Thanks for tips - works now!
I compared the tcpdump output with the working Server.
That’s from the correct Server:
13:13:19.533778 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310
13:13:19.534763 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:6d:64:ca, length 305
13:13:19.541518 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310
13:13:20.767207 ARP, Request who-has 10.212.9.1 tell 10.212.9.214, length 28
13:13:20.767249 ARP, Reply 10.212.9.1 is-at 00:16:3e:91:cd:7b, length 28
13:13:20.767279 IP 10.212.9.214.41036 > 10.212.9.1.53: 24844+ [1au] A? concise-owl.lxd. (44)
13:13:20.767555 IP 10.212.9.1.53 > 10.212.9.214.41036: 24844* 1/0/1 A 10.212.9.214 (60)
On the real Server was no ARP packages.
Firewalld and iptables had (also after minimal Install) rules and uones set.
After removing firewalld and dropped all iptables rules the container got IP addresses.
Output nft list ruleset
and iptables-save
:
[root@localhost ~]# nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table bridge filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip security {
chain INPUT {
type filter hook input priority 150; policy accept;
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table ip6 security {
chain INPUT {
type filter hook input priority 150; policy accept;
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
}
}
table ip6 raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip6 mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
}
table ip6 nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table bridge nat {
chain PREROUTING {
type filter hook prerouting priority dstnat; policy accept;
}
chain OUTPUT {
type filter hook output priority out; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority srcnat; policy accept;
}
}
table inet firewalld {
chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES {
iifname "eno1" goto raw_PRE_public
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES {
iifname "eno1" goto mangle_PRE_public
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES {
iifname "eno1" goto filter_IN_public
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES {
iifname "eno1" goto filter_FWDI_public
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES {
oifname "eno1" goto filter_FWDO_public
goto filter_FWDO_public
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
chain filter_FWDO_public_post {
}
}
table ip firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES {
iifname "eno1" goto nat_PRE_public
goto nat_PRE_public
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES {
oifname "eno1" goto nat_POST_public
goto nat_POST_public
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
}
table ip6 firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES {
iifname "eno1" goto nat_PRE_public
goto nat_PRE_public
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES {
oifname "eno1" goto nat_POST_public
goto nat_POST_public
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
}
table ip lxd {
chain in.lxdbr0 {
type filter hook input priority filter; policy accept;
iifname "lxdbr0" tcp dport 53 accept
iifname "lxdbr0" udp dport 53 accept
iifname "lxdbr0" udp dport 67 accept
}
chain out.lxdbr0 {
type filter hook output priority filter; policy accept;
oifname "lxdbr0" tcp sport 53 accept
oifname "lxdbr0" udp sport 53 accept
oifname "lxdbr0" udp sport 67 accept
}
chain fwd.lxdbr0 {
type filter hook forward priority filter; policy accept;
oifname "lxdbr0" accept
iifname "lxdbr0" accept
}
chain pstrt.lxdbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.103.61.0/24 ip daddr != 10.103.61.0/24 masquerade
}
}
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*filter
:INPUT ACCEPT [7329:26137315]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4863:351000]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*security
:INPUT ACCEPT [7238:26121552]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4864:351248]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*raw
:PREROUTING ACCEPT [7330:26137891]
:OUTPUT ACCEPT [4866:351632]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*mangle
:PREROUTING ACCEPT [7330:26137891]
:INPUT ACCEPT [7329:26137315]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4868:351992]
:POSTROUTING ACCEPT [4868:351992]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*nat
:PREROUTING ACCEPT [94:16459]
:INPUT ACCEPT [2:120]
:POSTROUTING ACCEPT [43:2895]
:OUTPUT ACCEPT [44:2935]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
[root@localhost ~]#