Lxc doesn't forward packet from WAN to the container

I set a proxy device for a container which forward the port 443 host to port 443 container and it is working correctly. Now I try to set a proxy device with the port 8443 to another container but it doesn’t work. When I telnet the port from outside I see the traffic on the host interface but there is nothing on the container interface(with a tcpdump). When I telnet the port 8443 from the host to the ip of the container I see traffic. below the configuration :

Container KO with port 8443:

  • myport8443:*
  • connect: tcp:*
  • listen: tcp:*
  • proxy_protocol: “true”*
  • type: proxy*

Container OK with port 443:

  • connect: tcp:*
  • listen: tcp:*
  • proxy_protocol: “true”*
  • type: proxy*

command used : lxc config device add WordpressContainer myport8443 proxy listen=tcp: connect=tcp: proxy_protocol=true

thank you.

Sounds silly but;

Are you aware LXD listens on 8443 by default if enabled to listen on the network, is LXD listening on the network?

I.E on mine

me@me:/ lxc config show
  core.https_address: '[::]:8443'
  core.trust_password: true
1 Like

As @turtle0x1 suggested, its worth checking if anything is listening on that port.

Running would show this:

sudo ss -tlpn

below the output of the command :
lxc config show
config: {}
I try with port 7443 but it is the same result.

Also can you check your firewall is allowing the ports, iptables-save should show you the rules active.

I use nftables. The port 7443 is open. Maybe I can use port redirection via nftables.

Can you show the output of ss -tlpn and sudo nft list ruleset

Also can you show the output of lxc config show <instance> --expanded for the problem container.

Finally, please show the output of ip a inside the container.


Also, you would not expect to see any traffic on the container’s network interface (eth0) when using the proxy connecting to, so please also show the tcpdump command you run inside the container.

ss -tlpn
State              Recv-Q             Send-Q                                              Local Address:Port                           Peer Address:Port             Process
LISTEN             0                  128                                                                 *
LISTEN             0                  10                                                                   *
LISTEN             0                  32                                                                    *
LISTEN             0                  4096                                                              *
LISTEN             0                  128                                                                     *
LISTEN             0                  10                                                                    *
LISTEN             0                  128                                                         [::1]:6010                                   [::]:*
LISTEN             0                  4096                                                            *:8443                                      *:*
LISTEN             0                  4096                                                            *:443                                       *:*
LISTEN             0                  4096                                                            *:80                                        *:*
LISTEN             0                  4096                                                            *:7443                                      *:*
architecture: x86_64
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20200504)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20200504"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 647a85725003d873f8bb9a5bd1a09bdc7fd4bcb393b2cf629f7e0edaa58f5637
  volatile.eth0.host_name: vethe4301269
  volatile.eth0.hwaddr: 00:16:3e:39:55:b8
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
    name: eth0
    network: lxdbr0
    type: nic
    connect: tcp:
    listen: tcp:
    proxy_protocol: "true"
    type: proxy
    connect: tcp:
    listen: tcp:
    proxy_protocol: "true"
    type: proxy
    path: /
    pool: default
    type: disk
ephemeral: false
- default
stateful: false
description: ""

I use tcpdump -i eth0 port 7443 or tcpdump -i eth0

Please can you run it as sudo ss -tlpn as I originally asked for, so I can see the process names. Thanks

 sudo ss -tlpn
State        Recv-Q       Send-Q                                  Local Address:Port             Peer Address:Port      Process
LISTEN       0            128                                       *          users:(("sshd",pid=2139910,fd=11))
LISTEN       0            10                                         *          users:(("sendmail-mta",pid=1016213,fd=5))
LISTEN       0            32                                          *          users:(("dnsmasq",pid=2004294,fd=9))
LISTEN       0            4096                                    *          users:(("systemd-resolve",pid=610,fd=13))
LISTEN       0            128                                           *          users:(("sshd",pid=738,fd=3))
LISTEN       0            10                                          *          users:(("sendmail-mta",pid=1016213,fd=4))
LISTEN       0            128                                             [::1]:6010                     [::]:*          users:(("sshd",pid=2139910,fd=10))
LISTEN       0            4096                                                *:8443                        *:*          users:(("lxd",pid=2147531,fd=8),("lxd",pid=2147531,fd=3))
LISTEN       0            4096                                                *:443                         *:*          users:(("lxd",pid=542001,fd=8),("lxd",pid=542001,fd=4))
LISTEN       0            4096                                                *:80                          *:*          users:(("lxd",pid=542092,fd=8),("lxd",pid=542092,fd=4))
LISTEN       0            4096                                                *:7443                        *:*          users:(("lxd",pid=2148474,fd=8),("lxd",pid=2148474,fd=3))
LISTEN       0            128                                              [::]:22                       [::]:*          users:(("sshd",pid=738,fd=4))
1 Like

Thanks, ive reformatted them using three backticks so they are more readable.

So LXD proxy is listening on the port.

You won’t see traffic on the container’s eth0 as the proxy device switches into the container’s network namespace and then establishes a connection to, so at most you may see traffic on the lo interface inside the container.

So we just need to see your firewall rules to check its not being blocked on the LXD host (you may still see traffic hitting the LXD host’s external interface using tcpdump and it could still be blocked by the firewall).

Also check that the service you are using inside your container is listening on (using sudo ss -tlpn inside the container).

Finally I remove the port 443 from the other container and add it the container and it works. I did that to fix a problem which has been resolved. The server is in production now and I cannot make changes to test. Thank you tomp for your help.