lxc container no outgoing traffic

network-bridge lxc
10,071

Added two lines in the top of /etc/iptables.firewall.rules:

-A FORWARD -s 10.0.3.0/24 -o eth0 -j ACCEPT                                     
-A FORWARD -d 10.0.3.0/24 -o lxcbr0 -j ACCEPT

Just below *filter

Share:
10,071

Related videos on Youtube

Kristian Nygaard Jensen
Author by

Kristian Nygaard Jensen

Updated on September 18, 2022

Comments

  • Kristian Nygaard Jensen
    Kristian Nygaard Jensen over 1 year

    I am trying to setup a lxc container on a ubuntu 13.04 on a linode VPS, but I can't ping anything outside my host.

    my container network config looks like this:

    lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:04:93:57
lxc.network.ipv4 = 10.0.3.3/24
lxc.network.ipv4.gateway = 10.0.3.1
lxc.network.link = lxcbr0
lxc.network.flags = up

    I have add the two lines with ipv4 my self, without them I couldn’t event ping the host.

    On the host side ifconfig show this for the bridge and container interface:

    lxcbr0: Link encap:Ethernet  HWaddr fe:b2:8c:74:8c:fa  
inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
inet6 addr: fe80::68aa:7eff:feb4:9959/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:7179 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0 
RX bytes:2294800 (2.2 MB)  TX bytes:846 (846.0 B)

vethYNhCg1 Link encap:Ethernet  HWaddr fe:b2:8c:74:8c:fa  
inet6 addr: fe80::fcb2:8cff:fe74:8cfa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:311 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:64446 (64.4 KB)  TX bytes:2904 (2.9 KB)

    The veth interface doesn’t get a ipv4 IP automaticly, I have tried to add one my self but it didn’t help.

    dmesg logs lines like this:

    [1466355.530226] iptables denied: IN=lxcbr0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:04:93:57:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

    I have tried allot of different things but nothing seems to work. This is what I have tried so fare.

    sudo iptables -A FORWARD -i vethYNhCg1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT

iptables -A INPUT -i lxcbr0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o lxcbr0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i lxcbr0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o lxcbr0 -p icmp --icmp-type echo-reply -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o lxcbr0 -j MASQUERADE

    Unfortunately I do not know a hole lot about networking so I am just trying anything I can find. Please help.

    • gertvdijk
      gertvdijk over 10 years
      Looks like a firewall issue. I see the DHCP traffic being blocked there. What are your current firewall rules? Post the output of iptables -L -n -v and iptables -t NAT -L -n -v (and if the output is very long, post it on paste.ubuntu.com)
    • Kristian Nygaard Jensen
      Kristian Nygaard Jensen over 10 years
      The output from iptables -L -n -v can be seen here: paste.ubuntu.com/6051430. But I get an error when I try to call iptables -t NAT -L -n -v: iptables v1.4.12: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
    • gertvdijk
      gertvdijk over 10 years
      Your first problem is with the FORWARD chain. The DROP rule takes precedence over the ACCEPT (as you can see in the number of packets being hit by it), because it is listed first. If you don't understand plain iptables, then why are you running the firewall in the first place? Or, read up on iptables. Oh and sorry, NAT command should have been sudo iptables -t nat -L -n -v
    • Kristian Nygaard Jensen
      Kristian Nygaard Jensen over 10 years
      Iptables is enabled as default. Is it safe running without a firewall?
    • gertvdijk
      gertvdijk over 10 years
      I know iptables is enabled by default, but you have configured it to DROP packets, this is not default! As this seems very obvious to me, I doubt you understand what you are doing. So that's why I ask if you really need to run this firewall. If you do, then read up on iptables or run a iptables front-end that makes it a lot easier. Eg.: shorewall, ufw, and many more exist.
    • Kristian Nygaard Jensen
      Kristian Nygaard Jensen over 10 years
      I did not add the DROP condition, but thanks for the tip about ufw.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LXD container set static ip
After starting a particular LXC container with a static IP, no default gateway route is configured
Port forwarding between bridged interfaces
Difference between LXC and libcontainer
How is "lxd" different from lxc/docker?
How to start an lxc container on Ubuntu 14.04 without "Executing '/sbin/init' with no configuration file may crash the host" error
How do I export a lxc container?
LXC - Cgroup memory controller: missing
Setting absolute limits on CPU for Docker containers
Starting Xserver in Docker Ubuntu container