[lxc-users] No outgoing traffic with bridged network and public IP address from container

othiman othiman at gmx.de
Thu Sep 11 11:06:09 UTC 2014


Hi,

when binding the 91.143.88.119 address directly to an aliasing interface 
of the host (br0:0), pinging inside and outside to the host works 
correctly.

Thomas


On 11.09.2014 13:01, Tamas Papp wrote:
> hi,
>
> Is it allowed by your provider?
>
> tamas
>
> On 09/11/2014 12:46 PM, othiman wrote:
>> Hi Andreas, hi tamas,
>>
>> thanks for your fast answers. I removed the IP settings from the 
>> config, but that was obviously not the problem.
>>
>> I cannot ping the gateway from inside of the container:
>> ubuntu@ubuntu-test:~$ ping 91.143.88.1
>> PING 91.143.88.1 (91.143.88.1) 56(84) bytes of data.
>> ^C
>> --- 91.143.88.1 ping statistics ---
>> 4 packets transmitted, 0 received, 100% packet loss, time 3023ms
>>
>> Meanwhile I used "tcpdump -i eth0 -v icmp -n" on the host to look at 
>> the ICMP packets (because there is a lot of other traffic on that 
>> device).
>>
>> tcpdump: WARNING: eth0: no IPv4 address assigned
>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 11:46:27.181917 IP (tos 0x0, ttl 244, id 28226, offset 0, flags [none], proto ICMP (1), length 84)
>>     176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 31682, length 64
>> 11:46:27.401801 IP (tos 0x0, ttl 64, id 48628, offset 0, flags [DF], proto ICMP (1), length 84)
>>     91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 1, length 64
>> 11:46:28.409373 IP (tos 0x0, ttl 64, id 48629, offset 0, flags [DF], proto ICMP (1), length 84)
>>     91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 2, length 64
>> 11:46:29.417370 IP (tos 0x0, ttl 64, id 48630, offset 0, flags [DF], proto ICMP (1), length 84)
>>     91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 3, length 64
>> 11:46:30.425366 IP (tos 0x0, ttl 64, id 48631, offset 0, flags [DF], proto ICMP (1), length 84)
>>     91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 4, length 64
>> 11:46:31.383279 IP (tos 0x0, ttl 244, id 29380, offset 0, flags [none], proto ICMP (1), length 84)
>>     176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 32673, length 64
>> ^C
>> 6 packets captured
>> 6 packets received by filter
>> 0 packets dropped by kernel
>>
>>
>> So it looks like the packets are going out, but there is no answer 
>> coming back. So I tried Andreas' hint. I called (in the container)
>>
>> ubuntu@ubuntu-test:~$ sudo ./arping -I eth0 -u 91.143.88.119 -c4
>> ARPING 91.143.88.119
>>
>> --- 91.143.88.119 statistics ---
>> 4 packets transmitted, 0 packets received, 100% unanswered (0 extra)
>>
>> But still no answers from the gateway :-(
>>
>> Best regards,
>> Thomas
>>
>> On 11.09.2014 11:20, Andreas Laut wrote:
>>> We face this problem very often.
>>>
>>> You can try to ping the Host IP and after that the gateway IP from
>>> inside the container.
>>> If that doesn't work you'll have to send arpings from inside the 
>>> container:
>>> arping -I [lxc-interfacename] -U 91.143.88.119 -c4 (arping from iputils package)
>>>
>>> After that you'll get the following output:
>>> Sent 4 probes (4 broadcast(s))
>>> Received 0 response(s)
>>>
>>> 0 responses are ok. Try to ping again.
>>> Hope that helps.
>>>
>>> Best Regards
>>>
>>>
>>>
>>> On 11.09.2014 at 11:05, othiman wrote:
>>>> Hi everyone,
>>>>
>>>> I already posted this to askubuntu.com
>>>> (http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
>>>> but I think this might be a better place to find help.
>>>>
>>>> I am trying to set up an LXC container with bridged network on ubuntu 14.04.1,
>>>> but the outgoing traffic seems to be blocked. Pinging an IP other than the
>>>> container's own is not working. Actually I tried this with a working
>>>> container of a ubuntu 12.04 host moved to new hardware and a recent
>>>> ubuntu 14.04, but the problem also applies to a newly created ubuntu
>>>> 14.04 container.
>>>>
>>>> I should mention that if I bind the IP address to an aliasing
>>>> interface of the host directly, pinging inside and outside to the host
>>>> is working correctly.
>>>>
>>>> I hope someone has an idea what I am doing wrong.
>>>>
>>>>
>>>> I created the new container with:
>>>>      lxc-create -t ubuntu -n ubuntu-test
>>>>
>>>>
>>>> This is my config file:
>>>>      # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
>>>>      # Parameters passed to the template: -r trusty
>>>>      # For additional config options, please look at lxc.container.conf(5)
>>>>
>>>>      # Common configuration
>>>>      lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>>>>
>>>>      # Container specific configuration
>>>>      lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
>>>>      lxc.mount = /var/lib/lxc/ubuntu-test/fstab
>>>>      lxc.utsname = ubuntu-test
>>>>      lxc.arch = amd64
>>>>
>>>>      # Network configuration
>>>>      lxc.network.type = veth
>>>>      lxc.network.flags = up
>>>>      lxc.network.link = br0
>>>>      lxc.network.hwaddr = 00:16:3e:6c:7c:79
>>>>      lxc.network.ipv4=91.143.88.119/24
>>>>      lxc.network.ipv4.gateway=91.143.88.1
>>>>      lxc.network.name=eth0
>>>>
>>>>
>>>> My '/etc/network/interfaces' on the host:
>>>>      auto lo
>>>>      iface lo inet loopback
>>>>
>>>>      auto br0
>>>>      iface br0 inet static
>>>>          address 81.7.15.233
>>>>          netmask 255.255.255.0
>>>>          broadcast 81.7.15.255
>>>>          gateway 81.7.15.1
>>>>          bridge_ports eth0
>>>>          bridge_fd 0
>>>>          bridge_stp off
>>>>          bridge_waitport 0
>>>>          bridge_maxwait 0
>>>>
>>>>
>>>> and on the client:
>>>>      auto lo
>>>>      iface lo inet loopback
>>>>
>>>>      auto eth0
>>>>      iface eth0 inet static
>>>>          address 91.143.88.119
>>>>          netmask 255.255.255.0
>>>>          broadcast 91.143.88.255
>>>>          gateway 91.143.88.1
>>>>
>>>>
>>>> IP forwarding is enabled:
>>>>      cat /proc/sys/net/ipv4/ip_forward
>>>>      1
>>>>
>>>>
>>>> 'iptables-save' shows
>>>>      # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
>>>>      *mangle
>>>>      :PREROUTING ACCEPT [20035:4192692]
>>>>      :INPUT ACCEPT [7193:3225426]
>>>>      :FORWARD ACCEPT [2677:191017]
>>>>      :OUTPUT ACCEPT [381:36624]
>>>>      :POSTROUTING ACCEPT [3058:227641]
>>>>      -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
>>>>      COMMIT
>>>>      # Completed on Wed Sep 10 18:26:23 2014
>>>>      # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
>>>>      *nat
>>>>      :PREROUTING ACCEPT [10474:819973]
>>>>      :INPUT ACCEPT [282:41644]
>>>>      :OUTPUT ACCEPT [7:537]
>>>>      :POSTROUTING ACCEPT [57:4274]
>>>>      -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
>>>>      COMMIT
>>>>      # Completed on Wed Sep 10 18:26:23 2014
>>>>      # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
>>>>      *filter
>>>>      :INPUT ACCEPT [7193:3225426]
>>>>      :FORWARD ACCEPT [2677:191017]
>>>>      :OUTPUT ACCEPT [381:36624]
>>>>      -A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
>>>>      -A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
>>>>      -A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
>>>>      -A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
>>>>      -A FORWARD -o lxcbr0 -j ACCEPT
>>>>      -A FORWARD -i lxcbr0 -j ACCEPT
>>>>      COMMIT
>>>>      # Completed on Wed Sep 10 18:26:23 2014
>>>>
>>>>
>>>> output of 'brctl show':
>>>>      bridge name    bridge id        STP enabled interfaces
>>>>      br0            8000.0025905700f8    no        eth0
>>>>                                              vethRTX30H
>>>>      lxcbr0        8000.000000000000    no
>>>>
>>>>
>>>> My host's 'ifconfig':
>>>>      br0       Link encap:Ethernet  Hardware Adresse 00:25:90:57:00:f8
>>>>            inet Adresse:81.7.15.233  Bcast:81.7.15.255  Maske:255.255.255.0
>>>>            inet6-Adresse: fe80::225:90ff:fe57:f8/64 Gültigkeitsbereich:Verbindung
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500 Metrik:1
>>>>            RX-Pakete:128248 Fehler:0 Verloren:15 Überläufe:0 Fenster:0
>>>>            TX-Pakete:3835 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:0
>>>>            RX-Bytes:11076138 (11.0 MB)  TX-Bytes:343557 (343.5 KB)
>>>>
>>>>      eth0      Link encap:Ethernet  Hardware Adresse 00:25:90:57:00:f8
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500 Metrik:1
>>>>            RX-Pakete:129421 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>>>>            TX-Pakete:4046 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:1000
>>>>            RX-Bytes:13510902 (13.5 MB)  TX-Bytes:449527 (449.5 KB)
>>>>            Interrupt:16 Speicher:fb900000-fb920000
>>>>
>>>>      lo        Link encap:Lokale Schleife
>>>>            inet Adresse:127.0.0.1  Maske:255.0.0.0
>>>>            inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
>>>>            UP LOOPBACK RUNNING  MTU:65536  Metrik:1
>>>>            RX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>>>>            TX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:0
>>>>            RX-Bytes:176 (176.0 B)  TX-Bytes:176 (176.0 B)
>>>>
>>>>      lxcbr0    Link encap:Ethernet  Hardware Adresse ae:2c:57:c2:f0:24
>>>>            inet Adresse:10.0.3.1  Bcast:10.0.3.255 Maske:255.255.255.0
>>>>            inet6-Adresse: fe80::ac2c:57ff:fec2:f024/64 Gültigkeitsbereich:Verbindung
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500 Metrik:1
>>>>            RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>>>>            TX-Pakete:8 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:0
>>>>            RX-Bytes:0 (0.0 B)  TX-Bytes:648 (648.0 B)
>>>>
>>>>      vethRTX30H Link encap:Ethernet  Hardware Adresse fe:97:2b:8e:90:8a
>>>>            inet6-Adresse: fe80::fc97:2bff:fe8e:908a/64 Gültigkeitsbereich:Verbindung
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500 Metrik:1
>>>>            RX-Pakete:39 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>>>>            TX-Pakete:14826 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:1000
>>>>            RX-Bytes:3282 (3.2 KB)  TX-Bytes:1466740 (1.4 MB)
>>>>
>>>>
>>>> My container's 'ifconfig'
>>>>      eth0      Link encap:Ethernet  Hardware Adresse 00:16:3e:6c:7c:79
>>>>            inet Adresse:91.143.88.119  Bcast:91.143.88.255  Maske:255.255.255.0
>>>>            inet6-Adresse: fe80::216:3eff:fe6c:7c79/64 Gültigkeitsbereich:Verbindung
>>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500 Metrik:1
>>>>            RX-Pakete:20082 Fehler:0 Verloren:2 Überläufe:0 Fenster:0
>>>>            TX-Pakete:40 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:1000
>>>>            RX-Bytes:2005479 (2.0 MB)  TX-Bytes:3368 (3.3 KB)
>>>>
>>>>      lo        Link encap:Lokale Schleife
>>>>            inet Adresse:127.0.0.1  Maske:255.0.0.0
>>>>            inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
>>>>            UP LOOPBACK RUNNING  MTU:65536  Metrik:1
>>>>            RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>>>>            TX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>>>>            Kollisionen:0 Sendewarteschlangenlänge:0
>>>>            RX-Bytes:0 (0.0 B)  TX-Bytes:0 (0.0 B)
>>>>
>>>>
>>>> 'tail /proc/sys/net/bridge/*' on the host
>>>>      ==> /proc/sys/net/bridge/bridge-nf-call-arptables <==
>>>>      0
>>>>
>>>>      ==> /proc/sys/net/bridge/bridge-nf-call-ip6tables <==
>>>>      0
>>>>
>>>>      ==> /proc/sys/net/bridge/bridge-nf-call-iptables <==
>>>>      0
>>>>
>>>>      ==> /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged <==
>>>>      0
>>>>
>>>>      ==> /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged <==
>>>>      0
>>>>
>>>>      ==> /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev <==
>>>>      0
>>>>
>>>>
>>>> finally 'ping 8.8.8.8' in the container:
>>>>      PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>>>>      ^C
>>>>      --- 8.8.8.8 ping statistics ---
>>>>      3 packets transmitted, 0 received, 100% packet loss, time 2015ms
>>>>
>>>> Best regards,
>>>> Thomas
>>>> _______________________________________________
>>>> lxc-users mailing list
>>>> lxc-users at lists.linuxcontainers.org
>>>> http://lists.linuxcontainers.org/listinfo/lxc-users
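
The capture in the thread was read by eye: echo requests leave eth0 and no replies come back. The script below is an added example, not part of the thread, that does the same tally per flow from `tcpdump -v -n icmp` text; the function names and the 81.7.15.233 sample flow are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally ICMP echo requests and replies
# per flow from `tcpdump -v -n icmp` text and list flows left unanswered.

# Constructed sample. The first two flows reuse addresses from the capture
# in the thread; the 81.7.15.233 flow is invented to show an answered ping.
sample_capture() {
cat <<'EOF'
11:46:27.181917 IP (tos 0x0, ttl 244, id 28226, offset 0, flags [none], proto ICMP (1), length 84)
    176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 31682, length 64
11:46:27.401801 IP (tos 0x0, ttl 64, id 48628, offset 0, flags [DF], proto ICMP (1), length 84)
    91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 1, length 64
11:46:28.409373 IP (tos 0x0, ttl 64, id 48629, offset 0, flags [DF], proto ICMP (1), length 84)
    91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 2, length 64
11:46:29.000001 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto ICMP (1), length 84)
    81.7.15.233 > 81.7.15.1: ICMP echo request, id 500, seq 1, length 64
11:46:29.000900 IP (tos 0x0, ttl 255, id 200, offset 0, flags [none], proto ICMP (1), length 84)
    81.7.15.1 > 81.7.15.233: ICMP echo reply, id 500, seq 1, length 64
11:46:29.417370 IP (tos 0x0, ttl 64, id 48630, offset 0, flags [DF], proto ICMP (1), length 84)
    91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 3, length 64
11:46:30.425366 IP (tos 0x0, ttl 64, id 48631, offset 0, flags [DF], proto ICMP (1), length 84)
    91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 4, length 64
11:46:31.383279 IP (tos 0x0, ttl 244, id 29380, offset 0, flags [none], proto ICMP (1), length 84)
    176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 32673, length 64
EOF
}

# Reads tcpdump text on stdin and prints "src dst requests replies" for each
# flow that sent more echo requests than it saw echo replies come back.
unanswered_flows() {
    awk '
    / > .*: ICMP echo (request|reply)/ {
        for (i = 1; i <= NF; i++) if ($i == ">") break
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        if ($(i + 4) == "request,") req[src " " dst]++
        else rep[dst " " src]++   # a reply is credited to the reverse flow
    }
    END {
        for (f in req) if (rep[f] + 0 < req[f]) print f, req[f], rep[f] + 0
    }' | sort
}

sample_capture | unanswered_flows
```

The tally only covers what crosses the captured interface, so running it on both the bridge and the physical port shows at which hop replies stop appearing.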


