lxc container no outgoing traffic
10,071
Added two lines in the top of /etc/iptables.firewall.rules:
-A FORWARD -s 10.0.3.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.0.3.0/24 -o lxcbr0 -j ACCEPT
Just below *filter
Related videos on Youtube
Author by
Kristian Nygaard Jensen
Updated on September 18, 2022Comments
-
Kristian Nygaard Jensen over 1 year
I am trying to setup a lxc container on a ubuntu 13.04 on a linode VPS, but I can't ping anything outside my host.
my container network config looks like this:
lxc.network.type = veth lxc.network.hwaddr = 00:16:3e:04:93:57 lxc.network.ipv4 = 10.0.3.3/24 lxc.network.ipv4.gateway = 10.0.3.1 lxc.network.link = lxcbr0 lxc.network.flags = up
I have add the two lines with ipv4 my self, without them I couldn’t event ping the host.
On the host side ifconfig show this for the bridge and container interface:
lxcbr0: Link encap:Ethernet HWaddr fe:b2:8c:74:8c:fa inet addr:10.0.3.1 Bcast:10.0.3.255 Mask:255.255.255.0 inet6 addr: fe80::68aa:7eff:feb4:9959/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7179 errors:0 dropped:0 overruns:0 frame:0 TX packets:15 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2294800 (2.2 MB) TX bytes:846 (846.0 B) vethYNhCg1 Link encap:Ethernet HWaddr fe:b2:8c:74:8c:fa inet6 addr: fe80::fcb2:8cff:fe74:8cfa/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:311 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:64446 (64.4 KB) TX bytes:2904 (2.9 KB)
The veth interface doesn’t get a ipv4 IP automaticly, I have tried to add one my self but it didn’t help.
dmesg logs lines like this:
[1466355.530226] iptables denied: IN=lxcbr0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:04:93:57:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
I have tried allot of different things but nothing seems to work. This is what I have tried so fare.
sudo iptables -A FORWARD -i vethYNhCg1 -o eth0 -j ACCEPT sudo iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT iptables -A INPUT -i lxcbr0 -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -o lxcbr0 -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -i lxcbr0 -p icmp --icmp-type echo-reply -j ACCEPT iptables -A OUTPUT -o lxcbr0 -p icmp --icmp-type echo-reply -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -o lxcbr0 -j MASQUERADE
Unfortunately I do not know a hole lot about networking so I am just trying anything I can find. Please help.
-
gertvdijk over 10 yearsLooks like a firewall issue. I see the DHCP traffic being blocked there. What are your current firewall rules? Post the output of
iptables -L -n -v
andiptables -t NAT -L -n -v
(and if the output is very long, post it on paste.ubuntu.com) -
Kristian Nygaard Jensen over 10 yearsThe output from iptables -L -n -v can be seen here: paste.ubuntu.com/6051430. But I get an error when I try to call iptables -t NAT -L -n -v: iptables v1.4.12: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
-
gertvdijk over 10 yearsYour first problem is with the FORWARD chain. The DROP rule takes precedence over the ACCEPT (as you can see in the number of packets being hit by it), because it is listed first. If you don't understand plain
iptables
, then why are you running the firewall in the first place? Or, read up oniptables
. Oh and sorry, NAT command should have beensudo iptables -t nat -L -n -v
-
Kristian Nygaard Jensen over 10 yearsIptables is enabled as default. Is it safe running without a firewall?
-
gertvdijk over 10 yearsI know
iptables
is enabled by default, but you have configured it to DROP packets, this is not default! As this seems very obvious to me, I doubt you understand what you are doing. So that's why I ask if you really need to run this firewall. If you do, then read up oniptables
or run aiptables
front-end that makes it a lot easier. Eg.:shorewall
,ufw
, and many more exist. -
Kristian Nygaard Jensen over 10 yearsI did not add the DROP condition, but thanks for the tip about ufw.
-