CentOS client - Ubuntu 18.04 container server

tkasidakis · November 19, 2020, 9:07pm

I have a VM with CentOS which has the following network interfaces.

ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:50:56:a2:f3:41  txqueuelen 1000  (Ethernet)
        RX packets 6174596  bytes 3867285859 (3.6 GiB)
        RX errors 0  dropped 8058  overruns 0  frame 0
        TX packets 1653880  bytes 152340076 (145.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens160.506: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.96.12.116  netmask 255.255.254.0  broadcast 10.96.13.255
        inet6 fe80::4b9a:8eb:9f0:1f16  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a2:f3:41  txqueuelen 1000  (Ethernet)
        RX packets 2425053  bytes 3263227611 (3.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1376752  bytes 106986037 (102.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 132  bytes 11220 (10.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132  bytes 11220 (10.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lxdbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.114.35.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fd42:c2c4:d681:4b22::1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::216:3eff:fe4e:8b54  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:4e:8b:54  txqueuelen 1000  (Ethernet)
        RX packets 9466  bytes 722092 (705.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3362  bytes 450490 (439.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth621511dc: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.0.1  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::fc03:bdff:fe93:7297  prefixlen 64  scopeid 0x20<link>
        ether fe:03:bd:93:72:97  txqueuelen 1000  (Ethernet)
        RX packets 43  bytes 3591 (3.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 86  bytes 9299 (9.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:23:eb:b6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I have there a python script which does the following


IP = "10.96.12.116"
print(IP)

service_registry = {} # Service Registry of the Fog middleware

flog=open("foglog.txt","w+")

#HelpNetPorfThread = HelpNetPorf() # Initialise the thread which helps Network Profiling
#HelpNetPorfThread.start()

sock4droneAndServices = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
sock4droneAndServices.bind((IP,5001))

command4LXD = ['sudo','lxc','exec','DetectionSvc','python3','DetectionSvc.py',"10.96.12.200",IP,str(5001),"DetectionSvc"]
subprocess.Popen(command4LXD,stdout=flog)
SvcInfoSerial , SvcIPport = sock4droneAndServices.recvfrom(1400)
SvcInfo = pickle.loads(SvcInfoSerial)
service_registry["DetectionSvc"] = SvcInfo # Save to the Service Registry, the Service Info.
print(service_registry)

Inside the container DetectionSvc which has as a baseline image an ubuntu:18.04 image. The process for the DetectionSvc.py is starting but it doesn’t return something and the
sock4droneAndServices.recvfrom(1400) stucks there forever.

Both container and the host can ping each other. Only the process inside the container can’t work.
The code of the DetectionSvc.py which runs inside the container is the presented below.

ip4DeamonSvc = sys.argv[1]
ipOfDroneMiddleware = sys.argv[2] 
port0fDroneMiddleware = sys.argv[3]
svcname = sys.argv[4] 

Daemon = Pyro4.Daemon(host=ip4DeamonSvc,port=0)
id_Svc = Daemon.register(DetectionSvc)

ServiceInfo={}
ServiceInfo["PyroID"]=id_Svc.asString()
ServiceInfo["Resident"] = 0
ServiceInfo["SvcPID"] = os.getpid()

serialServiceInfo = pickle.dumps(ServiceInfo)

sockToNE =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
sockToNE.sendto(serialServiceInfo,(ipOfDroneMiddleware,int(port0fDroneMiddleware)))
sockToNE.close()

print(svcname + " OK ")
	
Daemon.requestLoop()

ifconfig inside the container


root@DetectionSvc:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.96.12.200  netmask 255.255.255.255  broadcast 255.255.255.255
        inet6 fe80::9c42:40ff:fe9a:4795  prefixlen 64  scopeid 0x20<link>
        ether 9e:42:40:9a:47:95  txqueuelen 1000  (Ethernet)
        RX packets 86  bytes 9299 (9.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43  bytes 3591 (3.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 52  bytes 3824 (3.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 3824 (3.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I configured the DetectionSvc container using the routed way with this .yaml

config:
  user.network-config: |
    version: 2
    ethernets:
        eth0:
            addresses:
            - 10.96.12.200/32
            nameservers:
                addresses:
                - 8.8.8.8
                search: []
            routes:
            -   to: 0.0.0.0/0
                via: 169.254.0.1
                on-link: true
description: Default LXD profile
devices:
  eth0:
    ipv4.address: 10.96.12.200
    nictype: routed
    parent: ens160.506
    type: nic
name: ip200new
used_by:
- /1.0/instances/DetectionSvc

@tomp Any help here.

