Port forwarding loopback

In a normal LXD setup, I try to forward a port to a container, using lxc network forward, like this:

lxc network forward create lxdbr0 $HOST_IP
lxc network forward port add lxdbr0 $HOST_IP tcp 3478 $CONTAINER_IP
lxc network forward port add lxdbr0 $HOST_IP udp 3478 $CONTAINER_IP
lxc network forward list lxdbr0
lxc network forward show lxdbr0 $HOST_IP

To make sure that the port forward is working, I use netcat:

  1. Inside the container: nc -u -l 3478
  2. Outside the container nc -u $HOST_IP 3478

When I run the second command from the host (LXD server) or some other host, it works. However when I run it from another container (in the same LXD host) it does not work.

What is going on here? And how can I fix this?

Please can you run lxc warning list and look for an entry like this:

lxc warning list
|                 UUID                 |                         TYPE                         | STATUS | SEVERITY | COUNT | PROJECT |          LAST SEEN           |
| 9c94b4dc-deda-40bd-bd13-f6856ffba630 | Proxy bridge netfilter not enabled                   | NEW    | LOW      | 2     | default | Jan 25, 2023 at 8:14am (UTC) |

Then lxc warning show <uuid>, e.g:

lxc warning show 9c94b4dc-deda-40bd-bd13-f6856ffba630
status: new
uuid: 9c94b4dc-deda-40bd-bd13-f6856ffba630
location: none
project: default
type: Proxy bridge netfilter not enabled
count: 2
first_seen_at: 2023-01-25T08:13:47.695764445Z
last_seen_at: 2023-01-25T08:14:48.804692528Z
last_message: 'IPv4 bridge netfilter not enabled. Instances using the bridge will
  not be able to connect to the forward listen IPs: br_netfilter kernel module not
severity: low
entity_url: ""

And then consider the implications of enabling br_netfilter (that intra-bridge traffic will now be filtered by the host’s firewall, and that this may cause some packets to be dropped that were allowed before), and if OK, follow the suggestion:

sudo modprobe br_netfilter

You will also need to make this persistent on reboot.

Then loop-back DNAT should work as expected.

1 Like

I don’t have such a warning.

I was trying to install a TURN server on a container, so that it can be used by BBB on another container. However the latest installation script of BBB (bbb-install-2.6-turn.sh – still in beta) installs coturn inside the BBB machine, so that there is no need for an external TURN server.

However it may still be useful to know how to fix this problem, in case it shows up in other situations.

modprobe br_netfilter

What are the implications of this? That lxc network forward cannot be used anymore to forward ports to containers?

What is the reason that loop-back DNAT does not normally work, in the first place?

The implications are what I mentioned above:

that intra-bridge traffic will now be filtered by the host’s firewall, and that this may cause some packets to be dropped that were allowed before

So if you had, for example, a rule in your host’s firewall in the FORWARD chain that said “drop all packets”, before enabling br_netfilter traffic between instances using the bridge would have been allowed.

But as soon as you enable br_netfilter, the intra-bridge traffic starts going through your host’s firewall.
This is good, as it enables the loopback network forward DNAT to work.
But it can also potentially cause issues, as in our contrived example above, now all intra-bridge traffic would be blocked.

With lsmod I can confirm that the module br_netfilter is already loaded by default.
And when I test again (loopback DNAT) it now works.
I did not do anything at all to fix it.
I don’t know how to explain why it didn’t work before.

1 Like