I have spent some time reading posts about IPv4 addresses not showing up. I tried to follow those posts by running the suggested commands and analyzing their output.
I am using openSUSE.
I installed lxd and ran sudo lxd init,
accepting all default values.
I tested with alpine/3.15 and ubuntu/21.10 in containers.
I also tested with alpine/3.15 in a virtual machine.
Every time I run sudo lxc list,
an IP address appears only for IPv6; no IPv4 address is shown.
I also have Docker installed. I disabled docker.service and rebooted, but I do not know whether that helps.
I am using lxd version 4.21.
kandy@localhost:~> sudo iptables-save
# Generated by iptables-save v1.8.7 on Sun Mar 20 02:55:51 2022
*nat
:PREROUTING ACCEPT [380:124332]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [5571:968055]
:POSTROUTING ACCEPT [5571:968055]
COMMIT
# Completed on Sun Mar 20 02:55:51 2022
# Generated by iptables-save v1.8.7 on Sun Mar 20 02:55:51 2022
*mangle
:PREROUTING ACCEPT [207193:276480809]
:INPUT ACCEPT [207192:276480233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126317:16562190]
:POSTROUTING ACCEPT [126350:16568079]
COMMIT
# Completed on Sun Mar 20 02:55:51 2022
# Generated by iptables-save v1.8.7 on Sun Mar 20 02:55:51 2022
*raw
:PREROUTING ACCEPT [207193:276480809]
:OUTPUT ACCEPT [126317:16562190]
COMMIT
# Completed on Sun Mar 20 02:55:51 2022
# Generated by iptables-save v1.8.7 on Sun Mar 20 02:55:51 2022
*security
:INPUT ACCEPT [206781:276350672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126317:16562190]
COMMIT
# Completed on Sun Mar 20 02:55:51 2022
# Generated by iptables-save v1.8.7 on Sun Mar 20 02:55:51 2022
*filter
:INPUT ACCEPT [207192:276480233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126317:16562190]
COMMIT
# Completed on Sun Mar 20 02:55:51 2022
kandy@localhost:~> sudo nft list ruleset
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "veth89adb666" goto mangle_PRE_public
iifname "veth2e557173" goto mangle_PRE_public
iifname "veth576f5bd1" goto mangle_PRE_public
iifname "wlp2s0" goto mangle_PRE_public
iifname "docker0" goto mangle_PRE_docker
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "veth89adb666" goto nat_PRE_public
iifname "veth2e557173" goto nat_PRE_public
iifname "veth576f5bd1" goto nat_PRE_public
iifname "wlp2s0" goto nat_PRE_public
iifname "docker0" goto nat_PRE_docker
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "veth89adb666" goto nat_POST_public
oifname "veth2e557173" goto nat_POST_public
oifname "veth576f5bd1" goto nat_POST_public
oifname "wlp2s0" goto nat_POST_public
oifname "docker0" goto nat_POST_docker
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority -90; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "veth89adb666" goto filter_IN_public
iifname "veth2e557173" goto filter_IN_public
iifname "veth576f5bd1" goto filter_IN_public
iifname "wlp2s0" goto filter_IN_public
iifname "docker0" goto filter_IN_docker
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "veth89adb666" goto filter_FWD_public
iifname "veth2e557173" goto filter_FWD_public
iifname "veth576f5bd1" goto filter_FWD_public
iifname "wlp2s0" goto filter_FWD_public
iifname "docker0" goto filter_FWD_docker
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
oifname "wlp2s0" accept
oifname "veth576f5bd1" accept
oifname "veth2e557173" accept
oifname "veth89adb666" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
}
table inet lxd {
chain pstrt.lxdbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.104.210.0/24 ip daddr != 10.104.210.0/24 masquerade
ip6 saddr fd42:5102:68a4:3ab0::/64 ip6 daddr != fd42:5102:68a4:3ab0::/64 masquerade
}
chain fwd.lxdbr0 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "lxdbr0" accept
ip version 4 iifname "lxdbr0" accept
ip6 version 6 oifname "lxdbr0" accept
ip6 version 6 iifname "lxdbr0" accept
}
chain in.lxdbr0 {
type filter hook input priority filter; policy accept;
iifname "lxdbr0" tcp dport 53 accept
iifname "lxdbr0" udp dport 53 accept
iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "lxdbr0" udp dport 67 accept
iifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
iifname "lxdbr0" udp dport 547 accept
}
chain out.lxdbr0 {
type filter hook output priority filter; policy accept;
oifname "lxdbr0" tcp sport 53 accept
oifname "lxdbr0" udp sport 53 accept
oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
oifname "lxdbr0" udp sport 67 accept
oifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
oifname "lxdbr0" udp sport 547 accept
}
}
kandy@localhost:~> sudo ss -ulpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 10.104.210.1:53 0.0.0.0:* users:(("dnsmasq",pid=8653,fd=8))
UNCONN 0 0 0.0.0.0%lxdbr0:67 0.0.0.0:* users:(("dnsmasq",pid=8653,fd=4))
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=2002,fd=6))
UNCONN 0 0 0.0.0.0:59422 0.0.0.0:* users:(("avahi-daemon",pid=649,fd=13))
UNCONN 0 0 0.0.0.0:36415 0.0.0.0:* users:(("firefox",pid=3587,fd=166))
UNCONN 0 0 0.0.0.0:45388 0.0.0.0:* users:(("firefox",pid=3587,fd=205))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=649,fd=11))
UNCONN 0 0 [fd42:5102:68a4:3ab0::1]:53 [::]:* users:(("dnsmasq",pid=8653,fd=12))
UNCONN 0 0 [fe80::216:3eff:fe42:664e]%lxdbr0:53 [::]:* users:(("dnsmasq",pid=8653,fd=10))
UNCONN 0 0 [::]%lxdbr0:547 [::]:* users:(("dnsmasq",pid=8653,fd=6))
UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=649,fd=12))
UNCONN 0 0 [::]:55977 [::]:* users:(("avahi-daemon",pid=649,fd=14))
kandy@localhost:~> sudo lxc network show lxdbr0
config:
ipv4.address: 10.104.210.1/24
ipv4.firewall: "True"
ipv4.nat: "true"
ipv6.address: fd42:5102:68a4:3ab0::1/64
ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/alpi
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
kandy@localhost:~> ps aux | grep dnsmasq
nobody 8653 0.0 0.0 14836 5876 ? Ss 02:18 0:00 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --dhcp-rapid-commit --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.104.210.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/lib/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.104.210.2,10.104.210.254,1h --listen-address=fd42:5102:68a4:3ab0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd --interface-name _gateway.lxd,lxdbr0 -S /lxd/ --conf-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.raw -u nobody -g lxd
kandy 12854 0.0 0.0 6624 2236 pts/2 S+ 03:01 0:00 grep --color=auto dnsmasq
kandy@localhost:~> sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 209K packets, 277M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 129K packets, 17M bytes)
pkts bytes target prot opt in out source destination
kandy@localhost:~> sudo lxc info | grep 'firewall:'
firewall: nftables
Thank you very much.