[lxc-users] lxd host can not access container via domain

Benjamin Asbach lxd at impl.it
Sat Sep 2 22:36:18 UTC 2017


On 2017-09-02 06:13, Mike Wright wrote: 

> On 09/01/2017 07:02 PM, Benjamin Asbach wrote:
> Hi there,
> 
> I have some problems connecting to my containers via my public domain from the host itself. I'm using a bridged network created with lxc network. The setup looks like this:
> 
> remote -> domain.com -> host -> container1 (nginx) -> container2 (app)
> 
> When I curl from a remote location this works quite fine:
> 
> curl https://sub.domain.com
> <html></html>%
> But when I'm doing the same from the host itself:
> 
> curl https://sub.domain.com
> curl: (7) Failed to connect to sub.domain.com port 443: Connection refused
> I'm a little bit confused why this happens. I thought it might be connected to iptables. But the rules look good to me:
> 
> iptables-save
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *nat
> :PREROUTING ACCEPT [138088:14417714]
> :INPUT ACCEPT [51357:4468554]
> :OUTPUT ACCEPT [8593:788743]
> :POSTROUTING ACCEPT [8445:711271]
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.187:80
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.187:443
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 10.0.4.116:8022
> -A POSTROUTING -s 10.0.4.0/24 ! -d 10.0.4.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
> COMMIT
> # Completed on Sat Sep 2 02:24:33 2017
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *mangle
> :PREROUTING ACCEPT [293993:48599155]
> :INPUT ACCEPT [188065:31562883]
> :FORWARD ACCEPT [19475:7104838]
> :OUTPUT ACCEPT [124159:16994042]
> :POSTROUTING ACCEPT [147110:24355452]
> -A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Sep 2 02:24:33 2017
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *filter
> :INPUT ACCEPT [449:65419]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [274:37570]
> -A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
> COMMIT
> # Completed on Sat Sep 2 02:24:33 2017
> Might the issue be related to the bridged network, or do you have any ideas what's causing the problem?

Hi Benjamin, I'll give this a stab.

Does the host have an address on the bridge?  To test, give it one. 
If it works make sure to add iptables rules so the host only accepts
EST,REL traffic from the bridge guests (barbarians at the gates, etc).

If you don't want the host to have a bridge address you'll have to set
up some other method such as NAT like you did for traffic coming in on
ens18.

Good luck,
Mike Wright 
Hi Mike,

thanks for your reply! I checked that the adapter has an address: 

ip addr
2: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP group default qlen 1000
    link/ether fe:06:96:f6:16:da brd ff:ff:ff:ff:ff:ff
    inet 10.0.4.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c98:e8ff:fe13:66e3/64 scope link 
       valid_lft forever preferred_lft forever

I tried to find some information on what you meant, but currently I'm a
little bit confused about how to apply these ESTABLISHED and RELATED rules
in iptables. Would you mind going into a little bit more detail on that?

Thanks 
Benjamin
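The thread stops before anyone writes the rules down, so here is an added example (not from Benjamin's or Mike's messages) that covers both of Mike's points. It assumes Benjamin's addressing (lxdbr0 at 10.0.4.1/24, the nginx container at 10.0.4.187, ports 80 and 443) and uses 203.0.113.10 as a placeholder for the public address on ens18. The connection-refused symptom has a concrete cause the listing already shows: the DNAT rules live in nat PREROUTING with `-i ens18`, and packets the host generates itself never pass through PREROUTING (they go through nat OUTPUT), so curl on the host lands on its own closed port 443. The script mirrors the redirect in nat OUTPUT and then adds the ESTABLISHED,RELATED accept plus a DROP for everything else arriving from the bridge.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread. Assumes Benjamin's layout:
#   bridge lxdbr0 (host side 10.0.4.1/24), nginx container 10.0.4.187 on 80/443.
# PUBLIC_IP is a placeholder (TEST-NET-3); replace it with the address on ens18.
set -eu

BR_IF=${BR_IF:-lxdbr0}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
WEB_CT=${WEB_CT:-10.0.4.187}
IPT=${IPT:-iptables}   # IPT=echo prints the commands instead of applying them

# Locally generated traffic never traverses nat PREROUTING, so the existing
# "-i ens18 ... -j DNAT" rules are skipped and curl on the host hits the host's
# own closed port 443 ("Connection refused"). Repeat the redirect in nat OUTPUT:
# the packet is re-routed onto the bridge and conntrack reverses the reply.
host_dnat_rules() {
  for port in 80 443; do
    printf '%s\n' "-t nat -A OUTPUT -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $WEB_CT:$port"
  done
}

# Mike's "barbarians at the gates" rule: the host answers guests only on
# connections that already exist (opened by the host, or DNAT'd clients).
# LXD's own accepts for DNS/DHCP (53/67 on lxdbr0) are already in INPUT and
# -A appends after them, so dnsmasq keeps working; anything else the guests
# send to the host itself is dropped.
bridge_ingress_rules() {
  printf '%s\n' "-A INPUT -i $BR_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "-A INPUT -i $BR_IF -j DROP"
}

# Feed each rule to $IPT; word-splitting of the rule string is intended.
apply_rules() {
  { host_dnat_rules; bridge_ingress_rules; } | while read -r rule; do
    # shellcheck disable=SC2086
    $IPT $rule
  done
}

case "${1:-}" in
  show)  IPT=echo apply_rules ;;   # dry run: print the iptables commands
  apply) apply_rules ;;            # needs root
esac
```

Run it with `show` first to review the four commands, then `apply` as root, and check `iptables -S INPUT` afterwards to confirm that LXD's port 53/67 accepts still sit above the DROP (re-check after LXD restarts the network, since it manages its own rules). The rules are not persistent; save them with your distribution's usual mechanism. If all you need is the host reaching nginx, an `/etc/hosts` entry mapping sub.domain.com to 10.0.4.187 on the host avoids the NAT hairpin entirely and still presents the right hostname to TLS.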