Unexpected IP in auth.log from proxy device

I have a default lxd 5.0.0 setup with separate zfs partition en ubuntu 22.04 server and container, and I can ssh into the container.

Auth.log in the container contains messages like:

Aug 19 10:38:52 ub sshd[199]: Invalid user git from port 47864
Aug 19 10:38:52 ub sshd[199]: Received disconnect from port 47864:11: Bye Bye [preauth]
Aug 19 10:38:52 ub sshd[199]: Disconnected from invalid user git port 47864 [preauth]

Aug 19 11:18:09 ub sshd[252]: Invalid user webmaster from port 47874
Aug 19 11:18:10 ub sshd[252]: Received disconnect from port 47874:11: Bye Bye [preauth]
Aug 19 11:18:10 ub sshd[252]: Disconnected from invalid user webmaster port 47874 [preauth]

Aug 19 11:22:22 ub sshd[257]: Invalid user oracle from port 47878
Aug 19 11:22:22 ub sshd[257]: Received disconnect from port 47878:11: Bye Bye [preauth]
Aug 19 11:22:22 ub sshd[257]: Disconnected from invalid user oracle port 47878

I don’t understand the ip in those messages, it is always, the ip of the container.

Same thing with pinky in the container:

root@ub ~ pinky
Gbruikr  Volledige naam       TTY      Ledig  Ingelogd            Waar
root         root             *pts/1          2022-08-19 11:01

In both cases I expected the ip of the connecting user (like on the host), not the ip of the container.

Any ideas what is causing this?

Please show lxc config show <instance> --expanded?

root@nc02 ~ lxc config show ub --expanded
architecture: x86_64
  environment.LANG: nl_BE.UTF-8
  environment.LANGUAGE: nl_BE:UTF-8
  environment.LC_ALL: nl_BE.UTF-8
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20220818_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20220818_07:42"
  image.type: squashfs
  image.variant: default
  volatile.base_image: f41c8c8377b27d101e498a03a6c2c34950048952a6679f9b582f471b9d2ee855
  volatile.cloud-init.instance-id: 516121ab-87cc-4326-aeab-faa985c260bb
  volatile.eth0.host_name: veth26794414
  volatile.eth0.hwaddr: 00:16:3e:6c:32:dc
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: cd11a2bd-c4a6-4128-88b7-4df55786b610
    name: eth0
    network: lxdbr0
    type: nic
    path: /
    pool: default
    type: disk
    connect: tcp:
    listen: tcp:
    type: proxy
ephemeral: false
- default
stateful: false
description: ""

Right that makes sense then, you’re using a proxy device to proxy inbound SSH connections to your container.

A LXD proxy device (Instance configuration - LXD documentation) works by accepting the inbound connection, and then switching into the instance’s network namespace and opening a new connection to the connect address. Because it is a new connection originating from inside the instance, it’s source address is that of the instance itself.

If you can use static DHCP reservations for your instance using: lxc config device set <instance> eth0 ipv4.address=n.n.n.n then you would be able to switch the proxy device into nat=true mode.

This would also require that you define the listen address explicitly, and cannot use

But if those caveats are acceptable then using nat=true mode will retain the original client IP for the inbound connection.

I made the modifications, and got the expected ip.

Many thanks for the fast reply.

1 Like