I have a VPS with one public IP, 64.x.x.x which is assigned to enp1s0.
My goal is to have LXC container/s running on this VPS which have connectivity with the host and with WAN. That means traffic is routed from Container > lxcbr0 > enp1s0 > WAN
I followed the standard procedure in LXC, which creates a bridge lxcbr0 and a veth device connected to the bridge. From the container I can ping the host and also the public IP of the host. But I can't reach WAN! As far as I know I did everything right in the configuration, but obviously I didn't.
Host:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 64.x.x.x/32 brd 64.x.x.250 scope global dynamic enp1s0
valid_lft 84329sec preferred_lft 84329sec
inet6 fe80::9400:1ff:fe0e:33dc/64 scope link
valid_lft forever preferred_lft forever
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe00:0/64 scope link
valid_lft forever preferred_lft forever
4: vethf6wBpH@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxcbr0 state UP group default qlen 1000
link/ether fe:1f:bc:2d:41:3c brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::fc1f:bcff:fe2d:413c/64 scope link
valid_lft forever preferred_lft forever
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 124 MASQUERADE all -- any any 10.0.3.0/24 !10.0.3.0/24
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 17.x.x.1 0.0.0.0 UG 0 0 0 enp1s0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
17.x.x.1 0.0.0.0 255.255.255.255 UH 0 0 0 enp1s0
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Container:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 4e:53:3c:48:56:ad brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.3.25/24 brd 10.0.3.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::4c53:3cff:fe48:56ad/64 scope link
valid_lft forever preferred_lft forever
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.3.1 0.0.0.0 UG 0 0 0 eth0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
I looked at tcpdump -i lxcbr0 icmp on the host. Ping request comes through, but I don't see any reply. tcpdump -i enp1s0 icmp doesn't show any activity while I ping WAN from the container.
Appreciate all thoughts on this!
