There's no internet inside the lxc container!

lxc-create  --version
5.0.0

I installed an Ubuntu jammy rootfs via

lxc-create -t download -n ubuntu -- -d ubuntu -r jammy -a amd64

Config

~$ sudo cat /var/lib/lxc/ubuntu/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/ubuntu/rootfs
lxc.uts.name = ubuntu

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx

Iptables?

:~$ sudo iptables -t nat -L -n -v |grep 10.0
    0     0 MASQUERADE  all  --  *      eth0    10.0.3.0/24          0.0.0.0/0          
    0     0 MASQUERADE  all  --  *      eth0    10.0.3.0/24          0.0.0.0/0          
    0     0 MASQUERADE  all  --  *      eth0    10.0.3.0/24          0.0.0.0/0

After starting the container, if I run ping I get nothing and apt update fails.

Ubuntu 22.04.4 LTS ubuntu console

ubuntu login: root
Password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
Last login: Thu Aug  1 17:52:19 UTC 2024 on console
root@ubuntu:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.




^C
--- 1.1.1.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5124ms

root@ubuntu:~# apt update
0% [Connecting to archive.ubuntu.com (2620:2d:4000:1::102)] [Connecting to security.ubu
0% [Connecting to archive.ubuntu.com (2620:2d:4000:1::102)] [Connecting to security.ubu^C

Running tcpdump I see the packets are coming in on the lxcbr0 bridge.

:~$ sudo tcpdump -i lxcbr0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lxcbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:53:37.342195 IP6 user > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
17:53:37.342207 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
17:53:37.414165 IP6 user > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
17:53:37.534855 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:e8:53:fe (oui Unknown), length 278
17:53:37.534976 ARP, Request who-has 10.0.3.30 tell user, length 28
17:53:37.550169 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
17:53:37.878184 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
17:53:38.006184 IP6 :: > ff02::1:ffe8:53fe: ICMP6, neighbor solicitation, who has fe80::216:3eff:fee8:53fe, length 32
17:53:38.550173 ARP, Request who-has 10.0.3.30 tell user, length 28
17:53:39.030190 IP6 fe80::216:3eff:fee8:53fe > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
17:53:39.574172 ARP, Request who-has 10.0.3.30 tell user, length 28
17:53:39.830178 IP6 fe80::216:3eff:fee8:53fe > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
17:53:40.173584 IP6 fe80::216:3eff:fee8:53fe > ip6-allrouters: ICMP6, router solicitation, length 16
17:53:40.538332 IP user > 10.0.3.30: ICMP echo request, id 23728, seq 0, length 28
17:53:40.538363 IP user.bootps > 10.0.3.30.bootpc: BOOTP/DHCP, Reply, length 300
17:53:40.538419 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:e8:53:fe (oui Unknown), length 290
17:53:40.556083 IP user.bootps > 10.0.3.30.bootpc: BOOTP/DHCP, Reply, length 300
17:53:42.930049 ARP, Request who-has user tell 10.0.3.30, length 28
17:53:42.930057 ARP, Reply user is-at 00:16:3e:00:00:00 (oui Unknown), length 28
17:53:42.930062 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 1, length 64
17:53:43.958195 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 2, length 64
17:53:44.478632 IP6 fe80::216:3eff:fee8:53fe > ip6-allrouters: ICMP6, router solicitation, length 16
17:53:44.982194 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 3, length 64
17:53:45.590175 ARP, Request who-has 10.0.3.30 tell user, length 28
17:53:45.590196 ARP, Reply 10.0.3.30 is-at 00:16:3e:e8:53:fe (oui Unknown), length 28
17:53:46.006194 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 4, length 64
17:53:47.030193 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 5, length 64
17:53:48.054193 IP 10.0.3.30 > one.one.one.one: ICMP echo request, id 74, seq 6, length 64
17:53:50.965393 IP 10.0.3.30.51684 > user.domain: 3552+ [1au] SRV? _http._tcp.archive.ubuntu.com. (58)
17:53:50.965453 IP user.domain > 10.0.3.30.51684: 3552 0/1/1 (145)
17:53:50.965460 IP 10.0.3.30.51533 > user.domain: 21995+ [1au] SRV? _http._tcp.security.ubuntu.com. (59)

ifconfig inside the container

root@ubuntu:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.100  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fec8:a561  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:c8:a5:61  txqueuelen 1000  (Ethernet)
        RX packets 17  bytes 1790 (1.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1538 (1.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This is a horrible ticket, sorry.

You used markdown, so I can’t complain.

I can see in the network packet dump that the container sends the packets but nothing ever comes back. It’s some firewall issue.

Can you run sudo iptables --list-rules on the host as well?

Also, you can run tshark on the host and check at what point those ICMP packets get dropped.

:~$ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A OUTPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

I’m running this on a server so I hid the IP.

tshark -i enp2s0 -f "icmp"? Shows nothing.

Also, I think I didn’t notice any of the network dumps going through the main network interface.

You have installed Docker. Docker does special things with firewall rules that mess up the networking of LXC and Incus.
See more at How to configure your firewall - Incus documentation

I don’t use Incus and don’t have ufw installed.

When you install Docker, Docker sets up a set of firewall rules that mess up the networking of either LXC or Incus. I could not find a document on how to fix Docker firewall/iptables issues with LXC, so I provided the document between Docker and Incus. The effect of those Docker iptables rules on containers, either LXC or Incus, is the same.

A firewall is implemented on Linux using those iptables rules. We kind of use firewall and iptables interchangeably.
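As an added example (not code from the thread, from LXC or from Docker), here is a small walker over the forwarding-related rules of the `iptables --list-rules` dump posted above, with the OUTPUT rules and the docker0-only chains left out. It reports whether a packet from the container bridge reaches the `-i lxcbr0 -o eth0 -j ACCEPT` rule or falls through Docker's chains to the `FORWARD DROP` policy; the uplink interface name is an input you supply (the dump's accept and MASQUERADE rules name eth0, while the tshark command above was run on enp2s0).

```python
# Added example, not the thread's code: walk the FORWARD chain of the dump above (only -i/-o with "!" negation, state and -j are modelled).
RULES = """
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
"""

def parse_rules(text):
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = line.replace("! -", "!-").split()  # glue "!" to its flag so flags pair with arguments
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":
            rule = {"in": None, "out": None, "state": None, "target": None}
            for flag, arg in zip(tok[2::2], tok[3::2]):
                if flag.lstrip("!") in ("-i", "-o"):
                    rule["in" if flag.endswith("i") else "out"] = (arg, flag.startswith("!"))
                elif flag in ("--ctstate", "--state"):
                    rule["state"] = set(arg.split(","))
                elif flag == "-j":
                    rule["target"] = arg
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    ifaces_ok = all((pkt[k] == rule[k][0]) != rule[k][1] for k in ("in", "out") if rule[k])
    return ifaces_ok and (not rule["state"] or pkt["state"] in rule["state"])

def verdict(policies, chains, chain, pkt):
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        t = rule["target"]
        if t == "RETURN":
            break
        if t in ("ACCEPT", "DROP", "REJECT") or (t := verdict(policies, chains, t, pkt)):
            return t  # terminal verdict here, or one reached inside the user chain
    return policies.get(chain)  # builtin chain: its policy; user chain: implicit RETURN (None)

def forward_verdict(in_if, out_if, state="NEW"):
    policies, chains = parse_rules(RULES)
    return verdict(policies, chains, "FORWARD", {"in": in_if, "out": out_if, "state": state})
```

On the live host the same question is answered by the per-rule packet counters of `iptables -L FORWARD -v -n`: the counter that grows while the container pings is the rule (or the policy line) the packets actually hit.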