Problems accessing http(s) from container with ports 80 and 443 forwarded

I’ve installed LXD on a Centos 7.6 VPS using the default options and following the steps on @stgraber’s guide LXD on Centos 7.

Then created a Centos 7.6 container and installed NGINX and RSync server.

Attached the IP assigned by the bridge as a fixed IP to the container, assuming it is using the default bridge lxdbr0:

$ lxc stop
$ lxc network attach lxdbr0 eth0 eth0
$ lxc config device set eth0 ipv4.address [IP address]
$ lxc start

Activated masquerade:

$ sudo firewall-cmd --add-masquerade

Forwarded port 80 on the host to the LXD container port 80

$ sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=80:toaddr=[IP address]

Forwarded port 443 on the host to the LXD container port 443

$ sudo firewall-cmd --add-forward-port=port=443:proto=tcp:toport=443:toaddr=[IP address]

Forwarded port 873 on the host to the LXD container port 873

$ sudo firewall-cmd --add-forward-port=port=873:proto=tcp:toport=873:toaddr=

I can successfully access NGINX both from the host and remotely but I can’t access http or https from the container after forwarding the ports.

For instance, if I run curl http://google.com I get the homepage of NGINX installed on the container.

And if I remove MASQUERADE:

$ sudo firewall-cmd --remove-masquerade

Trying to run curl http://google.com times out despite being able to ping Google from the container.

I could use a different port for NGINX on the container but I’m afraid I can’t run the RSync server on a different port.

I’m trying to avoid using the proxy directly on LXD for performance reasons as this server may have a bit of traffic.

Am I doing anything wrong? Any suggestions?

I am not familiar with FirewallD.
I assume that, internally, FirewallD creates iptables rules. If you were to investigate this issue further, you would look into the set of iptables rules that have been created.

In addition, you mention that any access to google.com would bring the homepage of your nginx.
This is weird, as if you have created a captive portal by accident.
I would consider the google.com issue as a primarily FirewallD issue and not a LXD issue.

It seems the container gets stuck into a redirection loop.

I don’t know how NAT works on the LXD bridge, but maybe there is some sort of conflict between firewalld and LXD NATs. (double NATting?)

I’m wondering if people running LXD on CentOS are finding similar problems or whether I’m missing a step somewhere on my setup.

Can anyone reproduce this problem?

I have an identical issue on Ubuntu 18 running lxd containers. And oddly enough the apparent redirection persists even after running “ufw disable” to disable the firewall.
Here is the tcpdump. If I, from the container, try to telnet to bbc port 443:
IP 10.223.8.144.47004 > 10.223.8.144.https: Flags [S],
This is the ip address of the container

If I change the target port to 444 I get the expected result
IP 10.223.8.144.37332 > 151.101.128.81.snpp: Flags [S],
which is sending to the bbc ip address

Maybe my incoming redirect rules are not configured properly, something I should look at.

George

This might be the problem. My redirect rules do not specify the incoming interface such as eth0; maybe the problem will be solved if I update the rule to specify the interface:
-A PREROUTING -p tcp --dport 80 -j DNAT --to 10.223.8.144:80
-A PREROUTING -p tcp --dport 443 -j DNAT --to 10.223.8.144:443

George


Yes, problem solved!!
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.223.8.144:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.223.8.144

George
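The two rule sets George posted differ only in the `-i eth0` match, and that difference is the whole story: a PREROUTING DNAT rule without an input interface also matches packets the container itself sends out, because those arrive at the host on the bridge (lxdbr0) and pass through the same PREROUTING chain. The following is an added, constructed model of that matching logic (not code from this thread or from LXD/firewalld/iptables); it talks to no real netfilter and the IP addresses 203.0.113.7 and 198.51.100.10 are made-up documentation-range values. It shows why the container's own :443 traffic was redirected back to 10.223.8.144 while :444 was not, and why the `-i eth0` version leaves container egress alone without losing the inbound forward.

```python
"""Model of how an iptables PREROUTING DNAT rule is matched.

Constructed illustration: rules, interfaces and packets are invented for
this example; nothing here touches a real netfilter ruleset.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str          # interface the packet arrived on at the host
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    dport: int
    to_addr: str
    to_port: Optional[int] = None    # None: keep the original port (like '--to 10.223.8.144')
    in_iface: Optional[str] = None   # None: no '-i', so any inbound interface matches
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return pkt.proto == self.proto and pkt.dport == self.dport


def prerouting(rules: List[DnatRule], pkt: Packet) -> Tuple[str, int]:
    """Return the (dst, dport) the packet has after the nat PREROUTING chain.

    DNAT is a terminating target, so the first matching rule wins.
    """
    for rule in rules:
        if rule.matches(pkt):
            return (rule.to_addr, rule.to_port if rule.to_port is not None else pkt.dport)
    return (pkt.dst, pkt.dport)


CONTAINER_IP = "10.223.8.144"   # the container address from George's posts
WAN_IFACE = "eth0"              # host's external interface (assumed name)
BRIDGE_IFACE = "lxdbr0"         # LXD bridge the container hangs off (assumed name)

# George's first rule set: no -i, so packets from the bridge qualify too.
BROAD_RULES = [
    DnatRule(80, CONTAINER_IP, 80),
    DnatRule(443, CONTAINER_IP, 443),
]
# The fixed rule set: only packets entering on eth0 are forwarded.
SCOPED_RULES = [
    DnatRule(80, CONTAINER_IP, 80, in_iface=WAN_IFACE),
    DnatRule(443, CONTAINER_IP, in_iface=WAN_IFACE),   # '--to 10.223.8.144', port kept
]


def container_egress(rules: List[DnatRule], dst: str = "151.101.128.81",
                     dport: int = 443) -> Tuple[str, int]:
    """Where a packet the container sends to the Internet ends up.

    The container's traffic reaches the host on the bridge, not on eth0,
    yet it still traverses the host's nat PREROUTING chain.
    """
    pkt = Packet(in_iface=BRIDGE_IFACE, src=CONTAINER_IP, dst=dst, dport=dport)
    return prerouting(rules, pkt)


def internet_ingress(rules: List[DnatRule], dport: int = 443) -> Tuple[str, int]:
    """Where a packet from an outside client to the host's public address ends up."""
    pkt = Packet(in_iface=WAN_IFACE, src="203.0.113.7", dst="198.51.100.10", dport=dport)
    return prerouting(rules, pkt)


def unscoped_rules(rules: List[DnatRule]) -> List[DnatRule]:
    """Audit helper: DNAT rules that carry no input-interface restriction."""
    return [r for r in rules if r.in_iface is None]


if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("scoped", SCOPED_RULES)):
        print(name, "container -> bbc:443 becomes", container_egress(rules))
        print(name, "container -> bbc:444 becomes", container_egress(rules, dport=444))
        print(name, "client -> host:443 becomes", internet_ingress(rules))
        print(name, "rules without -i:", len(unscoped_rules(rules)))
```

With the broad rules the model reproduces the tcpdump in the thread: the container's SYN to 151.101.128.81:443 leaves PREROUTING addressed to 10.223.8.144:443, its own nginx, while port 444 passes through untouched. The scoped rules still DNAT the inbound connection on eth0 but leave bridge traffic alone. The same reasoning applies to firewalld: a forward-port attached to a zone that also catches the bridge interface (an interface bound to no zone falls into the default zone) generates an equally broad rule, so the check worth doing on the host is to dump the nat PREROUTING chain and confirm every DNAT line names the external interface.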