Containers don't have internet access (CentOS)

Hello,

I installed LXD 3.17 from snap on CentOS 7.6 and created a bridge using LXC.

lxc network show juke-bridge
config:
  ipv4.address: 10.219.0.1/16
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: juke-bridge
type: bridge
used_by:
- /1.0/containers/ct
managed: true
status: Created
locations:
- none

Container config

lxc config show web
architecture: x86_64
config:
  boot.autostart: "true"
  image.architecture: x86_64
  image.description: centos 7 x86_64 (default) (20180502_02:16)
  image.name: centos-7-x86_64-default-20180502_02:16
  image.os: centos
  image.release: "7"
  image.variant: default
  security.privileged: "true"
  volatile.base_image: 8e2cc5be18e94dee8f806b557adfba554756c3c5a4d719230b5031e0d37deab1
  volatile.eth0.host_name: veth2ecc91d1
  volatile.eth0.hwaddr: 00:16:3e:9f:67:75
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
devices:
  devtcp22:
    connect: tcp:127.0.0.1:22
    listen: tcp:0.0.0.0:2227
    type: proxy
  eth0:
    ipv4.address: 10.219.0.8
    nictype: bridged
    parent: juke-bridge
    type: nic
ephemeral: false
profiles:
- juke
stateful: false
description: ""

I added juke-bridge to juke profile

I have internet access from the host, but inside the container I don't; I can't even ping the gateway (10.127.0.1).

On host:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:29:f9:ee brd ff:ff:ff:ff:ff:ff
    inet 10.127.4.101/16 brd 10.127.255.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe29:f9ee/64 scope link
       valid_lft forever preferred_lft forever
4: juke-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:50:dd:6d:a4:11 brd ff:ff:ff:ff:ff:ff
    inet 10.219.0.1/16 scope global juke-bridge
       valid_lft forever preferred_lft forever
    inet6 fe80::9c74:1fff:fe01:1ae/64 scope link
       valid_lft forever preferred_lft forever

ip route show
default via 10.127.0.1 dev ens32
10.127.0.0/16 dev ens32 proto kernel scope link src 10.127.4.101
10.219.0.0/16 dev juke-bridge proto kernel scope link src 10.219.0.1
169.254.0.0/16 dev ens32 scope link metric 1002

In container

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
25: eth0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:9f:67:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.219.0.8/16 brd 10.219.255.255 scope global dynamic eth0
       valid_lft 2715sec preferred_lft 2715sec
    inet6 fe80::216:3eff:fe9f:6775/64 scope link
       valid_lft forever preferred_lft forever

ip route show
default via 10.219.0.1 dev eth0
10.219.0.0/16 dev eth0 proto kernel scope link src 10.219.0.8
169.254.0.0/16 dev eth0 scope link metric 1025

What am I missing?
Thanks.

It seems I found the issue. CentOS doesn't persist the NAT rules made by LXD; after a reboot they are gone. I'll do it manually and will post if it works.

This is expected; the NAT rules should be added by LXD when it starts. Can you show the iptables rules on a fresh boot after LXD has started, please?
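The check the reply asks for, as an added diagnostic script that is not part of the thread: given the output of `iptables -t nat -S POSTROUTING` and the host's `ip_forward` setting, it reports whether the MASQUERADE rule for the bridge subnet (here the thread's 10.219.0.0/16) is actually present. The sample rule text is constructed to resemble the rule LXD installs for a managed bridge with `ipv4.nat: "true"`; the comment string is an assumption about LXD's format, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: is the host set up to NAT traffic
# from an LXD managed bridge? Prints one word: ok, no-masquerade, or
# forwarding-off. Containers can reach the bridge address but nothing
# beyond it when the MASQUERADE rule is missing or forwarding is off.

# has_masquerade SUBNET RULES: succeed if a POSTROUTING rule sourced from
# SUBNET jumps to MASQUERADE (the rule LXD adds for ipv4.nat: "true").
has_masquerade() {
    printf '%s\n' "$2" | grep -q -- "^-A POSTROUTING -s $1 .*-j MASQUERADE"
}

# diagnose_nat SUBNET RULES IP_FORWARD: print a one-word verdict.
# RULES is the text of `iptables -t nat -S POSTROUTING`; IP_FORWARD is
# the contents of /proc/sys/net/ipv4/ip_forward ("1" when enabled).
diagnose_nat() {
    if [ "$3" != "1" ]; then
        echo forwarding-off
    elif ! has_masquerade "$1" "$2"; then
        echo no-masquerade
    else
        echo ok
    fi
}

# Constructed sample: what the nat POSTROUTING chain looks like when LXD
# has added its rule for juke-bridge (comment text is an assumption).
SAMPLE_RULES_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.219.0.0/16 ! -d 10.219.0.0/16 -m comment --comment "generated for LXD network juke-bridge" -j MASQUERADE'

# Constructed sample: the same chain after the rule was lost on reboot.
SAMPLE_RULES_MISSING='-P POSTROUTING ACCEPT'

# live_check SUBNET: run the diagnosis against the real host (needs root).
live_check() {
    diagnose_nat "$1" "$(iptables -t nat -S POSTROUTING)" \
        "$(cat /proc/sys/net/ipv4/ip_forward)"
}
```

Run `live_check 10.219.0.0/16` as root on a fresh boot after LXD has started; `no-masquerade` reproduces the symptom described in the thread.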