Problem getting networking to work in containers with Fedora host

Hello,
I have installed Incus on my Fedora 42 machine. I ran incus admin init and kept everything at the default option except IPv6, which I disabled.

I launched a container with incus launch images:debian/12/default debian-test and then went into it with incus shell debian-test. Inside the container I tried to run apt update but it seems like the networking doesn’t work. ping 1.1.1.1 seems to just get stuck too with no error.

This is the output of ip a inside the container:

root@debian-test3:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:66:6a:44:54:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.153.209.132/24 metric 1024 brd 10.153.209.255 scope global dynamic eth0
       valid_lft 3136sec preferred_lft 3136sec
    inet6 fe80::1266:6aff:fe44:540e/64 scope link 
       valid_lft forever preferred_lft forever

This is the config of incusbr0:

config:
  ipv4.address: 10.153.209.1/24
  ipv6.address: none
  ipv6.dhcp: "false"
  ipv6.nat: "false"
  ipv6.routing: "false"
description: ""
name: incusbr0
type: bridge
used_by:
- /1.0/instances/debian-test
- /1.0/instances/debian-test2
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
project: default

I have tried to disable IPv6 since my LAN doesn’t support it. I also don’t have a public IPv6 address but I don’t think that matters.
When looking for a solution I found that you first need to configure the Fedora firewall to allow Incus, so I ran:

sudo firewall-cmd --zone=trusted --change-interface=incusbr0 --permanent
sudo firewall-cmd --reload

from this forum post.
Docker isn’t installed on the host any more; it was installed previously, but the DOCKER-USER chain doesn’t seem to exist any more.
This is the output of ip a show incusbr0 on the host:

4: incusbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:66:6a:40:a5:ae brd ff:ff:ff:ff:ff:ff
    inet 10.153.209.1/24 scope global incusbr0
       valid_lft forever preferred_lft forever

Thanks!

I solved the issue by enabling masquerading on the host with:

sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
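The thread's symptom (a DHCP lease on eth0 but pings that hang) and its fix (firewalld masquerading) both come down to whether anything on the host source-NATs traffic leaving the bridge. The script below is an added example, not part of the original posts or of Incus: it reads the `ipv4.nat` key from `incus network show` output (the incusbr0 config quoted above has no such key) and combines it with the firewalld masquerade state. The function names and verdict strings are made up for this example, and it assumes outbound IPv4 needs kernel forwarding plus source NAT from either Incus or firewalld.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): report which component, if any,
# source-NATs IPv4 traffic leaving an Incus bridge. Names here are hypothetical.

# Print the value of KEY from the top-level "config:" map of `incus network show`
# YAML read on stdin. Prints nothing when the key is unset.
net_config_value() {
  awk -v key="$1" '
    /^config:/ { in_cfg = 1; next }
    /^[^ \t]/  { in_cfg = 0 }          # any other top-level key ends the map
    in_cfg {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, key ":") == 1) {
        val = substr(line, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$|"/, "", val)   # trim blanks and YAML quotes
        print val
        exit
      }
    }'
}

# nat_verdict IP_FORWARD IPV4_NAT FIREWALLD_MASQUERADE
# Prints one of: no-forwarding, nat-by-incus, nat-by-firewalld, no-source-nat.
nat_verdict() {
  local fwd="$1" incus_nat="$2" fw_masq="$3"
  if [ "$fwd" != "1" ]; then echo "no-forwarding"
  elif [ "$incus_nat" = "true" ]; then echo "nat-by-incus"
  elif [ "$fw_masq" = "yes" ]; then echo "nat-by-firewalld"
  else echo "no-source-nat"
  fi
}

# Gather the three facts on a live host (needs sysctl, incus and firewall-cmd).
check_bridge() {
  local bridge="${1:-incusbr0}" fwd nat masq
  fwd=$(sysctl -n net.ipv4.ip_forward)
  nat=$(incus network show "$bridge" | net_config_value ipv4.nat)
  # Without --zone, --query-masquerade looks at the default zone only.
  if firewall-cmd --query-masquerade >/dev/null 2>&1; then masq=yes; else masq=no; fi
  nat_verdict "$fwd" "$nat" "$masq"
}

# Run against the live host only when asked: ./check-nat.sh --live [bridge]
if [ "${1:-}" = "--live" ]; then check_bridge "${2:-incusbr0}"; fi
```

`firewall-cmd --add-masquerade` without `--zone`, as used in the fix above, applies to the default zone, which is the same zone this check queries.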