#1 2026-02-26 19:17:25

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 104

[SOLVED] Forward traffic from LXC to external port

Hello,
I have LXC running on a local server and UFW managing the firewall.

I cannot reach a remote mail server on ports 25 or 587 from any of the containers. I can reach the same ports from the LXC host, and also port 80 on the same remote server from the container, just not the mail ports.

I have the following UFW configuration:

Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
993/tcp                    ALLOW IN    Anywhere                  
587/tcp                    ALLOW IN    Anywhere                  
Anywhere on lxcbr0         ALLOW IN    Anywhere                  
22/tcp                     LIMIT IN    Anywhere                  
25/tcp                     ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
21/tcp                     ALLOW IN    Anywhere                  
20021/tcp                  ALLOW IN    Anywhere                  
465/tcp                    ALLOW IN    Anywhere                  
29090/tcp                  ALLOW IN    Anywhere                  

1.2.3.4 25/tcp      ALLOW OUT   Anywhere                  # mail server
1.2.3.4 587/tcp     ALLOW OUT   Anywhere                 # mail server

Anywhere                   ALLOW FWD   Anywhere on lxcbr0        
Anywhere on lxcbr0         ALLOW FWD   Anywhere                 

I added the 1.2.3.4 rules later while testing, but they don't resolve the problem.

I also tried to add

-A FORWARD -d 1.2.3.4 -p tcp --dport 25 -j ACCEPT
-A FORWARD -d 1.2.3.4 -p tcp --dport 587 -j ACCEPT

to the filter chain in /etc/ufw/before.rules, to no avail.

Which rules am I missing?

Thanks,
gm

Last edited by gattu_marrudu (2026-02-27 21:41:21)

#2 2026-02-26 19:43:41

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 104

Re: [SOLVED] Forward traffic from LXC to external port

Update: even after disabling ufw the containers still can't reach the remote server. I also tried enabling MANAGE_BUILTINS in /etc/default/ufw.

I wonder if something other than the firewall may be the cause.

#3 2026-02-27 07:29:49

-thc
Member
Registered: 2017-03-15
Posts: 1,117

Re: [SOLVED] Forward traffic from LXC to external port

Please stop throwing configuration changes at your system without knowing the cause of your problem.

I have LXC running on a local server

That is - regarding the network setup - not self-explanatory. How exactly did you realize the network setup for LXC (NAT/bridge)?

Can you successfully ping the remote servers from within your containers?

#4 2026-02-27 14:43:39

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 104

Re: [SOLVED] Forward traffic from LXC to external port

I can ping the remote server, and I can connect to other ports from within the containers. In fact, since I control the target server, I opened SMTPS on an alternative port and I can connect to that port.

I have a NAT bridge set up. This is the relevant part of my /etc/lxc/default.conf:

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 10:66:6a:xx:xx:xx

And /etc/default/lxc-net:

USE_LXC_BRIDGE="true"
LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf
LXC_DOMAIN="lxc"

It looks like 25, 993, 465, and 587 are all blocked. I am thinking about an ISP block, but then I can't explain why I can connect to those ports from the host, which should appear as coming from the same IP address.

#5 2026-02-27 18:22:32

-thc
Member
Registered: 2017-03-15
Posts: 1,117

Re: [SOLVED] Forward traffic from LXC to external port

Is it possible that those ports are in use on the host (or another container with port forwarding) and the routing decision (FORWARD/INPUT) is wrong?

#6 2026-02-27 19:04:02

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 104

Re: [SOLVED] Forward traffic from LXC to external port

Good catch! I do have an internal mail server on the host. It is currently down but I still have the firewall rules for reaching that server from outside:

# /etc/ufw/before.rules

-A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.3.10:25
-A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 10.0.3.10:587
-A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 10.0.3.10:465
-A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 10.0.3.10:993

-A POSTROUTING -s 10.0.3.10 -o enp6s0 -j MASQUERADE

After disabling the pre-routing lines I am able to reach the remote server on those ports.

Now, since I may resume using the internal mail server, how can I keep the routing rules for that server for both outside connections and local containers, while allowing some local containers to connect to an external server on the same ports?

Thanks!

Last edited by gattu_marrudu (2026-02-27 19:05:47)

#7 2026-02-27 21:40:57

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 104

Re: [SOLVED] Forward traffic from LXC to external port

Looks like adding -i enp6s0 (host's network interface) to the prerouting rules fixed the outbound block, although I haven't tested the local mail server with the new settings yet.

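The rules in #6 match any packet entering the nat PREROUTING chain, including packets from the containers arriving on lxcbr0, so container traffic to any host on port 25/587/465/993 was silently redirected to 10.0.3.10. The following is an added example (not from the thread's author) showing the fix from #7 as a complete *nat section for /etc/ufw/before.rules, plus a small audit check that flags PREROUTING DNAT rules lacking an input-interface match. Interface name, addresses and file layout are assumed from the posts above; adapt them to your host.

```shell
# Corrected *nat section (assumed layout). "-i enp6s0" restricts each DNAT
# to packets arriving from the WAN side, so traffic originating on lxcbr0
# is routed normally instead of being redirected to the internal server.
corrected_nat_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp6s0 -p tcp --dport 25 -j DNAT --to-destination 10.0.3.10:25
-A PREROUTING -i enp6s0 -p tcp --dport 587 -j DNAT --to-destination 10.0.3.10:587
-A PREROUTING -i enp6s0 -p tcp --dport 465 -j DNAT --to-destination 10.0.3.10:465
-A PREROUTING -i enp6s0 -p tcp --dport 993 -j DNAT --to-destination 10.0.3.10:993
-A POSTROUTING -s 10.0.3.10 -o enp6s0 -j MASQUERADE
COMMIT
EOF
}

# The rule set from post #6 (constructed copy, used only as sample input).
original_nat_rules() {
    cat <<'EOF'
-A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.3.10:25
-A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 10.0.3.10:587
-A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 10.0.3.10:465
-A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 10.0.3.10:993
-A POSTROUTING -s 10.0.3.10 -o enp6s0 -j MASQUERADE
EOF
}

# Audit check: print every PREROUTING DNAT rule read from stdin that has
# no "-i <iface>" match. Such a rule also catches packets entering from
# lxcbr0, which is exactly what blocked outbound mail from the containers.
# Usage: unscoped_dnat_rules < /etc/ufw/before.rules
unscoped_dnat_rules() {
    grep -E '^-A PREROUTING ' | grep -E -- '-j DNAT' | grep -E -v -- ' -i [^ ]+ '
}

# Demo: list the unscoped rules in the original set (prints four lines),
# then confirm the corrected set has none.
original_nat_rules | unscoped_dnat_rules
corrected_nat_rules | unscoped_dnat_rules
```

Run the audit against the live file with `unscoped_dnat_rules < /etc/ufw/before.rules`; any output is a DNAT rule that will also capture container-originated traffic.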