Potential proxy issue with 6.14

So using the once bitten principle, rather than upgrade my main server to 6.14 I set up a new server from scratch and did a new install. Once happy I copied my first container over, this container runs NPM and handles all the proxy work.

I’m listening on # 443 on two interfaces, binding to host IPs with NAT turned on so I can get client addresses.

  • br_netfilter is loaded
  • no errors in the log file
  • no errors updating the config / profile

  https:
    bind: host
    connect: tcp:10.106.102.2:443
    listen: tcp:91.99.160.69:443
    nat: 'true'
    type: proxy
  https-vpn:
    bind: host
    connect: tcp:10.106.102.2:443
    listen: tcp:192.168.5.1:443
    nat: 'true'
    type: proxy

This produces no listeners on the host. If I set ‘nat’ to false, it works fine and I get two ports listening on # 443. Same container, same config on 6.13, works fine.

I know there are issues re: br_netfilter being loaded, only connecting to an overridden IP address etc, but afaik these should all be satisfied (and the original copy works on the old server).

Anyone any ideas what I’m missing, or is this a 6.14 problem?

Nothing changed in the proxy code in several releases.

When you use NAT, Incus configures iptables or nftables to forward the port so there is no process listening on that port on the host.

That would explain it, many thanks :slight_smile: … I’m now wondering why I didn’t spot this on the original server…

It does now leave me a little concerned, this means that I effectively have listening ports on my server that don’t show up in netstat. Is there an easy way to list “effective” listening ports, i.e. open ports and forwarded ports, or is it a case of needing to read and understand nftables entries?

There are two types of proxy devices. The common ones require a process called forkproxy that opens one port on the host, and one in the container.

There’s the ss command with some parameters that you have to look for. Here’s a starting point.

sudo ss -stnlp | grep :80

When you use nat=true, then this type of proxy device does not bind to ports but uses firewall rules. You need to read the rules.
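As an added example (not code from the thread or from the Incus project) of what "reading the rules" amounts to in practice: the script below merges the sockets `ss` reports with the DNAT forwards found in `nft -j list ruleset` or `iptables-save -t nat`, so a nat=true proxy device shows up in the same list as a real listener. The `ss`, nft JSON and iptables-save inputs embedded here are constructed samples modelled on the two proxy devices above (one rendered as an nftables rule, one as an iptables rule to cover both backends the reply mentions); the chain name `prert.https` and rule handles are assumptions, not Incus's actual naming. Run it as root to read the live ruleset, or unprivileged to see the sample merge.

```python
"""List "effective" listeners: ss(8) sockets plus DNAT forwards from nft/iptables."""
import json
import re
import shutil
import subprocess

# --- constructed sample inputs (not captured from the poster's host) ---
SAMPLE_SS = """LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# nft -j list ruleset style JSON; table/chain names are assumptions
SAMPLE_NFT_JSON = {"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "incus", "handle": 1}},
    {"chain": {"family": "inet", "table": "incus", "name": "prert.https",
               "handle": 2, "type": "nat", "hook": "prerouting", "prio": -100}},
    {"rule": {"family": "inet", "table": "incus", "chain": "prert.https", "handle": 3,
              "expr": [
                  {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                             "right": "91.99.160.69"}},
                  {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                             "right": 443}},
                  {"dnat": {"family": "ip", "addr": "10.106.102.2", "port": 443}}]}},
]}

# iptables-save -t nat style text for the second (vpn) device
SAMPLE_IPTABLES_SAVE = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.5.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.106.102.2:443
COMMIT
"""


def parse_ss(text, proto="tcp"):
    """Parse 'ss -Htnl' lines: State Recv-Q Send-Q Local:Port Peer:Port."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[3].rpartition(":")  # works for [::]:22 too
        if port.isdigit():
            entries.append({"kind": "socket", "proto": proto, "addr": addr,
                            "port": int(port), "to": None})
    return entries


def parse_nft_ruleset(ruleset):
    """Pull (daddr, dport) -> dnat target out of nft JSON rules."""
    forwards = []
    for item in ruleset.get("nftables", []):
        rule = item.get("rule")
        if not rule:
            continue
        addr, port, proto, target = None, None, None, None
        for expr in rule.get("expr", []):
            match = expr.get("match")
            if match:
                payload = match.get("left", {}).get("payload")
                if not payload:
                    continue
                if payload.get("field") == "daddr":
                    addr = str(match["right"])
                elif payload.get("field") == "dport" and isinstance(match["right"], int):
                    proto, port = payload.get("protocol"), match["right"]
            elif "dnat" in expr:
                d = expr["dnat"]
                target = f"{d.get('addr', '?')}:{d.get('port', port)}"
        if target and port is not None:
            forwards.append({"kind": "dnat", "proto": proto or "?", "addr": addr or "*",
                             "port": port, "to": target})
    return forwards


def parse_iptables_save(text):
    """Pull DNAT forwards out of iptables-save nat table text."""
    forwards = []
    for line in text.splitlines():
        if not line.startswith("-A PREROUTING") or "-j DNAT" not in line:
            continue
        addr = re.search(r" -d (\S+)", line)
        proto = re.search(r" -p (\w+)", line)
        port = re.search(r" --dport (\d+)", line)
        to = re.search(r" --to-destination (\S+)", line)
        if port and to:
            forwards.append({"kind": "dnat", "proto": proto.group(1) if proto else "?",
                             "addr": addr.group(1).split("/")[0] if addr else "*",
                             "port": int(port.group(1)), "to": to.group(1)})
    return forwards


def effective_listeners(ss_text, nft_ruleset=None, iptables_text=None):
    """Merge sockets and firewall forwards into one port-ordered list."""
    entries = parse_ss(ss_text)
    if nft_ruleset:
        entries += parse_nft_ruleset(nft_ruleset)
    if iptables_text:
        entries += parse_iptables_save(iptables_text)
    return sorted(entries, key=lambda e: (e["port"], e["addr"], e["kind"]))


def collect_live():
    """Read the real host (nft/iptables need root); None if ss is unavailable."""
    if not shutil.which("ss"):
        return None
    ss_text = subprocess.run(["ss", "-Htnl"], capture_output=True, text=True, check=True).stdout
    nft = ipt = None
    if shutil.which("nft"):
        r = subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True, text=True)
        if r.returncode == 0:
            nft = json.loads(r.stdout)
    if shutil.which("iptables-save"):
        r = subprocess.run(["iptables-save", "-t", "nat"], capture_output=True, text=True)
        if r.returncode == 0:
            ipt = r.stdout
    return effective_listeners(ss_text, nft, ipt)


if __name__ == "__main__":
    rows = collect_live() or effective_listeners(SAMPLE_SS, SAMPLE_NFT_JSON, SAMPLE_IPTABLES_SAVE)
    for e in rows:
        print(f"{e['kind']:6} {e['proto']:4} {e['addr']}:{e['port']}" + (f" -> {e['to']}" if e["to"] else ""))
```

On the sample data the two :443 entries come out tagged `dnat` with their container target, while no `socket` row exists for 443, which is exactly the netstat blind spot raised above. The parsers are deliberately narrow (PREROUTING DNAT and nft `dnat` statements only); REDIRECT rules, port ranges and set-based matches are skipped rather than guessed at.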