No internet access from container (as root)

I cannot resolve an issue with internet access from a container. Can you help me please? I use LXD 4.3.
From my container:

# ping 8.8.8.8 - doesn't work
# ping <host ip> - works

Tried with containers on CentOS 7 and Ubuntu 18, same issue. It's interesting that in one of the containers (where I added a proxy device and mapped a user) I can access the internet as a non-root user (though all containers use the same default profile and lxdbr0).

Host os: Ubuntu 20.04
One container's internal IP: 10.0.200.133.

Commands on host:

lxc config show os1 --expanded

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Centos 7 amd64 (20200703_07:08)
  image.os: Centos
  image.release: "7"
  image.serial: "20200703_07:08"
  image.type: squashfs
  raw.idmap: both 1000 1000
  volatile.base_image: ef84015078407f31c1db169344742b7062deb465189a5a3ec186e9d1e0cb4185
  volatile.eth0.host_name: vetha95bafd5
  volatile.eth0.hwaddr: 00:16:3e:af:11:df
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

lxc network info lxdbr0

Name: lxdbr0
MAC address: 3e:31:f9:8c:13:26
MTU: 1500
State: up

Ips:
  inet  10.0.200.1
  inet6 fe80::a4f1:adff:fe18:f67f

Network usage:
  Bytes received: 7.93kB
  Bytes sent: 45.28kB
  Packets received: 94
  Packets sent: 261

iptables -L -v -n -t nat

Chain PREROUTING (policy ACCEPT 311 packets, 34583 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7  1549 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 135 packets, 20414 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4543 packets, 829K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 4501 packets, 821K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-42712dcc4910  172.18.0.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-3122fd0dcf95  172.19.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-42712dcc4910 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-3122fd0dcf95 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-42712dcc4910 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 to:172.18.0.2:80

iptables -L -v -n -t filter

Chain INPUT (policy ACCEPT 131K packets, 223M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 25 packets, 2552 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  2552 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  2552 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-42712dcc4910 !br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-42712dcc4910 br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-3122fd0dcf95 !br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-3122fd0dcf95 br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 96022 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-42712dcc4910 br-42712dcc4910  0.0.0.0/0            172.18.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-42712dcc4910 !br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-3122fd0dcf95 !br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
   25  2552 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   25  2552 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables-legacy -L -v -n -t nat

Chain PREROUTING (policy ACCEPT 319 packets, 35429 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8  1853 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 139 packets, 21087 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4623 packets, 854K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 4580 packets, 847K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-42712dcc4910  172.18.0.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-3122fd0dcf95  172.19.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-42712dcc4910 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-3122fd0dcf95 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-42712dcc4910 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 to:172.18.0.2:80

iptables-legacy -L -v -n -t filter

Chain INPUT (policy ACCEPT 131K packets, 223M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 25 packets, 2552 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  2552 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  2552 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-42712dcc4910 !br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-42712dcc4910 br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-3122fd0dcf95 !br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-3122fd0dcf95 br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 96652 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-42712dcc4910 br-42712dcc4910  0.0.0.0/0            172.18.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-42712dcc4910 !br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-3122fd0dcf95 !br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
   25  2552 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-42712dcc4910  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-3122fd0dcf95  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   25  2552 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

cat /etc/netplan/01-network-manager-all.yaml

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

Your firewall shows you have Docker installed on the host. Docker installs firewall rules that interfere with LXD (a search for docker on this forum will show various issues similar to yours).


Try with sudo iptables -I FORWARD -i br0 -o br0 -j ACCEPT, but please change the bridge name to reflect your own…

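Both replies point at the same thing, and the listings above confirm it: Docker has set the filter FORWARD chain policy to DROP (the chain header shows 25 packets dropped by that policy) and not one rule in the chain mentions lxdbr0. Pinging the host IP works because that traffic goes through INPUT (policy ACCEPT); pinging 8.8.8.8 has to be forwarded from lxdbr0 to the uplink, and FORWARD drops it. The script below is an added example for this thread, not code from the original posts or from LXD. It parses iptables -S FORWARD output, reports which bridge-scoped ACCEPT rules are missing, and with --apply (as root) inserts only those. The bridge name lxdbr0 comes from the thread; the sample rule dump is constructed to mirror the poster's listing; restricting the return path to RELATED,ESTABLISHED and treating a rule of the form -i lxdbr0 -o lxdbr0 as insufficient (it only covers bridge-to-bridge forwarding, not bridge-to-uplink) are my choices.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from LXD.
# Reads `iptables -S FORWARD` output, reports which ACCEPT rules for the LXD
# bridge are missing, and (with --apply, as root) inserts only those.
# Assumptions: bridge name lxdbr0 (from the thread); Docker has set the chain
# policy to DROP, as in the poster's listing.
BRIDGE="${BRIDGE:-lxdbr0}"

# Constructed sample of `iptables -S FORWARD` mirroring the thread's listing:
# policy DROP, only Docker rules, nothing that mentions lxdbr0.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# forward_policy DUMP: prints the chain policy (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# has_accept_rule DUMP FLAG BRIDGE OTHER: succeeds if some FORWARD rule accepts
# packets matched by "FLAG BRIDGE" (e.g. "-i lxdbr0") without also restricting
# on OTHER. A rule like "-i lxdbr0 -o lxdbr0 -j ACCEPT" only covers
# bridge-to-bridge traffic, so it does not count for either direction.
has_accept_rule() {
    printf '%s\n' "$1" \
        | grep -- "^-A FORWARD .*$2 $3 .*-j ACCEPT$" \
        | grep -qv -- " $4 "
}

# missing_rules DUMP BRIDGE: prints the iptables commands still needed, one per
# line; empty output means the bridge is already covered. Both rules are
# scoped to the bridge, so the DROP policy keeps applying to everything else.
missing_rules() {
    dump="$1"; br="$2"
    # Egress: packets entering the host from the bridge (container -> internet).
    has_accept_rule "$dump" -i "$br" -o ||
        echo "iptables -I FORWARD -i $br -j ACCEPT"
    # Return path: only replies to connections the containers opened.
    has_accept_rule "$dump" -o "$br" -i ||
        echo "iptables -I FORWARD -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# count_missing DUMP BRIDGE: number of commands missing_rules would emit.
count_missing() {
    missing_rules "$1" "$2" | awk 'END { print NR }'
}

case "${1:-}" in
    --apply)
        # Real host: read the live chain and run only the missing commands.
        live="$(iptables -S FORWARD)"
        missing_rules "$live" "$BRIDGE" | while read -r cmd; do
            printf '+ %s\n' "$cmd"
            eval "$cmd" || exit 1
        done
        ;;
    *)
        # Dry run against the constructed sample: shows the policy and the
        # two commands that are missing for lxdbr0.
        printf 'FORWARD policy: %s\n' "$(forward_policy "$SAMPLE_FORWARD")"
        printf 'missing for %s:\n' "$BRIDGE"
        missing_rules "$SAMPLE_FORWARD" "$BRIDGE"
        ;;
esac
```

Run it as sudo sh lxd-forward-check.sh --apply on the host (the file name is mine); without arguments it only evaluates the built-in sample. The rules are deliberately scoped to the bridge rather than flipping the policy with iptables -P FORWARD ACCEPT: with ip_forward enabled, an ACCEPT policy turns the host into a router between every interface it has, while the scoped rules only open what the containers need. If the LXD containers should not reach Docker's bridge networks either, tighten the egress rule further with -o and your uplink interface name. Two caveats from the listings above: the nat table shows MASQUERADE only for the Docker subnets and nothing for 10.0.200.0/24, and the filter table shows no lxdbr0 rules at all, so check where LXD put its own rules (iptables -S | grep lxdbr0, iptables -t nat -S POSTROUTING, and nft list ruleset, since LXD 4.x can drive nftables directly) before assuming the FORWARD fix alone is enough. Rules added this way are not persistent across reboots, and Docker re-inserts its own DOCKER-USER and DOCKER-ISOLATION jumps at the top of FORWARD when it restarts; that is harmless here because those chains RETURN for non-Docker interfaces.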