Cannot Ping Yahoo from container!


#1

Ok, I was able to ping yahoo from inside a container, but for some unknown reason, I can no longer?
I can ping the gateway 10.106.37.1 from both the host and the container.
I can ping the container from the host.
I can ping the host from the container.

My host:
root@localhost:~# ifconfig
eth0 Link encap:Ethernet HWaddr f2:3c:91:f9:5e:e7
inet addr:23.239.31.177 Bcast:23.239.31.255 Mask:255.255.255.0
inet6 addr: fe80::f03c:91ff:fef9:5ee7/64 Scope:Link
inet6 addr: 2600:3c00::f03c:91ff:fef9:5ee7/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19093279 errors:0 dropped:0 overruns:0 frame:0
TX packets:12073525 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19984405020 (19.9 GB) TX bytes:2653527344 (2.6 GB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:162152 errors:0 dropped:0 overruns:0 frame:0
TX packets:162152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3212520995 (3.2 GB) TX bytes:3212520995 (3.2 GB)

lxdbr0 Link encap:Ethernet HWaddr fe:76:6f:ad:d7:78
inet addr:10.106.37.1 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fd42:2cd3:7080:38c::1/64 Scope:Global
inet6 addr: fe80::f42f:f8ff:fe33:35be/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9730858 errors:0 dropped:0 overruns:0 frame:0
TX packets:9818314 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2097728833 (2.0 GB) TX bytes:15989361099 (15.9 GB)

My container:
root@LPC1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:8e:af:1b
inet addr:10.106.37.94 Bcast:10.106.37.255 Mask:255.255.255.0
inet6 addr: fd42:2cd3:7080:38c:216:3eff:fe8e:af1b/64 Scope:Global
inet6 addr: fe80::216:3eff:fe8e:af1b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4969 errors:0 dropped:0 overruns:0 frame:0
TX packets:3942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16536191 (16.5 MB) TX bytes:352818 (352.8 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1008 (1.0 KB) TX bytes:1008 (1.0 KB)

Any ideas?

Ray


#2

does it work if you do a dig of yahoo inside your host or whatever computer connected to the net and use the numerical IP address to ping from inside the container, that is something like
ping 98.137.246.8


#3

ping 98.138.219.231 works from the host but not from the container.


#4

It may be

  • a route problem, is routing enabled on the host ?

or

  • a masquerading problem, what gives on the host:

sudo iptables -L -t nat | grep MASQ

you should have a line with
/* generated for LXD network lxdbr0 */
at the end with the LXD network masqueraded

  • a firewall problem on the host; that’s a bit more difficult to debug if firewall logging is not enabled. I’d use tcpdump to look at lxdbr0 from the host, and then on the host interface if the proper packets are seen on lxdbr0. If the packets from the containers are seen on the host interface
    sudo tcpdump -n -i eth0 host 98.138.219.231
    and you do a ping -c 1 98.138.219.231 from the container, you should see the packet with the source address of your host (else masquerading do not work)

#5

mmmm, I seem to recall I used to see that but it’s gone now? I get nothing back from that command?

How would I insert that?

Ray


#6

that’s not normal that it got lost. Normally stopping and starting the LXD service (sudo snap stop lxd if you use the snap version) should recreate the rule … unless nat has been disabled in the LXD config (lxc network show lxdbr0)


#7

I was playing with iptables a week or so ago so I may have caused it.
What is snap?

Ray


#8

snap is the new packaging method promoted by Ubuntu (www.snapcraft.io). Unless you compile LXD yourself from source or use a distro compiling LXD on its own (there are not many, maybe none but Gentoo), snap is the only way to get a recent LXD version (beyond stable)


#9

Thanks for your help with this. Apparently I inadvertently removed the iptable rules. I restarted lxd and now I can ping yahoo from within the container.