# Container Networking {#sec-container-networking}

When you create a container using `nixos-container create`, it gets its
own private IPv4 address in the range `10.233.0.0/16`. You can get the
container's IPv4 address as follows:

```ShellSession
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
```

Networking is implemented using a pair of virtual Ethernet devices. The
network interface in the container is called `eth0`, while the matching
interface in the host is called `ve-container-name` (e.g., `ve-foo`).
The container has its own network namespace and the `CAP_NET_ADMIN`
capability, so it can perform arbitrary network configuration such as
setting up firewall rules, without affecting or having access to the
host's network.

By default, containers cannot talk to the outside network. If you want
that, you should set up Network Address Translation (NAT) rules on the
host to rewrite container traffic to use your external IP address. This
can be accomplished using the following configuration on the host:

```nix
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";
```

where `eth0` should be replaced with the desired external interface.
Note that `ve-+` is a wildcard that matches all container interfaces.

If you are using NetworkManager, you need to explicitly prevent it from
managing container interfaces:

```nix
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
```

You may need to restart your system for the changes to take effect.
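
Because `ve-+` applies NAT to every container interface, outbound access can instead be limited to selected containers by listing their host-side interface names explicitly. The host module below is an added example, not part of the NixOS manual; `natContainers` is a hypothetical helper name, and `foo` and `eth0` are the container and external interface names used above.

```nix
# Added example: NAT only for named containers instead of the "ve-+" wildcard.
{ config, lib, ... }:

let
  # Containers allowed to reach the outside network through the host.
  # "foo" is the container name used on this page; adjust to your own.
  natContainers = [ "foo" ];
in
{
  networking.nat = {
    enable = true;
    # One host-side veth per listed container, e.g. "ve-foo".
    # Containers not listed here keep the default: no outside connectivity.
    internalInterfaces = map (name: "ve-${name}") natContainers;
    # Replace with the host's actual external interface.
    externalInterface = "eth0";
  };

  # Only relevant when NetworkManager is in use on the host: keep it from
  # managing any container interface, whether or not that container is NATed.
  networking.networkmanager.unmanaged =
    lib.mkIf config.networking.networkmanager.enable
      [ "interface-name:ve-*" ];
}
```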