As far as I can tell, none of the plethora of other posts necessarily helps me here - so apologies in advance if this is inadvertently a double post.
I'm running LXD and several containers on Ubuntu 18.04, itself running on VMware vSphere. I do not have access to the cloud infrastructure, so I believe some of the VMware MAC address filtering issues mentioned around the place might be afflicting me? I have sudo on the VM, but it is managed above me as well.
I configured the default lxdbr0 with lxd init, and the containers can indeed DNS resolve, but I can't otherwise do anything (e.g. apt install - everything times out).
$ lxc network list
+--------+----------+---------+----------------+---------------------------+-------------+---------+
|  NAME  |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| eth0   | physical | NO      |                |                           |             | 0       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0 | bridge   | YES     | 10.47.110.1/24 | fd42:e0b7:79dd:cf0d::1/64 |             | 4       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
and
$ lxc network show lxdbr0
config:
  ipv4.address: 10.47.110.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:e0b7:79dd:cf0d::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- [redacted]
managed: true
status: Created
locations:
- none
and
$ lxc config show --expanded [name]
architecture: x86_64
config:
  boot.autostart: "1"
  image.architecture: amd64
  image.description: Ubuntu bionic amd64 (20201014_07:42)
  image.os: Ubuntu
  image.release: bionic
  image.serial: "20201014_07:42"
  image.type: squashfs
  volatile.base_image: e081c41658861afc947610b82c67ee2f423116bfd1e8f4153f0e171b69250127
  volatile.eth0.host_name: vethe88da6c8
  volatile.eth0.hwaddr: 00:16:3e:e5:e2:b7
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
And trying to decipher my networking - using netplan, this is the only file - I see no evidence elsewhere of the bridge, although I'm definitely not experienced here, so I'm probably looking in the wrong places.
$ cat /etc/netplan/01-network-manager-all.yaml
---
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eth0:
      dhcp4: true
      dhcp6: true
Lastly, iptables:
$ iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0 /* 000 drop fragmented icmp */
7 488 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* 001 accept any unfragmented icmp */
1149 110K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* 002 accept all to lo interface */
0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 /* 003 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable
2094 8475K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 005 accept related established rules */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 /* 006 allow SSH access */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 67 multiport dports 68 /* 007 allow DHCP IPv4 */
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 multiport dports 5353 /* 008 allow MULTICAST mDNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 multiport dports 1900 /* 009 allow MULTICAST UPnP */
0 0 LOG_ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25 /* 800 TEST SMTP BLOCK */
37302 4400K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 999 accept all */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 107 packets, 656K bytes)
pkts bytes target prot opt in out source destination
Chain LOG_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* 100 log accept traffic */ LOG flags 0 level 6 prefix "INPUT:ACCEPT:"
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 101 accept */
Chain LOG_DROP (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 /* 100 log drop traffic */ LOG flags 0 level 4 prefix "INPUT:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* 101 drop */
Chain RATE_LIMIT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 25/sec burst 50 mode srcip /* 000 throttle a SYN-Flood */
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 /* 001 log DOS Attack/SYN scan */ LOG flags 0 level 6 prefix "[DOS/SYN SCAN DROPPED] "
Chain TCP_FLAGS (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 /* 000 All of the TCP flag bits are clear */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 /* 001 TCP flags SYN and FIN both set */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 /* 002 TCP flags SYN and RST are both set */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05 /* 003 TCP flags FIN and RST are both set */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 /* 004 TCP flag FIN is only bit set, without ACK */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08 /* 005 TCP flag PSH is only bit set, without ACK */
0 0 LOG_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20 /* 006 TCP flag URG is only bit set, without ACK */
0 0 RATE_LIMIT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 /* 007 Filtering for SYN-Flood */
Any help highly appreciated!
Edit - from within a container:
# systemd-resolve www.archive.org
www.archive.org: 207.241.224.2
-- Information acquired via protocol DNS in 164.8ms.
-- Data is authenticated: no
# ping www.archive.org
PING www.archive.org (207.241.224.2) 56(84) bytes of data.
^C
--- www.archive.org ping statistics ---
86 packets transmitted, 0 received, 100% packet loss, time 87021ms
From the host:
$ ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:c0:8c brd ff:ff:ff:ff:ff:ff
    inet 152.83.108.53/21 brd 152.83.111.255 scope global dynamic noprefixroute eth0
       valid_lft 74919sec preferred_lft 74919sec
    inet6 2405:b000:601:17::108:53/128 scope global dynamic noprefixroute
       valid_lft 85723sec preferred_lft 85723sec
    inet6 fe80::250:56ff:fe86:c08c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:48:61:0d brd ff:ff:ff:ff:ff:ff
    inet 10.47.110.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd42:e0b7:79dd:cf0d::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe48:610d/64 scope link
       valid_lft forever preferred_lft forever
5: vethe88da6c8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 0a:ce:dc:5a:e4:2e brd ff:ff:ff:ff:ff:ff link-netnsid 0
7: veth398aedb4@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 7a:61:88:12:57:23 brd ff:ff:ff:ff:ff:ff link-netnsid 1
9: veth59e7fa37@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 4e:c6:d7:f0:5c:ec brd ff:ff:ff:ff:ff:ff link-netnsid 2
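The `iptables -L -v -n` listing above shows only the filter table, and its FORWARD chain has counted zero packets, so the parts of the NAT path it cannot show are worth checking next: whether the host has `net.ipv4.ip_forward` enabled, whether the nat table holds a MASQUERADE rule for the lxdbr0 subnet, and whether the FORWARD chain actually lets traffic through the bridge. The script below is an added example and is not part of the original post or of LXD itself. It reads saved command output so it runs offline; the function names, the `diagnose` wrapper and the sample rule lines are assumptions constructed for this example, modelled on the `-A ... -m comment --comment "generated for LXD network ..."` form LXD uses when it manages the firewall with iptables.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the three
# things a NAT'd LXD bridge needs on the host. Each check reads command output
# from a file or stdin so it can run against saved output; the live commands to
# feed it are in the usage note below. All sample inputs at the bottom are
# constructed for this example to match the post's lxdbr0 (10.47.110.0/24).

# ip_forward_enabled FILE: succeeds if the sysctl file (normally
# /proc/sys/net/ipv4/ip_forward) contains "1".
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# has_masquerade SUBNET: reads `iptables -t nat -S POSTROUTING` on stdin and
# succeeds if a MASQUERADE rule whose source is SUBNET exists.
has_masquerade() {
    grep -F -- "-A POSTROUTING -s $1 " | grep -q -- "-j MASQUERADE"
}

# forward_allows BRIDGE: reads `iptables -S FORWARD` on stdin and succeeds if
# the chain policy is ACCEPT, or if there are explicit ACCEPT rules for traffic
# both entering (-i) and leaving (-o) BRIDGE.
forward_allows() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q '^-P FORWARD ACCEPT$'; then
        return 0
    fi
    printf '%s\n' "$rules" | grep -- "-A FORWARD -i $1 " | grep -q -- "-j ACCEPT" &&
    printf '%s\n' "$rules" | grep -- "-A FORWARD -o $1 " | grep -q -- "-j ACCEPT"
}

# diagnose BRIDGE SUBNET IPFWD_FILE NAT_FILE FWD_FILE: prints one line per
# check and returns the number of failed checks (0 means the NAT path looks
# complete on the host side).
diagnose() {
    failed=0
    if ip_forward_enabled "$3"; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward is not 1: host will not route for $1"; failed=$((failed+1)); fi
    if has_masquerade "$2" < "$4"; then echo "ok   MASQUERADE rule for $2 present"
    else echo "FAIL no MASQUERADE rule for $2 in nat POSTROUTING"; failed=$((failed+1)); fi
    if forward_allows "$1" < "$5"; then echo "ok   FORWARD chain allows $1"
    else echo "FAIL FORWARD chain does not allow traffic via $1"; failed=$((failed+1)); fi
    return $failed
}

# --- constructed samples (not real output from the host in the post) ---
tmp=$(mktemp -d)
printf '1\n' > "$tmp/ipfwd_on"
printf '0\n' > "$tmp/ipfwd_off"
cat > "$tmp/nat_ok" <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.47.110.0/24 ! -d 10.47.110.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
EOF
printf '%s\n' '-P POSTROUTING ACCEPT' > "$tmp/nat_missing"
printf '%s\n' '-P FORWARD ACCEPT' > "$tmp/fwd_ok"
cat > "$tmp/fwd_drop" <<'EOF'
-P FORWARD DROP
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
EOF

echo "== healthy host =="
diagnose lxdbr0 10.47.110.0/24 "$tmp/ipfwd_on" "$tmp/nat_ok" "$tmp/fwd_ok" || true
echo "== broken host =="
diagnose lxdbr0 10.47.110.0/24 "$tmp/ipfwd_off" "$tmp/nat_missing" "$tmp/fwd_drop" || true
rm -rf "$tmp"
```

To run it against the real host, save `cat /proc/sys/net/ipv4/ip_forward`, `sudo iptables -t nat -S POSTROUTING` and `sudo iptables -S FORWARD` to three files and pass them to `diagnose lxdbr0 10.47.110.0/24 FILE1 FILE2 FILE3`. One caveat: if the host's firewall is nftables-based rather than iptables, LXD places its rules in an nft table and `iptables -S` will not list them, so `nft list ruleset` is the listing to inspect instead.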