I am at a loss too and my mind is going to burn out.
With the above iptables rules the host can indeed ping these containers.
But apt-get update in the containers returns this error:
Quote:
Err http://http.debian.net jessie InRelease
Err http://http.debian.net jessie Release.gpg
Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:4). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:4 80]
Reading package lists... Done
Building dependency tree
Reading state information... Done
41 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://http.debian.net/debian/dists/jessie/InRelease
W: Failed to fetch http://http.debian.net/debian/dists/jessie/Release.gpg Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:4). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:4 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
and also VPN clients have this strange behaviour with some web sites, as I said. Also I noticed here that it tries to fetch the repositories over IPv6 and not IPv4. I don't know if this means something for our case.
Quote:
is maybe you should really add what interface the requests are coming in over in the PREROUTE rules.
You mean to add -i eth0 in the rules?
P.S. I added -i eth0 in both of the rules and it seems to be working so far. I'll keep you posted and write about the results.