lxc network forward list lxdbr0
+----------------+-------------+------------------------+-------+
| LISTEN ADDRESS | DESCRIPTION | DEFAULT TARGET ADDRESS | PORTS |
+----------------+-------------+------------------------+-------+
| 65.21.191.121 | | | 5 |
+----------------+-------------+------------------------+-------+
Interesting about .179 - that’s not an allocated IP, which would explain things failing.
lxc list
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| db | RUNNING | 10.68.0.238 (eth0) | 2a01:4f9:c012:7dfb:78c5:3af:9b47:fbaa (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| emoncms | RUNNING | 10.68.0.135 (eth0) | 2a01:4f9:c012:7dfb:fb5a:3cb4:83fe:1d65 (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| mail | RUNNING | 10.68.0.103 (eth0) | 2a01:4f9:c012:7dfb:2a0e:72e8:6687:2235 (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| mx | RUNNING | 10.68.0.104 (eth0) | 2a01:4f9:c012:7dfb:76c9:1422:e591:48ad (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| squid | RUNNING | 10.68.0.33 (eth0) | 2a01:4f9:c012:7dfb:c015:6563:6362:70f (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| vpn | RUNNING | 10.9.8.1 (wg0) | 2a01:4f9:c012:7dfb:c030:da81:5a3e:bb00 (eth0) | CONTAINER | 0 |
| | | 10.68.0.170 (eth0) | | | |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| www | RUNNING | 10.68.0.73 (eth0) | 2a01:4f9:c012:7dfb:c1d1:5420:9291:bf24 (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
Checking for port forwards:
grep proxy_ *
mail.yaml: proxy_993:
mx.yaml: proxy_25:
mx.yaml: proxy_587:
vpn.yaml: proxy_51820:
www.yaml: proxy_80:
www.yaml: proxy_443:
All instances of containers were basically profile edited from the yaml file, then booted from that profile.
Details on the forwarding list show clearly that the wrong IP is in use.
lxc network forward show lxdbr0 65.21.191.121
description: ""
config: {}
ports:
- description: SMTP
  protocol: tcp
  listen_port: "25"
  target_port: "25"
  target_address: 10.68.0.179
- description: SMTP Submission
  protocol: tcp
  listen_port: "587"
  target_port: "587"
  target_address: 10.68.0.179
- description: SMTP Submission backup
  protocol: tcp
  listen_port: "588"
  target_port: "588"
  target_address: 10.68.0.179
- description: IMAP
  protocol: tcp
  listen_port: "143"
  target_port: "143"
  target_address: 10.68.0.103
- description: IMAPS
  protocol: tcp
  listen_port: "993"
  target_port: "993"
  target_address: 10.68.0.103
listen_address: 65.21.191.121
location: none
If I go back in my history, sure enough, lxc network forward port add lxdbr0 65.21.191.121 tcp 589 10.68.0.179 587
That must have been from before I used the proxy setup; indeed, my blog notes-to-self point out I discovered both ways of doing things (https://www.cricalix.net/2022/09/14/rebuilding-cricalix-net-part-2/), but apparently I never decided to delete all the forwards.
I’ve now edited the forwarding list, removed all the forwards.
lxc network forward list lxdbr0
+----------------+-------------+------------------------+-------+
| LISTEN ADDRESS | DESCRIPTION | DEFAULT TARGET ADDRESS | PORTS |
+----------------+-------------+------------------------+-------+
| 65.21.191.121 | | | 0 |
+----------------+-------------+------------------------+-------+
systemctl reload snap.lxd.daemon, and
nc 65.21.191.121 25
220 ESMTP Postfix
Thank you @tomp, that was the brick to the head I needed to work out what was wrong.
Is this something that lxd should detect, if it can? Basically, “you’re assigning a proxy for a port in a profile, but you’re also forwarding on the NIC, this will end badly”?
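
The check asked about in the post above, sketched as an added example (not part of the original post and not LXD's own code): it flags forward rules whose target address belongs to no instance, and forward ports that a proxy device also listens on. The forward rules and instance addresses are copied from the output above; the proxy `listen` values are constructed, since the post shows only the device names, and the comparison is on protocol and port only.

```python
"""Audit one LXD network forward against instance IPs and proxy devices."""

def expand_ports(spec):
    """Expand a port spec such as "25" or "80,8000-8002" into a set of ints."""
    ports = set()
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_forward(forward, instance_ips, proxy_listens):
    """Return sorted (kind, protocol, port, detail) findings for one forward."""
    allocated = set().union(*instance_ips.values())
    proxied = {}
    for (inst, dev), listen in proxy_listens.items():
        proto, rest = listen.split(":", 1)
        spec = rest.rpartition(":")[2]  # ports follow the last colon, IPv6 included
        for port in expand_ports(spec):
            proxied.setdefault((proto, port), []).append(f"{inst}/{dev}")
    findings = []
    for rule in forward.get("ports", []):
        for port in expand_ports(rule["listen_port"]):
            key = (rule["protocol"], port)
            if rule["target_address"] not in allocated:
                findings.append(("dead-target", *key, rule["target_address"]))
            if key in proxied:
                findings.append(("proxy-overlap", *key, ", ".join(proxied[key])))
    return sorted(findings)

# Forward rules and instance addresses as shown in the post.
FORWARD = {"listen_address": "65.21.191.121", "ports": [
    {"protocol": "tcp", "listen_port": "25", "target_address": "10.68.0.179"},
    {"protocol": "tcp", "listen_port": "587", "target_address": "10.68.0.179"},
    {"protocol": "tcp", "listen_port": "588", "target_address": "10.68.0.179"},
    {"protocol": "tcp", "listen_port": "143", "target_address": "10.68.0.103"},
    {"protocol": "tcp", "listen_port": "993", "target_address": "10.68.0.103"},
]}
INSTANCE_IPS = {"db": {"10.68.0.238"}, "emoncms": {"10.68.0.135"},
                "mail": {"10.68.0.103"}, "mx": {"10.68.0.104"},
                "squid": {"10.68.0.33"}, "vpn": {"10.9.8.1", "10.68.0.170"},
                "www": {"10.68.0.73"}}
# Constructed proxy listen values: the post shows only the device names.
PROXY_LISTENS = {("mail", "proxy_993"): "tcp:0.0.0.0:993",
                 ("mx", "proxy_25"): "tcp:0.0.0.0:25",
                 ("mx", "proxy_587"): "tcp:0.0.0.0:587",
                 ("www", "proxy_443"): "tcp:[::]:443"}

if __name__ == "__main__":
    for finding in audit_forward(FORWARD, INSTANCE_IPS, PROXY_LISTENS):
        print(*finding)
```

On this data the audit reports the three rules pointing at the unallocated 10.68.0.179 and the three forwarded ports (25, 587, 993) that a proxy device also claims.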