
My plan is to provide a Nextcloud container and an ONLYOFFICE container.

  • I have an Ubuntu LTS server system running.
  • There are several LXD containers running.
  • I can access all containers with a browser via their defined ports, configured by nftables.
  • Containers have access to the internet, provided by the host connection.

But...

  • Suddenly the containers can't curl each other via the host IP. -> Nextcloud can't access ONLYOFFICE, so this is not working.
  • Even the host can't curl to the defined ports. :-(

I think my problem is in my nftables config:

table ip my_nat {
  # Incoming connections (from eno1 or from the bridge) are redirected to the containers.
  chain my_prerouting {
    type nat hook prerouting priority -100;
    tcp dport { http, https } dnat 192.168.22.3
    tcp dport { 8888 } dnat 192.168.22.6:80
    tcp dport { 8889 } dnat 192.168.22.6:443
  }

  # Container traffic leaving through the uplink gets the host's address.
  chain my_postrouting {
    type nat hook postrouting priority 0; policy accept;
    oifname "eno1" masquerade
  }
}

eno1 is the host port; lxdbr0 is the bridge port to all containers (192.168.22.0/24).

  • I don't think that nftables is supported with LXD. See https://github.com/lxc/lxd/issues/4029. – Gerrit Mar 04 '20 at 12:41
  • After reading through, it seems supported and fixed: https://github.com/lxc/lxd/issues/6223. I think the problem may be a missing entry for postrouting?!? – fruitystones Mar 04 '20 at 12:59
  • As I read it, it is intended to be part of release 3.22. But that is not released yet. https://github.com/lxc/lxd/milestone/91?closed=1 – Gerrit Mar 04 '20 at 14:30
  • It seems not related to LXD; even a curl to localhost (on the main host) doesn't work: "Failed to connect to localhost port 80: Connection refused" – fruitystones Mar 05 '20 at 13:32
  • To expose a port for locally executed programs you have to hook into *output*. *prerouting* will not work for that. But that is tricky. See my net namespace answer here: https://serverfault.com/a/1002882/188737 – Gerrit Mar 05 '20 at 13:34
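An added example (not the asker's config and not from the commenters) of the direction the last two comments point in: a complete nftables NAT table that keeps the three port forwards, adds an output-hook chain so connections the host itself makes to its own address are redirected too, and adds a hairpin masquerade on the bridge so a container that reaches another container through the host IP gets the reply back through the host. It assumes nft 0.9+ syntax (`dnat to`), the interface names and addresses from the question, and that the host's own addresses are what `fib daddr type local` matches. Connections to 127.0.0.1 are deliberately left alone: redirecting those into a container needs the extra steps Gerrit calls tricky, and the `fib` restriction also keeps ordinary outbound HTTP/HTTPS from the host and the containers from being captured by the port-80/443 forward.

```nft
#!/usr/sbin/nft -f
# Added example, not the asker's ruleset. Assumptions: eno1 = uplink,
# lxdbr0 = container bridge 192.168.22.0/24, nft >= 0.9 syntax.

# Declare-then-delete so reloading the file replaces the table instead of
# appending duplicate rules to it.
table ip my_nat
delete table ip my_nat

table ip my_nat {
  # Traffic entering the host from eno1 or from the bridge. Only packets whose
  # destination is one of the host's own addresses are redirected, so a
  # container's outbound web traffic is not hijacked by the port 80/443 rule.
  chain my_prerouting {
    type nat hook prerouting priority -100; policy accept;
    fib daddr type local tcp dport { 80, 443 } dnat to 192.168.22.3
    fib daddr type local tcp dport 8888 dnat to 192.168.22.6:80
    fib daddr type local tcp dport 8889 dnat to 192.168.22.6:443
  }

  # Packets generated on the host itself never traverse prerouting; they
  # traverse output. Loopback destinations are skipped on purpose: a packet
  # with a 127.0.0.0/8 address rerouted onto lxdbr0 needs route_localnet and
  # further handling, which this example does not attempt.
  chain my_output {
    type nat hook output priority -100; policy accept;
    ip daddr 127.0.0.0/8 return
    fib daddr type local tcp dport { 80, 443 } dnat to 192.168.22.3
    fib daddr type local tcp dport 8888 dnat to 192.168.22.6:80
    fib daddr type local tcp dport 8889 dnat to 192.168.22.6:443
  }

  chain my_postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Container -> internet: hide the 192.168.22.0/24 addresses behind eno1.
    oifname "eno1" masquerade
    # Hairpin: a container connected to the host IP, the connection was DNATed
    # to another container on the same bridge. Without source NAT the target
    # replies directly from its own address, the client never expected that
    # peer, and the TCP handshake fails. Limiting to "ct status dnat" keeps
    # plain container-to-container traffic untouched.
    oifname "lxdbr0" ip saddr 192.168.22.0/24 ct status dnat masquerade
  }
}
```

Load it with `nft -f <file>` and check with `nft list table ip my_nat`; a `curl` from the host to its own eno1 or lxdbr0 address on port 8888 then exercises the output chain, while a `curl` from one container to the host IP exercises prerouting plus the hairpin masquerade, which shows up in `conntrack -L` as an entry with both a DNAT and an SNAT rewrite.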

0 Answers