[Lxc-users] Routing issues

Michael H. Warfield mhw at WittsEnd.com
Tue Jun 4 15:21:25 UTC 2013


On Tue, 2013-06-04 at 11:21 +0100, Rory Campbell-Lange wrote: 
> On 03/06/13, Serge Hallyn (serge.hallyn at ubuntu.com) wrote:
> > Quoting Rory Campbell-Lange (rory at campbell-lange.net):
> > > On 04/06/13, Papp Tamas (tompos at martos.bme.hu) wrote:
> > > > 
> > > > What is the IP address of the container?
> > > 
> > > The host is on aa.bb.cc.103 (a public net address)
> > > and the container is on aa.bb.cc.87.
> > > 
> > > I can get from 87 to 103, but I can't ping the gateway from the
> > > container.
> > 
> > Hm, here's an idea.  Lxc sets /proc/sys/net/ipv4/conf/$link/forwarding.
> > Perhaps that isn't enough.  You might echo 1 >
> > /proc/sys/net/ipv4/conf/eth0/forwarding and
> > /proc/sys/net/ipv4/ip_forward.
> > 
> > But,
> > 
> > 1. what does 'route -n' in the container (and on the host) show?
> > 
> > 2. when you ping the ip address of your router, what does traceroute
> > (wireshark, whatever) on the host show?

> Hi Serge

> Thanks very much for your email.

> Going through the steps above showed me I had a firewall problem. Dropping the
> firewall allowed the container to hit the internet. Apologies for this beginner
> problem.

> I'd be grateful to know if anyone has some firewall (iptables) advice for
> allowing traffic to the container? I expect to run another firewall on the
> container itself.

That's probably your FORWARD chain there.  Set that policy to ACCEPT and
flush all the rules from the FORWARD chain like this:

iptables -P FORWARD ACCEPT
iptables -F FORWARD

The FORWARD chain is going to affect packets forwarded over the host's
bridge to the containers.  The INPUT and OUTPUT chains will affect the
packets coming in and going out from the local host's OS interfaces.

Depending on your distro, track down your persistent rule storage and
make those changes permanent.  Fedora prior to firewalld (here we go
again), RedHat, and RH derivatives (CentOS et al) are generally
in /etc/sysconfig/iptables unless you've also installed one of the
sundry firewall toolkits.  Ubuntu, I'm not so sure about.

> Regards
> Rory
> 
> -- 
> Rory Campbell-Lange
> rory at campbell-lange.net
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
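
A narrower variant of the FORWARD-chain change described above, added here as an example and not part of the original message: instead of accepting all forwarded traffic, it prints iptables commands that admit only one container's traffic and then set the FORWARD policy to DROP. The address 192.0.2.87 and TCP ports 22 and 443 are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables commands that scope the
# FORWARD chain to one container instead of accepting everything.
# 192.0.2.87 and ports 22/443 below are constructed sample values.

# valid_ipv4 ADDR: succeed only for a dotted-quad address, octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# forward_rules CONTAINER_IP [TCP_PORT...]: print the commands for review.
forward_rules() {
    ip=$1
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    shift
    for port in "$@"; do          # validate every port before printing anything
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad port: $port" >&2; return 1; }
    done
    echo "iptables -F FORWARD"
    # Replies belonging to flows that an earlier rule already admitted
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Whatever the container itself initiates
    echo "iptables -A FORWARD -s $ip -j ACCEPT"
    # Ping to the container
    echo "iptables -A FORWARD -d $ip -p icmp --icmp-type echo-request -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A FORWARD -d $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policy goes last so the accept rules are in place before the default changes
    echo "iptables -P FORWARD DROP"
}

# Running the file directly prints the commands for the sample container.
forward_rules 192.0.2.87 22 443
```

Review the printed commands before running them as root on the host, then make the result persistent in your distro's rule storage.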