[lxc-users] Packets are FORWARDed to wrong NICs

david.trenton at clovermail.net david.trenton at clovermail.net
Sun Jun 24 16:38:49 UTC 2018


Hello,

I have made some observations, and I am not sure whether that is how it is supposed to work or whether the result is related to LXC. I would appreciate it if you could have a look at it.

I have the following LXC setup:
Physical host:
eth0 physical device on host, IP: 192.168.1.10
lxcbr0 virtual bridge on host, IP: 192.168.2.1

LXC containers:
machineA:
NIC: vethA0, IP: 192.168.2.200
NIC: vethA1, IP: 192.168.9.10
Gateway: 192.168.2.1

machineB:
NIC: vethB0, IP: 192.168.9.100
Gateway: 192.168.9.10

Neither of the containers does any filtering or routing; in fact, they do not even have iptables installed.

The host has the following iptables rules set:
iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -o lxcbr0 -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I will ping three addresses from machineB and monitor the network interfaces with tcpdump.

First I issue
# ping 192.168.9.10
PING 192.168.9.10 ...
64 bytes ...

I can see the traffic from
192.168.9.100 > 192.168.9.10

on vethA1 and vethB1 only, as one would expect.

However, when I issue
# ping 192.168.2.200
PING 192.168.2.200 ...
64 bytes ...

then again, I can see the traffic from
192.168.9.100 > 192.168.2.200

on vethA1 and vethB1 only. There is generally no traffic on vethA0, the NIC that has the target address. Just once I saw a stray packet of the ping on vethA0, out of at least a dozen sent.

My first question:
Why does vethA1 see and answer the traffic that is directed at the IP of vethA0? Remember, the containers do not have iptables installed, so I did not issue any forwarding filter rules in the containers that might explain it.

The other problem that I have is when I try to ping 'outside', e.g., 8.8.8.8:
# ping 8.8.8.8

I do not get a reply. I do, however, see the unanswered traffic from
192.168.9.100 > 8.8.8.8

on all three virtual NICs. On the physical NIC on the host I can see the MASQUERADEd AND answered requests:
192.168.9.10 > 8.8.8.8
8.8.8.8 > 192.168.9.10
8.8.8.8 > 192.168.9.100

This is the other problem that I do not quite understand. Why is this request forwarded by the host's iptables rule but the previous two are not?

More importantly, why is the request MASQUERADEd but the echo reply does not arrive at machineB?


Thank you for your time.
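Added example (not from the post, and not LXC code): a small Python model of the topology described above. For each of the three pings it traces which interface each frame is addressed to at every hop (that is, which tcpdump would see it) and which of the host's FORWARD/POSTROUTING rules a routed packet would match. Assumed, because the post does not state them: /24 masks, a default route on the host via eth0, and IP forwarding enabled on machineA (it is machineB's gateway) and on the host.

```python
"""Trace the post's three pings through a model of its LXC topology.
Constructed example; /24 masks, the host default route via eth0, and
IP forwarding on machineA and the host are assumptions."""
import ipaddress

IFACES = {  # node -> {interface: address}, as listed in the post
    "host":     {"eth0": "192.168.1.10/24", "lxcbr0": "192.168.2.1/24"},
    "machineA": {"vethA0": "192.168.2.200/24", "vethA1": "192.168.9.10/24"},
    "machineB": {"vethB0": "192.168.9.100/24"},
}
GATEWAY = {"host": None, "machineA": "192.168.2.1", "machineB": "192.168.9.10"}
FORWARD_RULES = [("lxcbr0", "eth0", "ACCEPT"), ("eth0", "lxcbr0", "ACCEPT")]  # -i, -o, -j
MASQUERADE_OUT = "eth0"  # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

def owner(ip):
    """(node, interface) holding this address: the frame's L2 destination."""
    for node, ifs in IFACES.items():
        for name, cidr in ifs.items():
            if ipaddress.ip_interface(cidr).ip == ipaddress.ip_address(ip):
                return node, name
    return None

def route(node, dst):
    """Connected subnet first, then the node's gateway, else the host default."""
    for name, cidr in IFACES[node].items():
        if ipaddress.ip_address(dst) in ipaddress.ip_interface(cidr).network:
            return name, dst                       # on-link: frame goes to dst itself
    if GATEWAY[node]:
        return route(node, GATEWAY[node])[0], GATEWAY[node]  # off-link: via gateway
    return "eth0", dst                             # host default route (assumed)

def trace(node, dst, in_if=None, hops=()):
    """Return one (node, in_if, out_if, next_hop, verdict) tuple per hop."""
    if owner(dst) and owner(dst)[0] == node:
        # Linux owns addresses per host, not per interface (weak host model), so a
        # packet for vethA0's address is accepted even when it arrives on vethA1.
        return list(hops) + [(node, in_if, None, None, "local delivery")]
    out_if, nh = route(node, dst)
    verdict = "routed by container"
    if node == "host":  # only the host runs the post's iptables rules
        verdict = next((v for i, o, v in FORWARD_RULES if (i, o) == (in_if, out_if)),
                       "no FORWARD rule matched, chain policy applies")
        if out_if == MASQUERADE_OUT:
            verdict += " + MASQUERADE"
    hops = list(hops) + [(node, in_if, out_if, nh, verdict)]
    nxt = owner(nh)  # None once the next hop lies outside the modelled network
    return hops if nxt is None else trace(nxt[0], dst, nxt[1], hops)

if __name__ == "__main__":
    for target in ("192.168.9.10", "192.168.2.200", "8.8.8.8"):
        print(target, *trace("machineB", target), sep="\n  ")
```

In this model the first two pings end inside machineA on vethA1, the interface that holds machineB's gateway address, so the host's FORWARD chain never sees them; only the third ping leaves via lxcbr0 and matches the ACCEPT and MASQUERADE rules.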



