Problems accessing http(s) from container with ports 80 and 443 forwarded

I’ve installed LXD on a Centos 7.6 VPS using the default options and following the steps on @stgraber’s guide LXD on Centos 7.

Then created a Centos 7.6 container and installed NGINX and RSync server.

Attached the IP assigned by the birdge as a fixed IP to the container assuming it is using the default bridge lxdbr0:

$ lxc stop
$ lxc network attach lxdbr0 eth0 eth0
$ lxc config device set eth0 ipv4.address [IP address]
$ lxc start

Activated masquerade:

$ sudo firewall-cmd --add-masquerade

Forwarded port 80 on the host to the LXD container port 80

$ sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=80:toaddr=[IP address]

Forwarded port 443 on the host to the LXD container port 443

$ sudo firewall-cmd --add-forward-port=port=443:proto=tcp:toport=443:toaddr=[IP address]

Forwarded port 873 on the host to the LXD container port 873

$ sudo firewall-cmd --add-forward-port=port=873:proto=tcp:toport=873:toaddr=

I can successfully access NGINX both from the host and remotely but I can’t access http or https from the container after forwarding the ports.

For instance, if I run curl http://google.com I get the homepage of NGINX installed on the container.

And if I remove MASQUERADE:

$ sudo firewall-cmd --remove-masquerade

Trying to run curl http://google.com times out despite being able to ping Google from the container.

I could use a different port for NGINX on the container but I’m afraid I can’t run the RSync server on a different port.

I’m trying to avoid using the proxy directly on LXD for performance reasons as this server may have a bit of traffic.

Am I doing anything wrong? Any suggestions?

I am not familiar with FirewallD.
I assume that, internally, FirewallD creates iptables rules. If you were to investigate this issue further, you would look into the set of iptables rules that have been created.

In addition, you mention that any access to google.com would bring the homepage of your nginx.
This is weird, as if you have created a captive portal by accident.
I would consider the google.com issue as a primarily FirewallD issue and not a LXD issue.

It seems the container gets stuck into a redirection loop.

I don’t know how NAT works on the LXD bridge, but maybe there is some sort of conflict between firewalld and LXD NATs. (double NATting?)

I’m wondering if people running LXD on CentOS are finding similar problems or whether I’m missing a step somewhere on my setup.

Can anyone reproduce this problem?