[Lxc-users] Network Connectivity problem

Nuno Seita[EmergeIT] nuno.seita at emerge.pt
Tue Mar 5 10:38:09 UTC 2013


I believe that your problem is the --to-ports rules.
For simple masquerading you just need the third rule.
I'm no expert, but I think your rules are a bit messy.



On 05-03-2013 08:30, alvaro miranda wrote:
> This is the iptables setup from LXC in OL6.4 channel
>
> [root at ol6hostlxc ~]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Tue Mar  5 21:27:37 2013
> *nat
> :PREROUTING ACCEPT [33:5486]
> :INPUT ACCEPT [33:5486]
> :OUTPUT ACCEPT [2:144]
> :POSTROUTING ACCEPT [2:144]
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
> COMMIT
> # Completed on Tue Mar  5 21:27:37 2013
> # Generated by iptables-save v1.4.7 on Tue Mar  5 21:27:37 2013
> *mangle
> :PREROUTING ACCEPT [59:9336]
> :INPUT ACCEPT [59:9336]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:144]
> :POSTROUTING ACCEPT [2:144]
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
> COMMIT
> # Completed on Tue Mar  5 21:27:37 2013
> # Generated by iptables-save v1.4.7 on Tue Mar  5 21:27:37 2013
> *filter
> :INPUT ACCEPT [59:9336]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:144]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
> -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT 
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
> COMMIT
> # Completed on Tue Mar  5 21:27:37 2013
>
>
> On 5/03/2013, at 12:18 PM, Dwight Engen <dwight.engen at oracle.com> wrote:
>
>> On Mon, 04 Mar 2013 15:35:06 -0600
>> "cbulist at gmail.com" <cbulist at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>>
>>> We have a host server running Oracle Linux
>>> (2.6.39-200.24.1.el6uek.x86_64) and we created an Oracle Linux 6.2
>>> container following Oracle's docs
>>> (http://docs.oracle.com/cd/E37670_01/E37355/html/ol_config_os_containers.html).
>>> The installation process was OK and we did not have any problem. We
>>> are able to connect to it using lxc-console. The problem is that we
>>> don't have any connectivity to the public or private network from our
>>> container (we only have connectivity to our host IP address). Our
>>> host has full connectivity to both networks.
>>>
>>> These are the relevant network configuration files:
>>>
>>> Host info:
>>>
>>>     - ifcfg-eth0
>>>
>>> DEVICE="eth0"
>>> HWADDR=00:0C:29:1B:46:20
>>> ONBOOT=yes
>>> BRIDGE="virbr0"
>>> NM_CONTROLLED="no"
>>>
>>>     - ifcfg-virbr0
>>>
>>> DEVICE="virbr0"
>>> TYPE=Bridge
>>> BRIDGE_FORWARDDELAY=0
>>> NM_CONTROLLED="no"
>>> ONBOOT="yes"
>>> BOOTPROTO=static
>>> IPADDR=192.168.1.222
>>> NETMASK=255.255.255.0
>>> GATEWAY=192.168.1.1
>>> HWADDR=00:0C:29:1B:46:20
>>>
>>>
>>> Container info:
>>>
>>>     - ifcfg-eth0
>>>
>>> DEVICE=eth0
>>> BOOTPROTO="static"
>>> ONBOOT=yes
>>> HOSTNAME=ol6ctr1
>>> NM_CONTROLLED=no
>>> TYPE=Ethernet
>>> IPADDR=192.168.1.223
>>> HARDWARE=3E:E3:2D:8B:47:17
>>> NETMASK=255.255.255.0
>>>
>>>     - /etc/sysconfig/network
>>>
>>> NETWORKING=yes
>>> NETWORKING_IPV6=no
>>> GATEWAY=192.168.1.1
>>> HOSTNAME=ol6ctr1
>>>
>>>
>>> [root at ol6ctr1 ~]# route -n
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>>> 169.254.0.0     0.0.0.0         255.255.0.0     U     1007   0        0 eth0
>>>
>>>   - selinux: disabled
>>>   - iptables: stopped
>> I believe your problem is because iptables needs to not be stopped for
>> the NAT forwarding rules to work and forward your traffic.
>>
>>> I really appreciate any help about this problem.
>>>
>>> Thanks in advance!
>
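The two points raised in this thread are that a simple masquerade needs only the catch-all MASQUERADE rule (the protocol-specific --to-ports rules add nothing) and that the NAT and FORWARD rules have to actually be loaded for container traffic to leave the host. The script below is an added example, not code from the list or from LXC or libvirt: it audits an iptables-save dump for those points. The sample dump is constructed from the nat and filter rules quoted above (trailing spaces removed), and the function names, the 192.168.122.0/24 subnet and the virbr0 bridge are taken from or assumed for this thread.

```shell
#!/bin/sh
# Audit an iptables-save dump for a simple LXC/libvirt masquerade setup.
# Added example; not code from the mailing list or from any project.

# Constructed sample: the relevant nat and filter rules quoted in the thread.
SAMPLE_DUMP='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# count_masquerade_rules SUBNET DUMP: number of POSTROUTING MASQUERADE rules for SUBNET.
count_masquerade_rules() {
    printf '%s\n' "$2" | grep -c -- "-A POSTROUTING -s $1 .*-j MASQUERADE" || true
}

# count_to_ports_rules SUBNET DUMP: MASQUERADE rules for SUBNET that also pin --to-ports.
count_to_ports_rules() {
    printf '%s\n' "$2" | grep -- "-A POSTROUTING -s $1 " | grep -c -- '--to-ports' || true
}

# has_plain_masquerade SUBNET DUMP: succeeds if the catch-all rule (no -p, no --to-ports) is present.
has_plain_masquerade() {
    printf '%s\n' "$2" | grep -q -- "-A POSTROUTING -s $1 ! -d $1 -j MASQUERADE\$"
}

# forward_allows_subnet SUBNET IFACE DUMP: succeeds if FORWARD accepts SUBNET arriving on IFACE.
forward_allows_subnet() {
    printf '%s\n' "$3" | grep -q -- "-A FORWARD -s $1 -i $2 -j ACCEPT"
}

# ip_forward_enabled [FILE]: succeeds if the sysctl file holds 1.
# Defaults to the live kernel value; a file path is accepted so it can be tested offline.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# audit_dump SUBNET IFACE DUMP: print one line per finding; exit 0 when clean, 1 otherwise.
audit_dump() {
    findings=0
    if ! has_plain_masquerade "$1" "$3"; then
        echo "MISSING: no catch-all MASQUERADE rule for $1 in the nat POSTROUTING chain"
        findings=$((findings + 1))
    fi
    n=$(count_to_ports_rules "$1" "$3")
    if [ "$n" -gt 0 ]; then
        echo "REDUNDANT: $n protocol-specific MASQUERADE rule(s) with --to-ports for $1; the catch-all rule already covers this traffic"
        findings=$((findings + 1))
    fi
    if ! forward_allows_subnet "$1" "$2" "$3"; then
        echo "MISSING: FORWARD does not accept $1 arriving on $2"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone run over the constructed sample. On a live host, pass "$(iptables-save)"
# instead of SAMPLE_DUMP; an empty dump (iptables stopped) reports both rules missing.
if audit_dump 192.168.122.0/24 virbr0 "$SAMPLE_DUMP"; then
    echo "nat/filter rules look complete for 192.168.122.0/24 via virbr0"
else
    echo "review the findings above"
fi
```

On the quoted dump the audit reports only the two redundant --to-ports rules, which is the point Nuno makes: the third rule alone masquerades everything. Running it against an empty dump, which is what `iptables-save` returns on a host where the service is stopped, reports both the MASQUERADE and the FORWARD rule as missing, which is Dwight's point. The `ip_forward_enabled` check covers the remaining prerequisite for forwarding, `net.ipv4.ip_forward=1`, which none of the dumps can show.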