-GW dev eth0
$ ip route add default via ISP-GW
$ ip r
default via ISP-GW dev eth0
ISP-GW dev eth0 scope link
# ping IP-1 from outside: OK!
# add bridge br0 route via gateway (alias of IP-1 = IP-GW)
#
$ ip route add 192.168.100.100 via 192.168.100.254
$ ip r
default via ISP-GW dev eth0
ISP-GW dev eth0 scope link
192.168.100.100 via 192.168.100.254 dev eth0
Should I receive ICMP for IP-5 from outside if I set up DNAT and take br0 down?
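As an added example that is not part of the original post: a POSIX sh script that builds the minimal rule set for mapping one public alias (the role IP-5 plays above) to one private address behind the bridge (the role IP-B plays). Beyond the DNAT/SNAT pair it also emits the FORWARD-chain entries the DNATed packets must pass on their way from the WAN interface to the bridge, and the conntrack rule that lets replies back out; Netfilter reverses both translations on the reply direction by itself, so no separate rule is needed for the return path. Addresses and interface names are arguments, the 203.0.113.5 in the usage line is a documentation address standing in for IP-5, and APPLY=1 is this script's own switch, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally apply,
# the netfilter rules that map one public alias (IP-5 style) to one container
# address (IP-B style) behind a bridge.  All values are placeholders passed
# as arguments; nothing here is taken from the poster's real setup.
#
# Usage:  sh nat_map.sh 203.0.113.5 192.168.100.100 eth0 br0           # print rules
#         APPLY=1 sh nat_map.sh 203.0.113.5 192.168.100.100 eth0 br0   # run them (root)

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule list, one command per line, in the order it should be applied.
# The ESTABLISHED,RELATED rule comes first so replies of any existing
# connection are accepted before the per-address rules are consulted.
nat_rules() {
    pub=$1 priv=$2 wan=$3 br=$4
    valid_ipv4 "$pub" && valid_ipv4 "$priv" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $priv
iptables -t nat -A POSTROUTING -o $wan -s $priv -j SNAT --to-source $pub
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $br -d $priv -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $br -o $wan -s $priv -j ACCEPT
EOF
}

# Print the rules, or execute them with sh -e (stop at the first failure)
# when APPLY=1 is set and we are root.
main() {
    [ $# -eq 4 ] || { echo "usage: $0 PUBLIC_IP PRIVATE_IP WAN_IF BRIDGE_IF" >&2; return 2; }
    rules=$(nat_rules "$@") || { echo "bad IPv4 address" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; return 1; }
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# Only act when called with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it without APPLY to review the generated commands; with APPLY=1 as root it executes them so that the first failing rule stops the sequence. After applying, `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter increasing while the public address is pinged from outside, and `tcpdump -ni br0 icmp` should then show the echo requests arriving with the private destination address.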