[lxc-users] lxd host can not access container via domain

Mike Wright nobody at nospam.hostisimo.com
Sat Sep 2 04:13:50 UTC 2017


On 09/01/2017 07:02 PM, Benjamin Asbach wrote:
> Hi there,
> 
> I've some problems with connecting to my containers via my public domain 
> from the host itself. I'm using bridged network by lxc network. The 
> setup looks like this
> 
> remote -> domain.com -> host -> container1 (nginx) -> container2 (app)
> 
> When I curl from a remote location this works quite fine:
> 
>> curl https://sub.domain.com
>> <html></html>%
>>
> But when I'm doing the same from the host itself:
> 
>> curl https://sub.domain.com
>> curl: (7) Failed to connect to sub.domain.com port 443: Connection refused
>>
> I'm a little bit confused why this happens. I thought it might be 
> connected to iptables. But the rules look good to me:
> 
>> iptables-save
>> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
>> *nat
>> :PREROUTING ACCEPT [138088:14417714]
>> :INPUT ACCEPT [51357:4468554]
>> :OUTPUT ACCEPT [8593:788743]
>> :POSTROUTING ACCEPT [8445:711271]
>> -A PREROUTING -i ens18 -p tcp -m tcp --dport 80 -j DNAT 
>> --to-destination 10.0.4.187:80
>> -A PREROUTING -i ens18 -p tcp -m tcp --dport 443 -j DNAT 
>> --to-destination 10.0.4.187:443
>> -A PREROUTING -i ens18 -p tcp -m tcp --dport 8022 -j DNAT 
>> --to-destination 10.0.4.116:8022
>> -A POSTROUTING -s 10.0.4.0/24 ! -d 10.0.4.0/24 -m comment --comment 
>> "generated for LXD network lxdbr0" -j MASQUERADE
>> COMMIT
>> # Completed on Sat Sep 2 02:24:33 2017
>> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
>> *mangle
>> :PREROUTING ACCEPT [293993:48599155]
>> :INPUT ACCEPT [188065:31562883]
>> :FORWARD ACCEPT [19475:7104838]
>> :OUTPUT ACCEPT [124159:16994042]
>> :POSTROUTING ACCEPT [147110:24355452]
>> -A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment 
>> "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
>> COMMIT
>> # Completed on Sat Sep 2 02:24:33 2017
>> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
>> *filter
>> :INPUT ACCEPT [449:65419]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [274:37570]
>> -A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> -A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> -A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> -A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network 
>> lxdbr0" -j ACCEPT
>> -A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network 
>> lxdbr0" -j ACCEPT
>> -A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment 
>> "generated for LXD network lxdbr0" -j ACCEPT
>> COMMIT
>> # Completed on Sat Sep 2 02:24:33 2017
>>
> Might the issue be related to the bridged network, or do you have any ideas 
> what's causing the problem?!

Hi Benjamin, I'll give this a stab.

Does the host have an address on the bridge?  To test, give it one.  If 
it works make sure to add iptables rules so the host only accepts 
EST,REL traffic from the bridge guests (barbarians at the gates, etc).

If you don't want the host to have a bridge address you'll have to set 
up some other method such as NAT like you did for traffic coming in on 
ens18.

Good luck,
Mike Wright
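A dry-run script for the two things Mike suggests (a NAT rule for host-originated traffic, and letting the host accept only established/related traffic from bridge guests), added here as an example and not part of the thread. ens18, lxdbr0 and 10.0.4.187 come from Benjamin's rules; PUBLIC_IP is a placeholder for the host's address on ens18. The point it encodes: the existing DNAT rules live in nat/PREROUTING with `-i ens18`, a chain locally generated packets never traverse, so a curl on the host lands on the host's own closed port 443; host-originated packets pass nat/OUTPUT instead.

```shell
#!/bin/sh
# Constructed example. IPT defaults to "echo" so the script only prints the
# commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder (TEST-NET-3), not from the thread
CONTAINER1=10.0.4.187                    # nginx container from Benjamin's rules
BRIDGE=lxdbr0

# Locally generated packets skip nat/PREROUTING, so the "-i ens18 ... -j DNAT"
# rules cannot match a curl run on the host. The same redirect in nat/OUTPUT
# does; conntrack then un-DNATs the container's replies on the way back.
host_dnat_rules() {
    for port in 80 443; do
        $IPT -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$CONTAINER1:$port"
    done
}

# Filter INPUT currently defaults to ACCEPT, so a container that is
# compromised can reach every service listening on the host. LXD's own
# DNS/DHCP accepts are already in place; after them, accept only replies
# to host-initiated traffic and drop anything else arriving from the bridge.
guest_ingress_rules() {
    $IPT -A INPUT -i "$BRIDGE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$BRIDGE" -j DROP
}

apply_all() {
    host_dnat_rules
    guest_ingress_rules
}

apply_all
```

Ordering matters: the DROP rule is appended last, so LXD's rules for ports 53 and 67 on lxdbr0 keep working.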

