Can you try sudo iptables -P FORWARD ACCEPT and see if it helps.
Also, do you know why you are disabling connection tracking in the raw table? That's unlikely to be helping things.
I changed FORWARD to default ACCEPT
:FORWARD ACCEPT [0:0]
Flushed entire firewall and installed new rules.
Enabled forwarding for IPv4/IPv6 in sysctl.
Restarted snap.lxd.daemon.
Restarted container.
Same issue. So strange.
Conntrack is really bad for performance on the edge and prone to DoS attacks. We try to do stateless filtering with iptables as much as possible.
Thanks for all the help, btw.
At least I know where to look for the problem.
I will try to “revert” to pre-ipv6 rules and go backwards from there. Maybe something in between broke.
At this point I would normally start using tcpdump on both the lxdbr0 and external interfaces to check which packets are getting out and which ones are being dropped.
I don't see how you can use a stateless firewall and MASQUERADE NAT from lxdbr0 to the host's external IP. Otherwise the return packets can't be routed back to the originating container.
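The point raised in the last reply, and in the earlier question about disabling conntrack in the raw table, can be checked mechanically. Below is an added example that is not code posted by anyone in this thread: a small shell/awk lint that reads an iptables-save dump and flags a raw-table NOTRACK that also covers traffic the nat table expects to MASQUERADE. NAT is performed by conntrack, so an untracked packet is never translated in either direction. lxdbr0 is the bridge from the thread; the uplink name eth0, the bridge subnet 10.10.10.0/24, the external IP 203.0.113.10 and all three rule dumps are constructed for the example. The lint only keys on the bridge interface and the external IP, not on subnet-based exclusions.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: a lint for an
# iptables-save dump that flags a raw-table NOTRACK covering traffic the
# nat table expects to MASQUERADE. NAT is carried out by conntrack, so an
# untracked packet is never translated: the container's outbound packet
# (arriving on lxdbr0) and the reply (arriving on the uplink, addressed to
# the host's external IP) must both be tracked. lxdbr0 is from the thread;
# eth0, 10.10.10.0/24 and 203.0.113.10 are assumed values for the samples.

BRIDGE=lxdbr0
EXT_IP=203.0.113.10

# Constructed sample 1: everything untracked, NAT still expected to work.
BROKEN_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample 2: the bridge side is excluded from NOTRACK, but the
# replies coming back to the host IP are still untracked, so reverse NAT
# never happens and the container sees no answers.
HALF_FIXED_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -i lxdbr0 -j NOTRACK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample 3: transit traffic stays stateless, but anything from
# the bridge or addressed to the host's external IP is tracked (RETURN in a
# built-in chain falls through to the chain's ACCEPT policy).
FIXED_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i lxdbr0 -j RETURN
-A PREROUTING -d 203.0.113.10/32 -j RETURN
-A PREROUTING -j NOTRACK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT'

# lint_nat_vs_notrack "<iptables-save text>"
# Prints one line per finding and returns 1 if there is any, 0 when clean.
# Only raw/PREROUTING is inspected: that is where both directions of a
# forwarded, masqueraded flow first hit the raw table.
lint_nat_vs_notrack() {
    printf '%s\n' "$1" | awk -v bridge="$BRIDGE" -v ext_ip="$EXT_IP" '
        /^\*/     { table = substr($0, 2); next }
        /^COMMIT/ { table = ""; next }
        table == "nat" && /-j MASQUERADE/ { masq++; next }
        table != "raw" || $1 != "-A" || $2 != "PREROUTING" { next }
        # A RETURN earlier in the chain shields what it matches from NOTRACK.
        /-j RETURN/ {
            if ($0 ~ ("-i " bridge " ")) excl_bridge = 1
            if ($0 ~ ("-d " ext_ip "(/32)? ")) excl_ext = 1
            next
        }
        /-j NOTRACK/ || /-j CT --notrack/ {
            if (!excl_bridge && $0 !~ ("! -i " bridge " ")) bad_bridge++
            if (!excl_ext && $0 !~ ("! -d " ext_ip "(/32)? ")) bad_ext++
        }
        END {
            if (!masq) exit 0
            rc = 0
            if (bad_bridge) {
                print "raw/PREROUTING untracks packets from " bridge ": MASQUERADE never sees them"
                rc = 1
            }
            if (bad_ext) {
                print "raw/PREROUTING untracks replies to " ext_ip ": they cannot be reverse-NATed to the container"
                rc = 1
            }
            exit rc
        }'
}

# Stand-alone demo: lint all three constructed samples.
for name in BROKEN_RULES HALF_FIXED_RULES FIXED_RULES; do
    eval "rules=\$$name"
    printf '== %s\n' "$name"
    lint_nat_vs_notrack "$rules" && echo "ok: every masqueraded flow stays tracked"
done
```

The third sample is the compromise the reply above implies: forwarded transit traffic can stay untracked, but masqueraded replies are addressed to the host's own external IP and are indistinguishable from host-bound traffic at raw PREROUTING, so that traffic has to be tracked for the container to get its answers back.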