[lxc-users] Packets are FORWARDed to wrong NICs
david.trenton at clovermail.net
Sun Jun 24 16:38:49 UTC 2018
Hello,
I have made some observations, and I am not sure whether that is how it is supposed to work or whether the result is related to LXC. I would appreciate it if you could have a look at it.
I have the following LXC setup:
Physical host:
eth0 physical device on host, IP: 192.168.1.10
lxcbr0 virtual bridge on host, IP: 192.168.2.1
LXC containers:
machineA:
NIC: vethA0, IP: 192.168.2.200
NIC: vethA1, IP: 192.168.9.10
Gateway: 192.168.2.1
machineB:
NIC: vethB0, IP: 192.168.9.100
Gateway: 192.168.9.10
Neither of the containers does any filtering or routing, in fact, they
do not even have iptables installed.
The host has the following iptables rules set:
iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -o lxcbr0 -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I will ping three addresses from machineB and monitor the network
interfaces with tcpdump.
First I issue
# ping 192.168.9.10
PING 192.168.9.10 ...
64 bytes ...
I can see the traffic from
192.168.9.100 > 192.168.9.10
on vethA1 and vethB1 only, as one would expect.
However, when I issue
# ping 192.168.2.200
PING 192.168.2.200 ...
64 bytes ...
then again, I can see the traffic from
192.168.9.100 > 192.168.2.200
on vethA1 and vethB1 only. There is generally no traffic on vethA0,
the NIC that has the target address.
Just once I saw a stray packet of the ping on vethA0, out of at least
a dozen sent.
My first question:
Why does vethA1 see and answer the traffic that is directed at the IP of vethA0? Remember, the containers do not have iptables installed, so I did not issue any forwarding filter rules in the containers that might explain it.
The other problem that I have is when I try to ping 'outside', e.g., 8.8.8.8:
# ping 8.8.8.8
I do not get a reply. I do, however, see the unanswered traffic from
192.168.9.100 > 8.8.8.8
on all three virtual NICs. On the physical NIC on the host I can see
the MASQUERADEd AND answered requests:
192.168.9.10 > 8.8.8.8
8.8.8.8 > 192.168.9.10
8.8.8.8 > 192.168.9.100
This is the other problem that I do not quite understand. Why is this request forwarded by the host's iptables rule but the previous two are not?
More importantly, why is the request MASQUERADEd but the echo reply
does not arrive at machineB?
Thank you for your time.
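An added diagnostic for the first question, not from the post or from LXC: Linux follows the weak host model, so a packet for vethA0's address that arrives on vethA1 is delivered locally and answered out of vethA1, and with arp_ignore=0 (the kernel default) an interface also answers ARP for addresses held by the host's other NICs. The script reports the sysctls involved per interface; the function names, the optional tree root and the sample values (mirroring machineA from the post) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports the per-interface
# sysctls behind "the wrong NIC answers": arp_ignore=0 lets a NIC reply to
# ARP for any local address, and local delivery does not care which NIC a
# packet for a local address arrived on. Pass a copied or constructed
# sysctl tree as $1 to run it off the live host (default /proc/sys/net/ipv4).

read_or() { cat "$1" 2>/dev/null || echo "$2"; }

# The kernel uses max(conf/all/arp_ignore, conf/<iface>/arp_ignore).
effective_arp_ignore() {
    root=$1; ifc=$2
    a=$(read_or "$root/conf/all/arp_ignore" 0)
    i=$(read_or "$root/conf/$ifc/arp_ignore" 0)
    [ "$a" -gt "$i" ] && echo "$a" || echo "$i"
}

# One line per interface. Exit 0 if any NIC answers ARP for addresses held
# by other NICs (weak host behaviour), 1 if every NIC is scoped.
weak_host_report() {
    root=${1:-/proc/sys/net/ipv4}
    found=1
    printf 'ip_forward=%s\n' "$(read_or "$root/ip_forward" '?')"
    for d in "$root"/conf/*/; do
        ifc=${d%/}; ifc=${ifc##*/}
        case $ifc in all|default|lo) continue ;; esac
        ai=$(effective_arp_ignore "$root" "$ifc")
        rp=$(read_or "$root/conf/$ifc/rp_filter" '?')
        note='scoped: answers ARP only for its own addresses'
        if [ "$ai" -lt 1 ]; then
            note='answers ARP for addresses of any local NIC'
            found=0
        fi
        printf '%s arp_ignore=%s rp_filter=%s %s\n' "$ifc" "$ai" "$rp" "$note"
    done
    return $found
}

# Constructed sample tree (assumed values) mirroring machineA from the post
# with kernel defaults: arp_ignore=0, rp_filter=0, forwarding enabled.
make_sample_tree() {
    root=$1
    mkdir -p "$root/conf/all" "$root/conf/vethA0" "$root/conf/vethA1"
    echo 1 > "$root/ip_forward"
    for ifc in all vethA0 vethA1; do
        echo 0 > "$root/conf/$ifc/arp_ignore"
        echo 0 > "$root/conf/$ifc/rp_filter"
    done
}
```

Run `weak_host_report` on the host and inside machineA; setting arp_ignore=1 on conf/all (or per interface) scopes ARP replies to the receiving NIC, but local delivery of a packet addressed to another NIC's IP still happens unless policy routing or rp_filter rejects it.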