Since i want just communication between the host and the container i don’t believe it is necessary to use a routed profile

tomp · November 20, 2020, 9:09am

If host and container can ping each other, then I would recommend your first check is the firewall running on the LXD host and check its allowing your container to connect to the port you are trying to.

tkasidakis · November 20, 2020, 12:33pm

What are you saying is to disable at the host the firewall with

sudo iptables -t filter -F

?

tomp · November 20, 2020, 12:37pm

That would be one way to see if that is causing the problem.

Another would be to list the rules with iptables-save and see if there are any that could be causing the issue.

tkasidakis · November 20, 2020, 12:39pm

Disabling the firewall didn’t fix the issue.

[root@localhost tkasidakis]# iptables-save
# Generated by iptables-save v1.8.4 on Fri Nov 20 14:37:23 2020
*filter
:INPUT ACCEPT [3086239:3539179384]
:FORWARD ACCEPT [1144:69816]
:OUTPUT ACCEPT [1364869:87829938]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
COMMIT
# Completed on Fri Nov 20 14:37:23 2020
# Generated by iptables-save v1.8.4 on Fri Nov 20 14:37:23 2020
*security
:INPUT ACCEPT [2185387:3253404777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1364869:87829938]
COMMIT
# Completed on Fri Nov 20 14:37:23 2020
# Generated by iptables-save v1.8.4 on Fri Nov 20 14:37:23 2020
*raw
:PREROUTING ACCEPT [3092519:3539956916]
:OUTPUT ACCEPT [1364869:87829938]
COMMIT
# Completed on Fri Nov 20 14:37:23 2020
# Generated by iptables-save v1.8.4 on Fri Nov 20 14:37:23 2020
*mangle
:PREROUTING ACCEPT [3092519:3539956916]
:INPUT ACCEPT [3086239:3539179384]
:FORWARD ACCEPT [1144:69816]
:OUTPUT ACCEPT [1364870:87830362]
:POSTROUTING ACCEPT [1366400:87942830]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Nov 20 14:37:23 2020
# Generated by iptables-save v1.8.4 on Fri Nov 20 14:37:23 2020
*nat
:PREROUTING ACCEPT [905613:286440611]
:INPUT ACCEPT [15:1112]
:POSTROUTING ACCEPT [18107:1231956]
:OUTPUT ACCEPT [18436:1253370]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Nov 20 14:37:23 2020
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

tomp · November 20, 2020, 12:41pm

Looks OK to me.

What does tcpdump run on the LXD-side host veth interface for the container show, do you see the packets arriving at the LXD host?

tkasidakis · November 20, 2020, 12:43pm

So you suggest to do tcpdump to veth621511dc. Ok i will test it now.

tomp · November 20, 2020, 12:47pm

What is this?

tkasidakis · November 20, 2020, 12:50pm

This isn’t the issue, i change it correctly to the containers IP ( 10.96.12.200)

[root@localhost ~]# sudo tcpdump -i veth32ceb5ee
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth32ceb5ee, link-type EN10MB (Ethernet), capture size 262144 bytes
14:46:09.388156 IP 10.96.12.200.45249 > localhost.localdomain.commplex-link: UDP, length 121
14:46:09.388283 IP localhost.localdomain > 10.96.12.200: ICMP host localhost.localdomain unreachable - admin prohibited filter, length 157
14:46:14.648214 ARP, Request who-has 10.96.12.200 tell localhost.localdomain, length 28
14:46:14.648344 ARP, Request who-has localhost.localdomain tell 10.96.12.200, length 28
14:46:14.648354 ARP, Reply localhost.localdomain is-at fe:e2:11:48:ba:fc (oui Unknown), length 28
14:46:14.648356 ARP, Reply 10.96.12.200 is-at f2:4a:17:9c:de:5a (oui Unknown), length 28

tkasidakis · November 20, 2020, 12:51pm

I see that something is prohibited. Is this the issue ?

tomp · November 20, 2020, 2:02pm

Yep that looks like a firewall rejecting it. Do you have any nftables rules sudo nft list ruleset

tkasidakis · November 20, 2020, 2:06pm

[root@localhost tkasidakis]# sudo nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain LIBVIRT_INP {
	}

	chain LIBVIRT_OUT {
	}

	chain LIBVIRT_FWO {
	}

	chain LIBVIRT_FWI {
	}

	chain LIBVIRT_FWX {
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 728494 bytes 88503164 jump LIBVIRT_INP
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 238153 bytes 26746633 jump LIBVIRT_OUT
	}

	chain LIBVIRT_INP {
	}

	chain LIBVIRT_OUT {
	}

	chain LIBVIRT_FWO {
	}

	chain LIBVIRT_FWI {
	}

	chain LIBVIRT_FWX {
	}
}
table bridge filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
table ip security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 1366860 bytes 88011343 jump LIBVIRT_PRT
	}

