LXC, Port forwarding and iptables

iptables port-forwarding lxc

30,155

Solution 1

Seems you have blocked 7002 port on 10.0.3.1 as your default policy is DROP

Try adding it to INPUT rules:

iptables -A INPUT -p tcp --dport 7002 -j ACCEPT

Solution 2

I ran into the same problem. I have not found solution yet, but following I note down some observations.

I have a host ${host} machine (Ubuntu 12.04) and it runs a guest machine via LXC. The guest is on IP 10.0.3.248 and gateway is 10.0.3.1. I run a web server in the guest and want to port forward traffic from ${host}:8888 to 10.0.3.248:80. Following is the relevant iptables entries:

-A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination 10.0.3.248:80
-A POSTROUTING -j MASQUERADE

With the current configuration, I can successfully visit the web server on 10.0.3.248:80 from another physical machine. However, it fails when I try to visit 10.0.3.248:80 from ${host}. Maybe you can try to visit that service inside LXC from another machine.

My understanding is that, when I visit from ${host}, the packet go through loopback interface and enters the INPUT chain directly. Although I allow everything on INPUT, there is no service listening at ${host}:8888. From wireshark, I see a RST is sent received. When I visit from another physical machine, the packet goes into PREROUTING chain and was DNAT-ed as expected.

One related post:

iptables redirect local connections to remote system / port

30,155

Roberto Aloi

Because of my academic career, I’m interested in software engineering, human - computer interaction, user interfaces, graphics, databases, web applications and more. As the final thesis for my Bachelor's degree, I implemented a garbage collector for a Java Virtual Machine (named Juice) targeted to embedded systems with real time requirements. As the final thesis for my Master's degree, I designed an access control mechanism for the Content Management System Joomla (www.joomla.org). It was successfully used for an e-learning solution. I spent my last years discovering the Erlang language and getting addicted to it.

Updated on September 18, 2022

Comments

Roberto Aloi over 1 year
I have a LXC container (10.0.3.2) running on a host. A service is running inside the container on port 7000.

From the host (10.0.3.1, lxcbr0), I can reach the service:
```
$ telnet 10.0.3.2 7000
Trying 10.0.3.2...
Connected to 10.0.3.2.
Escape character is '^]'.
```
I'd love to make the service running inside the container accessible to the outer world. Therefore, I want to forward port 7002 on the host to port 7000 on the container:
```
iptables -t nat -A PREROUTING -p tcp --dport 7002 -j DNAT --to 10.0.3.2:7000
```
Which results in (iptables -t nat -L):
```
DNAT   tcp  --  anywhere     anywhere     tcp dpt:afs3-prserver to:10.0.3.2:7000
```
Still, I cannot access the service from the host using the forwarded port:
```
$ telnet 10.0.3.1 7002
Trying 10.0.3.1...
telnet: Unable to connect to remote host: Connection refused
```
I feel like I'm missing something stupid here. What things should I check? What's a good strategy to debug these situations?

For completeness, here is how iptables are set on the host:
```
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o lxcbr0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --dport 7002 -j DNAT --to 10.0.3.2:7000
```
- Michael Härtl about 11 years
  
  Did you check the INPUT chain? Maybe the policy is REJECT there.
- Roberto Aloi about 11 years
  
  Policy is ACCEPT
- Roberto Aloi about 11 years
  
  ip_forward is set to 1
- Roberto Aloi about 11 years
  
  FORWARD policy is also ACCEPT
- Michael Härtl about 11 years
  
  Next things i would try: Check if any packet makes it to the LXC, e.g with tcpdump. Also watch the different counters in your iptables, whenever you try to connect. It usually gives you a hint, where a packet is lost. If packets arrive at LXC then check /etc/hosts.allow and /etc/hosts.deny and your telnet configuration. Maybe it's blocking IPs outside your network.
- Roberto Aloi about 11 years
  
  Added the complete specs for iptables.
- Roberto Aloi about 11 years
  
  tcpdump (used on -i lo) shows a rejection. No packets reach the LXC, apparently.
- Roberto Aloi about 11 years
  
  let us continue this discussion in chat
- Laurentiu Roescu almost 11 years
  
  I think this is causing you troubles: iptables -t nat -A POSTROUTING -o lxcbr0 -j MASQUERADE. Why do you need that?
- andresgongora about 6 years
  
  Might be related to this: serverfault.com/questions/475065/iptables-port-forwarding-a-‌b-a have you tried accessing port 7002 from another computer as the host? i.e telnet $HOSTIP 7002 (where $HOSTIP is the IP of the machine hosting the LXC contianer, say 192.168.1.15 if you are on a common LAN).
- thistleknot almost 3 years
  
  all I needed was the last line