[lxc-users] No outgoing traffic with bridged network and public IP address from container
othiman
othiman at gmx.de
Thu Sep 11 09:05:32 UTC 2014
Hi everyone,
I already posted this to askubuntu.com
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
but I think this might be a better place to find help.
I am trying to set up an LXC container with bridged networking on Ubuntu 14.04.1,
but the outgoing traffic seems to be blocked. Pinging any IP other than the
container's own is not working. Actually, I tried this with a working
container from an Ubuntu 12.04 host, moved to new hardware and a recent
Ubuntu 14.04, but the problem also applies to a newly created Ubuntu 14.04
container.
I should mention that if I bind the IP address to an aliasing interface
of the host directly, pinging inside and outside to the host is working
correctly.
I hope someone has an idea what I am doing wrong.
I created the new container with:
lxc-create -t ubuntu -n ubuntu-test
This is my config file:
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: -r trusty
# For additional config options, please look at lxc.container.conf(5)
# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
# Container specific configuration
lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
lxc.mount = /var/lib/lxc/ubuntu-test/fstab
lxc.utsname = ubuntu-test
lxc.arch = amd64
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3e:6c:7c:79
lxc.network.ipv4=91.143.88.119/24
lxc.network.ipv4.gateway=91.143.88.1
lxc.network.name=eth0
My '/etc/network/interfaces' on the host:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 81.7.15.233
netmask 255.255.255.0
broadcast 81.7.15.255
gateway 81.7.15.1
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_waitport 0
bridge_maxwait 0
and on the client:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 91.143.88.119
netmask 255.255.255.0
broadcast 91.143.88.255
gateway 91.143.88.1
IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
1
'iptables-save' shows
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*mangle
:PREROUTING ACCEPT [20035:4192692]
:INPUT ACCEPT [7193:3225426]
:FORWARD ACCEPT [2677:191017]
:OUTPUT ACCEPT [381:36624]
:POSTROUTING ACCEPT [3058:227641]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Sep 10 18:26:23 2014
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*nat
:PREROUTING ACCEPT [10474:819973]
:INPUT ACCEPT [282:41644]
:OUTPUT ACCEPT [7:537]
:POSTROUTING ACCEPT [57:4274]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Sep 10 18:26:23 2014
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*filter
:INPUT ACCEPT [7193:3225426]
:FORWARD ACCEPT [2677:191017]
:OUTPUT ACCEPT [381:36624]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
COMMIT
# Completed on Wed Sep 10 18:26:23 2014
output of 'brctl show':
bridge name     bridge id               STP enabled     interfaces
br0             8000.0025905700f8       no              eth0
                                                        vethRTX30H
lxcbr0          8000.000000000000       no
My host's 'ifconfig':
br0 Link encap:Ethernet Hardware Adresse 00:25:90:57:00:f8
inet Adresse:81.7.15.233 Bcast:81.7.15.255 Maske:255.255.255.0
inet6-Adresse: fe80::225:90ff:fe57:f8/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:128248 Fehler:0 Verloren:15 Überläufe:0 Fenster:0
TX-Pakete:3835 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX-Bytes:11076138 (11.0 MB) TX-Bytes:343557 (343.5 KB)
eth0 Link encap:Ethernet Hardware Adresse 00:25:90:57:00:f8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:129421 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:4046 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX-Bytes:13510902 (13.5 MB) TX-Bytes:449527 (449.5 KB)
Interrupt:16 Speicher:fb900000-fb920000
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX-Bytes:176 (176.0 B) TX-Bytes:176 (176.0 B)
lxcbr0 Link encap:Ethernet Hardware Adresse ae:2c:57:c2:f0:24
inet Adresse:10.0.3.1 Bcast:10.0.3.255 Maske:255.255.255.0
inet6-Adresse: fe80::ac2c:57ff:fec2:f024/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:8 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX-Bytes:0 (0.0 B) TX-Bytes:648 (648.0 B)
vethRTX30H Link encap:Ethernet Hardware Adresse fe:97:2b:8e:90:8a
inet6-Adresse: fe80::fc97:2bff:fe8e:908a/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:39 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:14826 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX-Bytes:3282 (3.2 KB) TX-Bytes:1466740 (1.4 MB)
My container's 'ifconfig'
eth0 Link encap:Ethernet Hardware Adresse 00:16:3e:6c:7c:79
inet Adresse:91.143.88.119 Bcast:91.143.88.255 Maske:255.255.255.0
inet6-Adresse: fe80::216:3eff:fe6c:7c79/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:20082 Fehler:0 Verloren:2 Überläufe:0 Fenster:0
TX-Pakete:40 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX-Bytes:2005479 (2.0 MB) TX-Bytes:3368 (3.3 KB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX-Bytes:0 (0.0 B) TX-Bytes:0 (0.0 B)
'tail /proc/sys/net/bridge/*' on the host
==> /proc/sys/net/bridge/bridge-nf-call-arptables <==
0
==> /proc/sys/net/bridge/bridge-nf-call-ip6tables <==
0
==> /proc/sys/net/bridge/bridge-nf-call-iptables <==
0
==> /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged <==
0
==> /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged <==
0
==> /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev <==
0
Finally, 'ping 8.8.8.8' in the container:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
Best regards,
Thomas