	chain LIBVIRT_PRT {
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 18157 bytes 1235567 jump LIBVIRT_PRT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain LIBVIRT_PRT {
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 388 bytes 26021 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade 
	}
}
table ip6 security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip6 raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
	}
}
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 367211 bytes 38711043 jump LIBVIRT_PRT
	}

	chain LIBVIRT_PRT {
	}
}
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 14845 bytes 1342095 jump LIBVIRT_PRT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain LIBVIRT_PRT {
	}
}
table bridge nat {
	chain PREROUTING {
		type filter hook prerouting priority dstnat; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority out; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority srcnat; policy accept;
	}
}
table inet firewalld {
	ct helper helper-tftp-udp {
		type "tftp" protocol udp
		l3proto inet
	}

	chain raw_PREROUTING {
		type filter hook prerouting priority raw + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . iif oif missing drop
		jump raw_PREROUTING_ZONES_SOURCE
		jump raw_PREROUTING_ZONES
	}

	chain raw_PREROUTING_ZONES_SOURCE {
	}

	chain raw_PREROUTING_ZONES {
		iifname "virbr0" goto raw_PRE_libvirt
		iifname "ens160.506" goto raw_PRE_public
		goto raw_PRE_public
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_ZONES_SOURCE
		jump mangle_PREROUTING_ZONES
	}

	chain mangle_PREROUTING_ZONES_SOURCE {
	}

	chain mangle_PREROUTING_ZONES {
		iifname "virbr0" goto mangle_PRE_libvirt
		iifname "ens160.506" goto mangle_PRE_public
		goto mangle_PRE_public
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		jump filter_INPUT_ZONES_SOURCE
		jump filter_INPUT_ZONES
		ct state { invalid } drop
		reject with icmpx type admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_FORWARD_IN_ZONES_SOURCE
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES_SOURCE
		jump filter_FORWARD_OUT_ZONES
		ct state { invalid } drop
		reject with icmpx type admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
	}

	chain filter_INPUT_ZONES_SOURCE {
	}

	chain filter_INPUT_ZONES {
		iifname "virbr0" goto filter_IN_libvirt
		iifname "ens160.506" goto filter_IN_public
		goto filter_IN_public
	}

	chain filter_FORWARD_IN_ZONES_SOURCE {
	}

	chain filter_FORWARD_IN_ZONES {
		iifname "virbr0" goto filter_FWDI_libvirt
		iifname "ens160.506" goto filter_FWDI_public
		goto filter_FWDI_public
	}

	chain filter_FORWARD_OUT_ZONES_SOURCE {
	}

	chain filter_FORWARD_OUT_ZONES {
		oifname "virbr0" goto filter_FWDO_libvirt
		oifname "ens160.506" goto filter_FWDO_public
		goto filter_FWDO_public
	}

	chain raw_PRE_public {
		jump raw_PRE_public_pre
		jump raw_PRE_public_log
		jump raw_PRE_public_deny
		jump raw_PRE_public_allow
		jump raw_PRE_public_post
	}

	chain raw_PRE_public_pre {
	}

	chain raw_PRE_public_log {
	}

	chain raw_PRE_public_deny {
	}

	chain raw_PRE_public_allow {
	}

	chain raw_PRE_public_post {
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport 22 ct state { new, untracked } accept
		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
		tcp dport 9090 ct state { new, untracked } accept
	}

	chain filter_IN_public_post {
	}

	chain filter_FWDI_public {
		jump filter_FWDI_public_pre
		jump filter_FWDI_public_log
		jump filter_FWDI_public_deny
		jump filter_FWDI_public_allow
		jump filter_FWDI_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_public_pre {
	}

	chain filter_FWDI_public_log {
	}

	chain filter_FWDI_public_deny {
	}

	chain filter_FWDI_public_allow {
	}

	chain filter_FWDI_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_FWDO_public {
		jump filter_FWDO_public_pre
		jump filter_FWDO_public_log
		jump filter_FWDO_public_deny
		jump filter_FWDO_public_allow
		jump filter_FWDO_public_post
	}

	chain filter_FWDO_public_pre {
	}

	chain filter_FWDO_public_log {
	}

	chain filter_FWDO_public_deny {
	}

	chain filter_FWDO_public_allow {
	}

	chain filter_FWDO_public_post {
	}

	chain raw_PRE_libvirt {
		jump raw_PRE_libvirt_pre
		jump raw_PRE_libvirt_log
		jump raw_PRE_libvirt_deny
		jump raw_PRE_libvirt_allow
		jump raw_PRE_libvirt_post
	}

