Old 05-12-2017, 11:47 AM   #16
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,194
Blog Entries: 3

Rep: Reputation: 187

Have you changed your rules since the first post? That one should work.
I'm thinking it is in your routing tables. What does the following spit out:
Code:
route -n
You should see all your interfaces there.
 
1 members found this post helpful.
Old 05-15-2017, 08:04 AM   #17
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 422

Original Poster
Rep: Reputation: 33
These are my rules till now (with the conflict that we discuss):

Code:
# Generated by iptables-save v1.4.21 on Mon May 15 12:01:38 2017
*nat
:PREROUTING ACCEPT [51675:3089328]
:INPUT ACCEPT [50024:2963629]
:OUTPUT ACCEPT [856:60110]
:POSTROUTING ACCEPT [814:44198]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon May 15 12:01:38 2017
# Generated by iptables-save v1.4.21 on Mon May 15 12:01:38 2017
*filter
:INPUT ACCEPT [1056550:132585458]
:FORWARD ACCEPT [3342320:3193085280]
:OUTPUT ACCEPT [1193243:198614136]
COMMIT
# Completed on Mon May 15 12:01:38 2017
and here is the route -n in the host. I have already posted it in an earlier post (You asked it. Don't remember?)

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.44.198     0.0.0.0         UG    0      0        0 eth0
10.8.44.198     0.0.0.0         255.255.255.254 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
 
Old 05-17-2017, 05:19 PM   #18
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,194
Blog Entries: 3

Rep: Reputation: 187
I'm at a loss. If you can ping your containers then it should work.

Only thing I can think of at this point is maybe you should really add what interface the requests are coming in over in the PREROUTE rules.
 
1 members found this post helpful.
Old 05-18-2017, 03:59 AM   #19
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 422

Original Poster
Rep: Reputation: 33
I am at a loss too and my mind is going to burn out.

With the above iptables rules the host can indeed ping these containers.

But apt-get update in the containers returns this error:
Quote:
Err http://http.debian.net jessie InRelease

Err http://http.debian.net jessie Release.gpg
Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:4). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:4 80]
Reading package lists... Done
Building dependency tree
Reading state information... Done
41 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://http.debian.net/debian/dists/jessie/InRelease

W: Failed to fetch http://http.debian.net/debian/dists/jessie/Release.gpg Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:4). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:4 80]

W: Some index files failed to download. They have been ignored, or old ones used instead.
and also VPN clients have this strange behavior with some web sites, as I said. I also noticed here that it tries to fetch the repositories with the IPv6 protocol and not IPv4. I don't know if this means something for our case.

Quote:
is maybe you should really add what interface the requests are coming in over in the PREROUTE rules.
You mean to add -i eth0 in the rules?

P.S. I added -i eth0 in both of the rules and it seems that it is working until now. I'll keep you posted and write about the results.

Last edited by netpumber; 05-18-2017 at 04:33 AM.
 
Old 05-18-2017, 06:52 AM   #20
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 422

Original Poster
Rep: Reputation: 33
Oh! I can't believe it. It is working finally (it seems so). That detail made the difference. It's incredible! I owe you a beer or whatever you want.

Thanks a lot for your insistence on this problem :-)
 
Old 05-18-2017, 07:48 AM   #21
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,194
Blog Entries: 3

Rep: Reputation: 187
GREAT NEWS!!!

This is the issue with any firewall: your rules were being applied to every packet no matter which way they were traveling. By adding the "-i eth0" you told the rule to only be applied to traffic coming in over eth0.
 
1 members found this post helpful.
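
An added example, not part of any post in the thread: a shell check that reads iptables-save output and lists nat PREROUTING DNAT rules with no -i match, the condition that the fix in posts #19 to #21 removed. Such rules also match packets arriving from the containers on br0, so their outbound port 80 traffic is rewritten to 192.168.1.4:80. The function names are made up for this example, and the second ruleset is constructed by adding -i eth0 to the rules from post #17.

```shell
#!/bin/sh
# Added example: flag nat PREROUTING DNAT rules in iptables-save output that
# carry no inbound-interface match (-i / --in-interface).

# nat table from post #17, embedded so the check runs offline.
thread_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [51675:3089328]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Constructed: the same rules with the fix from post #19 applied (-i eth0).
fixed_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints every unscoped DNAT rule.
unscoped_dnat() {
    awk '
        /^\*/ { table = $1 }    # "*nat", "*filter", ... marks the current table
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            dnat = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
                if ($i == "-i" || $i == "--in-interface") scoped = 1
            }
            if (dnat && !scoped) print
        }
    '
}

echo "Unscoped DNAT rules in the ruleset from post #17:"
thread_rules | unscoped_dnat
echo "Unscoped DNAT rules after adding -i eth0: $(fixed_rules | unscoped_dnat | wc -l)"
```

On a live host the same function can be fed from `iptables-save -t nat | unscoped_dnat`.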
  

