[lxc-users] LXC NAT failing to forward

CDR venefax at gmail.com
Sat May 3 15:52:45 UTC 2014


Dear friends,
I got stuck in the simplest part.
First I tried libvirt, using the default network, which works fine
in virtual machines.
I created a libvirt-LXC container, and I can ping the host, DHCP
works, etc., but there is no forwarding to the network.
A pure LXC container with this network failed.

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = virbr0
lxc.network.ipv4 = 0.0.0.0/24

Then I removed that network, undefined it, and created an empty
bridge, br0, and set up a simple iptables script. Note, I am not using
any firewall for my box, only for natting.

#!/bin/sh
iptables -F
iptables -t nat -F

iptables --table nat -o eth1 --append POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
iptables -A FORWARD -i br0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-save

The container can ping the default gateway at 192.168.122.1, but
again, no forwarding is done.

My kernel has this configuration:


sysctl -A | grep bridge

net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-pass-vlan-input-dev = 0

sysctl -A | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br0.forwarding = 1
net.ipv4.conf.br0.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.virbr0-nic.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0


Can anybody point to what is happening?

Note: in the pure LXC configuration, it works fine if I use
lxc.network.type=macvlan
lxc.network.macvlan.mode=bridge
lxc.network.link=eth1
lxc.network.flags=up


Yours
Philip
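
An added example, not part of the original message: a small checker that reads iptables-save output and reports whether routed, masqueraded traffic from the bridge to the uplink is covered by the FORWARD chain. The sample ruleset is constructed from the script in the post, and its FORWARD policy of DROP is an assumption, since the post does not show the chain policy (iptables -F flushes rules but leaves policies unchanged).

```shell
#!/bin/sh
# Added example. SAMPLE is constructed: iptables-save output as the script in the
# post would leave it, with an ASSUMED FORWARD policy of DROP (not shown in the post).
SAMPLE='*nat
-A POSTROUTING -s 192.168.122.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i br0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# forward_policy RULES: default policy of the filter table's FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*/ {t=$1} t=="*filter" && $1==":FORWARD" {print $2}'
}

# accepts RULES IN OUT STATE: "yes" if a FORWARD ACCEPT rule covers packets in
# conntrack STATE going IN -> OUT. No -i/-o or no state match means wildcard.
# Heuristic: -s/-d matches and DROP/REJECT rules are not evaluated.
accepts() {
    printf '%s\n' "$1" | awk -v i="$2" -v o="$3" -v s="$4" '
        /^\*/ {t=$1}
        t=="*filter" && $1=="-A" && $2=="FORWARD" && / -j ACCEPT/ {
            l=$0 " "
            if (index(l," -i ") && !index(l," -i " i " ")) next
            if (index(l," -o ") && !index(l," -o " o " ")) next
            if (l ~ / --(ct)?state / && !index(l,s)) next
            ok=1
        }
        END {print (ok ? "yes" : "no")}'
}

# masquerades RULES WAN: "yes" if nat POSTROUTING masquerades traffic leaving WAN.
masquerades() {
    printf '%s\n' "$1" | awk -v o="$2" '
        /^\*/ {t=$1}
        t=="*nat" && $2=="POSTROUTING" && / -j MASQUERADE/ && index($0 " "," -o " o " ") {ok=1}
        END {print (ok ? "yes" : "no")}'
}

# nat_verdict RULES LAN WAN: one-line finding for masqueraded LAN -> WAN traffic.
nat_verdict() {
    [ "$(masquerades "$1" "$3")" = yes ] || { echo "no MASQUERADE on $3"; return; }
    [ "$(forward_policy "$1")" = ACCEPT ] && { echo "forwarding allowed by policy"; return; }
    [ "$(accepts "$1" "$2" "$3" NEW)" = yes ] || { echo "NEW $2->$3 not accepted"; return; }
    [ "$(accepts "$1" "$3" "$2" ESTABLISHED)" = yes ] || { echo "replies $3->$2 not accepted"; return; }
    echo "forwarding allowed by rules"
}

nat_verdict "$SAMPLE" br0 eth1
```

On a live host the first argument would be the output of iptables-save, for example nat_verdict "$(iptables-save)" br0 eth1.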