	chain raw_PRE_libvirt_pre {
	}

	chain raw_PRE_libvirt_log {
	}

	chain raw_PRE_libvirt_deny {
	}

	chain raw_PRE_libvirt_allow {
	}

	chain raw_PRE_libvirt_post {
	}

	chain filter_IN_libvirt {
		jump filter_IN_libvirt_pre
		jump filter_IN_libvirt_log
		jump filter_IN_libvirt_deny
		jump filter_IN_libvirt_allow
		jump filter_IN_libvirt_post
		accept
	}

	chain filter_IN_libvirt_pre {
	}

	chain filter_IN_libvirt_log {
	}

	chain filter_IN_libvirt_deny {
	}

	chain filter_IN_libvirt_allow {
		udp dport 67 ct state { new, untracked } accept
		udp dport 547 ct state { new, untracked } accept
		tcp dport 53 ct state { new, untracked } accept
		udp dport 53 ct state { new, untracked } accept
		tcp dport 22 ct state { new, untracked } accept
		udp dport 69 ct helper set "helper-tftp-udp"
		udp dport 69 ct state { new, untracked } accept
		meta l4proto icmp ct state { new, untracked } accept
		meta l4proto ipv6-icmp ct state { new, untracked } accept
	}

	chain filter_IN_libvirt_post {
		reject
	}

	chain mangle_PRE_libvirt {
		jump mangle_PRE_libvirt_pre
		jump mangle_PRE_libvirt_log
		jump mangle_PRE_libvirt_deny
		jump mangle_PRE_libvirt_allow
		jump mangle_PRE_libvirt_post
	}

	chain mangle_PRE_libvirt_pre {
	}

	chain mangle_PRE_libvirt_log {
	}

	chain mangle_PRE_libvirt_deny {
	}

	chain mangle_PRE_libvirt_allow {
	}

	chain mangle_PRE_libvirt_post {
	}

	chain filter_FWDI_libvirt {
		jump filter_FWDI_libvirt_pre
		jump filter_FWDI_libvirt_log
		jump filter_FWDI_libvirt_deny
		jump filter_FWDI_libvirt_allow
		jump filter_FWDI_libvirt_post
		accept
	}

	chain filter_FWDI_libvirt_pre {
	}

	chain filter_FWDI_libvirt_log {
	}

	chain filter_FWDI_libvirt_deny {
	}

	chain filter_FWDI_libvirt_allow {
	}

	chain filter_FWDI_libvirt_post {
	}

	chain filter_FWDO_libvirt {
		jump filter_FWDO_libvirt_pre
		jump filter_FWDO_libvirt_log
		jump filter_FWDO_libvirt_deny
		jump filter_FWDO_libvirt_allow
		jump filter_FWDO_libvirt_post
		accept
	}

	chain filter_FWDO_libvirt_pre {
	}

	chain filter_FWDO_libvirt_log {
	}

	chain filter_FWDO_libvirt_deny {
	}

	chain filter_FWDO_libvirt_allow {
	}

	chain filter_FWDO_libvirt_post {
	}
}
table ip firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_ZONES_SOURCE
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES_SOURCE {
	}

	chain nat_PREROUTING_ZONES {
		iifname "virbr0" goto nat_PRE_libvirt
		iifname "ens160.506" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_ZONES_SOURCE
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES_SOURCE {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "virbr0" goto nat_POST_libvirt
		oifname "ens160.506" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}
}
table ip6 firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_ZONES_SOURCE
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES_SOURCE {
	}

	chain nat_PREROUTING_ZONES {
		iifname "virbr0" goto nat_PRE_libvirt
		iifname "ens160.506" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_ZONES_SOURCE
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES_SOURCE {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "virbr0" goto nat_POST_libvirt
		oifname "ens160.506" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}
}

Is there a problem ?

tomp · November 20, 2020, 2:09pm

Suggest clearing those rules out using sudo nft flush ruleset (assuming you dont need them particularly) and then testing again.

tkasidakis · November 20, 2020, 2:09pm

OK OK i will test it now

tkasidakis · November 20, 2020, 2:11pm

Workeddddddddddddddddddddddddddddd !!!

Thanks a lot Thomas once again.

tomp · November 20, 2020, 2:15pm

Great, I noticed its the last line in this section that was most likely doing it:

tkasidakis:

chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_FORWARD_IN_ZONES_SOURCE
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES_SOURCE
		jump filter_FORWARD_OUT_ZONES
		ct state { invalid } drop
		reject with icmpx type admin-prohibited
	}