LXD container has no internet access (with Docker)

Hello, I am having trouble with networking.
Setup:

  • Ubuntu 22.04
  • Snap package LXD
  • Docker version 23.0.1, build a5ee5b1
  • network bridge configured with netplan

I installed Docker and then had no internet access from the container.
I tried this way and then restarted LXD, but it did not work.

iptables-save (host)

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [187:60161]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b0da2502366a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b0da2502366a -j DOCKER
-A FORWARD -i br-b0da2502366a ! -o br-b0da2502366a -j ACCEPT
-A FORWARD -i br-b0da2502366a -o br-b0da2502366a -j ACCEPT
-A DOCKER -d 172.19.0.4/32 ! -i br-b0da2502366a -o br-b0da2502366a -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b0da2502366a ! -o br-b0da2502366a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b0da2502366a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i br0 -o enp7s0f0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Feb 14 12:48:14 2023
# Generated by iptables-save v1.8.7 on Tue Feb 14 12:48:14 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-b0da2502366a -j MASQUERADE
-A POSTROUTING -s 172.19.0.4/32 -d 172.19.0.4/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-b0da2502366a -j RETURN
-A DOCKER ! -i br-b0da2502366a -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.19.0.4:3000
COMMIT
# Completed on Tue Feb 14 12:48:14 2023

and this is the bridge profile

config: {}
description: ""
devices:
  eth0:
    name: eth1
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: bridge
used_by:
- /1.0/instances/ldap

What should I do?

I tried editing /etc/sysctl.conf and setting net.ipv4.ip_forward=1.

Or executing sudo iptables -I DOCKER-USER -j ACCEPT.
Both ways worked.
But I don't know how it works.

Why did these commands not work

iptables -I DOCKER-USER -i br0 -o enp7s0f0 -j ACCEPT
iptables -I DOCKER-USER -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and this command worked?

sudo iptables -I DOCKER-USER -j ACCEPT

Please show ip a and ip r on the host and container.


This is my host

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp7s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 00:19:99:c5:79:95 brd ff:ff:ff:ff:ff:ff
3: enp7s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:19:99:c5:79:96 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:0d:78:cb:8a:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.14/24 brd 192.168.100.255 scope global br0
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:5d:85:d5:88 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: br-b0da2502366a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:61:b4:68:e7 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-b0da2502366a
       valid_lft forever preferred_lft forever
    inet6 fe80::42:61ff:feb4:68e7/64 scope link 
       valid_lft forever preferred_lft forever
8: veth2d5cb39@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b0da2502366a state UP group default 
    link/ether 8a:9a:a4:a3:77:41 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::889a:a4ff:fea3:7741/64 scope link 
       valid_lft forever preferred_lft forever
10: veth2a7d907@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b0da2502366a state UP group default 
    link/ether 3a:d7:db:ce:ed:1b brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::38d7:dbff:fece:ed1b/64 scope link 
       valid_lft forever preferred_lft forever
12: vethf4a9253@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b0da2502366a state UP group default 
    link/ether aa:ca:24:2b:cf:3e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::a8ca:24ff:fe2b:cf3e/64 scope link 
       valid_lft forever preferred_lft forever
13: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:4f:7c:a0 brd ff:ff:ff:ff:ff:ff
    inet 10.166.147.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd42:c7f6:bc6f:4911::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe4f:7ca0/64 scope link 
       valid_lft forever preferred_lft forever
15: veth8ffc3159@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 9a:21:87:c5:a0:1b brd ff:ff:ff:ff:ff:ff link-netnsid 3
17: veth2d08084d@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 7a:63:8e:c6:22:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 4
19: vethaefe69d5@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 9a:08:ea:03:13:77 brd ff:ff:ff:ff:ff:ff link-netnsid 5
21: veth3dca007e@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether da:a8:5d:34:70:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 6
23: veth4d7beeb8@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 62:5d:af:98:84:db brd ff:ff:ff:ff:ff:ff link-netnsid 7
ip r

default via 192.168.100.1 dev br0 proto static 
10.166.147.0/24 dev lxdbr0 proto kernel scope link src 10.166.147.1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.19.0.0/16 dev br-b0da2502366a proto kernel scope link src 172.19.0.1 
192.168.100.0/24 dev br0 proto kernel scope link src 192.168.100.14 

and the container is

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
18: eth1@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:0d:93:17 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.33/24 brd 192.168.100.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe0d:9317/64 scope link 
       valid_lft forever preferred_lft forever
ip r

192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.33 

Thank you

Your default route goes via br0 interface, not enp7s0f0, so that part of your custom
DOCKER-USER firewall rule is incorrect I think, it should be br0 too.
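
To see why the blanket `-j ACCEPT` works while the `-i br0 -o enp7s0f0` rule never fires, here is an added example (not from this thread, LXD or Docker) that replays the posted filter rules against a packet. It assumes Docker has enabled bridge-nf-call-iptables, in which case a frame bridged from the container's veth out through enp7s0f0 reaches the FORWARD chain with both the in- and out-interface set to br0, so a rule naming enp7s0f0 as the out-interface cannot match and the packet falls through to the FORWARD DROP policy.

```python
"""Added example, not from the thread. Replays the host's iptables FORWARD chain
(constructed from the posted iptables-save, trimmed to what a br0 packet visits)
for a packet from the LXD container. Only -i/-o (with '!') and --ctstate are
evaluated; every other match option takes one value and is skipped."""
import shlex

FILTER_RULES = """
:FORWARD DROP [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i br0 -o enp7s0f0 -j ACCEPT
-A DOCKER-USER -j RETURN
"""
KEYS = {"-i": "in", "-o": "out", "--ctstate": "ctstate"}  # option -> packet field

def matches(rule, pkt):
    ok, i = True, 0
    while rule[i] != "-j":                # walk the match part of the rule
        neg = rule[i] == "!"              # '!' negates the option that follows
        opt, val = rule[i + neg], rule[i + neg + 1]
        if opt in KEYS:
            ok = ok and (pkt[KEYS[opt]] in val.split(",")) != neg
        i += 2 + neg                      # unsupported options are skipped
    return ok

def walk(chains, policy, chain, pkt, trace):
    # Returns ACCEPT/DROP, or None when a user chain RETURNs or runs off its end
    for rule in chains[chain]:
        if matches(rule, pkt):
            target = rule[rule.index("-j") + 1]
            trace.append(f"{chain}: {' '.join(rule)}")
            if target in ("ACCEPT", "DROP", "RETURN"):
                return None if target == "RETURN" else target
            if sub := walk(chains, policy, target, pkt, trace):
                return sub                # verdict from a user-defined chain
    return None if policy[chain] == "-" else policy[chain]

def forward_verdict(pkt, docker_user_insert=()):
    # pkt = {"in", "out", "ctstate"}; docker_user_insert mimics 'iptables -I DOCKER-USER ...'
    chains, policy = {}, {}
    for tok in map(shlex.split, FILTER_RULES.split("\n")):
        if tok and tok[0][0] == ":":
            chains[tok[0][1:]], policy[tok[0][1:]] = [], tok[1]
        elif tok:
            chains[tok[1]].append(tok[2:])
    chains["DOCKER-USER"][:0] = [shlex.split(r) for r in docker_user_insert]
    return walk(chains, policy, "FORWARD", pkt, trace := []), trace
```

`forward_verdict({"in": "br0", "out": "br0", "ctstate": "NEW"})` returns DROP with a trace showing both DOCKER-USER and DOCKER-ISOLATION-STAGE-1 returning unmatched, while the same call with `["-i br0 -o br0 -j ACCEPT"]` returns ACCEPT; the reply direction (ctstate ESTABLISHED) is already accepted by the posted conntrack rule.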

I set all the routes I could think of, but it did not work.
this one,

sudo iptables -I DOCKER-USER -i eth1 -o br0 -j ACCEPT
sudo iptables -I DOCKER-USER -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

this one,

sudo iptables -I DOCKER-USER -i br0 -o enp7s0f0 -j ACCEPT
sudo iptables -I DOCKER-USER -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and this one.

sudo iptables -I DOCKER-USER -i eth1 -o enp7s0f0 -j ACCEPT
sudo iptables -I DOCKER-USER -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT