No internet access inside container but container is able to ping to host

I’m using a bridge network by referring to this link: LXC/SimpleBridge - Debian Wiki (Host Device as bridge section)
I’m able to ping the host VM from the container but I have no internet access inside the container.
How do I enable internet access inside the container?

On Host VM:

~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic


~$ uname -a
Linux topas-dev 4.15.0-166-generic #174-Ubuntu SMP Wed Dec 8 19:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


~$ ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 08:00:27:04:85:57 brd ff:ff:ff:ff:ff:ff
3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 1000
link/ether 08:00:27:51:d4:16 brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a3:bc:b7:94 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 08:00:27:51:d4:16 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe51:d416/64 scope link
valid_lft forever preferred_lft forever
10: veth8SI4QR@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether fe:f0:f6:f1:2f:9f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::fcf0:f6ff:fef1:2f9f/64 scope link
valid_lft forever preferred_lft forever


~$ brctl show

bridge name bridge id STP enabled interfaces
br0 8000.08002751d416 no enp0s3 veth8SI4QR

docker0 8000.0242a3bcb794 no


~$ cat /var/lib/lxc/config
lxc.idmap = u 0 231072 1004
lxc.idmap = g 0 231072 1005
lxc.idmap = u 1004 1004 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 232077 64531
lxc.idmap = g 1007 232078 64530
lxc.console.path = none
lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.net.0.ipv4.gateway = 10.0.2.2
lxc.net.0.ipv4.address = 10.0.2.10/24


~$ cat /etc/default/lxc-net
USE_LXC_BRIDGE="false"

LXC_BRIDGE="br0"
LXC_ADDR="10.0.2.15"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.2.0/24"
LXC_DHCP_RANGE="10.0.2.16,10.0.2.254"
LXC_DHCP_MAX="239"

~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.15.0-166-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/rdma
/sys/fs/cgroup/pids
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/devices
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/freezer
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig

On Container:

root@topas-dev:/var/lib/lxc# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic


root@topas-dev:/var/lib/lxc# uname -a
Linux topas-dev 4.15.0-166-generic #174-Ubuntu SMP Wed Dec 8 19:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
root@topas-dev:/var/lib/lxc# ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:16:3e:54:ff:9f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.2.10/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe54:ff9f/64 scope link
valid_lft forever preferred_lft forever


root@topas-dev:/var/lib/lxc# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2049ms


root@topas-dev:/var/lib/lxc# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7165ms


root@topas-dev:/var/lib/lxc# ping 10.0.2.15
PING 10.0.2.15 (10.0.2.15) 56(84) bytes of data.
64 bytes from 10.0.2.15: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 10.0.2.15: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 10.0.2.15: icmp_seq=3 ttl=64 time=0.030 ms
64 bytes from 10.0.2.15: icmp_seq=4 ttl=64 time=0.030 ms
^C
--- 10.0.2.15 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3054ms
rtt min/avg/max/mdev = 0.030/0.030/0.032/0.005 ms


Hi @stgraber @brauner
Any ideas?

I see you have a docker bridge too. Docker has a very annoying tendency to take over firewalling on your whole system and block everything but itself…

Look at iptables -L -n -v for any rule that could explain this behavior.

Thank you for the reply @stgraber. This is the output of the above command. Any ideas?

Chain INPUT (policy ACCEPT 4198 packets, 1146K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 9 packets, 756 bytes)
 pkts bytes target     prot opt in     out     source               destination         
9   756 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
9   756 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3750 packets, 409K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
9   756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
9   756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Any ideas @stgraber? Is this an issue with the firewall?

Yep, it is. Docker set your default FORWARD policy to DROP, which will eat all traffic that's not meant for Docker itself…

iptables -P FORWARD ACCEPT should temporarily fix that

Thank you so much @stgraber. That seems to fix the problem. I now have internet access inside the container.
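As an added example that is not part of the thread: a POSIX shell script that reads a saved "iptables -L -n -v" dump, detects the condition stgraber describes (FORWARD policy DROP with no ACCEPT rule for the LXC bridge), and prints a fix scoped to br0 in Docker's DOCKER-USER chain instead of the global "iptables -P FORWARD ACCEPT". The sample dump is a constructed excerpt of the one posted above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a saved "iptables -L -n -v"
# dump, detect the condition stgraber points at (FORWARD policy DROP and no
# ACCEPT rule for the LXC bridge) and print a fix scoped to that bridge.

# Constructed excerpt of the dump posted above.
SAMPLE='Chain INPUT (policy ACCEPT 4198 packets, 1146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 9 packets, 756 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   756 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# forward_policy DUMP: print the FORWARD chain's default policy (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# bridge_allowed DUMP BRIDGE: succeed if FORWARD or DOCKER-USER already holds an
# ACCEPT rule whose "in" or "out" interface is BRIDGE.
bridge_allowed() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^Chain / { chain = $2 }
        (chain == "FORWARD" || chain == "DOCKER-USER") &&
            $3 == "ACCEPT" && ($6 == br || $7 == br) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose DUMP BRIDGE: print "ok" or "blocked"; when blocked, print on stderr
# the rules to add. Docker enables br_netfilter, so frames bridged through
# BRIDGE also traverse FORWARD; DOCKER-USER runs first and survives Docker
# restarts, so allowing only BRIDGE there avoids "iptables -P FORWARD ACCEPT".
diagnose() {
    policy=$(forward_policy "$1")
    if [ "$policy" = DROP ] && ! bridge_allowed "$1" "$2"; then
        printf 'iptables -I DOCKER-USER -i %s -j ACCEPT\n' "$2" >&2
        printf 'iptables -I DOCKER-USER -o %s -j ACCEPT\n' "$2" >&2
        echo blocked
    else
        echo ok
    fi
}

diagnose "$SAMPLE" br0
```

Feed it the real dump with SAMPLE=$(iptables -L -n -v) to check a live host; the printed rules need root to apply.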