
#1 2025-08-06 21:51:58

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

[SOLVED] Forward incoming traffic to LXC

Hi there,
I am setting up a mail server with lxc. My server is running and accepting connections on ports 993 and 587. I set up the firewall using ufw as indicated in the Archwiki guide.

Now I can't get traffic on those same ports forwarded from the host to my container, even after reading several blog posts and BBS conversations on the topic.

My current /etc/ufw/before.rules (10.0.3.10 is my mail server container):

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]

-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT

-A FORWARD -m state -d 10.0.3.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp6s0 -p tcp --dport 587 -j DNAT --to-destination 10.0.3.10:587
-A PREROUTING -i enp6s0 -p tcp --dport 993 -j DNAT --to-destination 10.0.3.10:993
COMMIT

I also set net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf.

My ufw status output:

$ sudo ufw status verbose
[sudo] password for ste: 
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
993/tcp                    ALLOW IN    Anywhere                  
587/tcp                    ALLOW IN    Anywhere                  
Anywhere on lxcbr0         ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
993/tcp (v6)               ALLOW IN    Anywhere (v6)             
587/tcp (v6)               ALLOW IN    Anywhere (v6)             
Anywhere (v6) on lxcbr0    ALLOW IN    Anywhere (v6)             

Anywhere                   ALLOW FWD   Anywhere on lxcbr0        
Anywhere on lxcbr0         ALLOW FWD   Anywhere                  
Anywhere (v6)              ALLOW FWD   Anywhere (v6) on lxcbr0   
Anywhere (v6) on lxcbr0    ALLOW FWD   Anywhere (v6)             

But still:

$ nc -zv 10.0.3.10 993
Connection to 10.0.3.10 993 port [tcp/imaps] succeeded!
$ nc -zv localhost 993
nc: connect to localhost (::1) port 993 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 993 (tcp) failed: Connection refused

Any help would be appreciated.
gm

Last edited by gattu_marrudu (2025-08-26 18:23:10)


#2 2025-08-08 18:30:12

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

Update: looking at dmesg with ufw logging turned to "high", I get this:

##  nc -zv <host-ip> 993 -> connection refused

[21930.005559] [UFW AUDIT] IN= OUT=lxcbr0 SRC=fe80:0000:0000:0000:1266:6aff:fe00:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=128 TC=192 HOPLIMIT=255 FLOWLBL=475055 PROTO=ICMPv6 TYPE=134 CODE=0 
[21930.005588] [UFW AUDIT] IN=lxcbr0 OUT= MAC= SRC=fe80:0000:0000:0000:1266:6aff:fe00:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=128 TC=192 HOPLIMIT=255 FLOWLBL=475055 PROTO=ICMPv6 TYPE=134 CODE=0 
##  nc -zv 10.0.3.10 993 -> success

[21716.545957] [UFW ALLOW] IN= OUT=lxcbr0 SRC=10.0.3.1 DST=10.0.3.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14567 DF PROTO=TCP SPT=39062 DPT=993 WINDOW=64240 RES=0x00 SYN URGP=0 

I am not sure how to interpret the outputs. If I open 993 on the host with "nc -l 993", I can connect from my host.

Any hints?

Thanks,
gm


#3 2025-08-08 20:52:55

macromal
Member
Registered: 2024-08-03
Posts: 40
Website

Re: [SOLVED] Forward incoming traffic to LXC

You need to explicitly allow forwarding from the host to the container:

-A FORWARD -d 10.0.3.10 -p tcp --dport 993 -j ACCEPT
-A FORWARD -d 10.0.3.10 -p tcp --dport 587 -j ACCEPT


#4 2025-08-08 21:48:23

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

Thanks. I added those lines to the filter section but I still can't get to the container.


#5 2025-08-09 08:54:10

macromal
Member
Registered: 2024-08-03
Posts: 40
Website

Re: [SOLVED] Forward incoming traffic to LXC

To allow the container to send responses back to the host, you can add a POSTROUTING rule in the NAT table. This rule will modify the source address of packets leaving the container so that they appear to come from the host's IP address. Add the following line to your NAT rules:

-A POSTROUTING -s 10.0.3.10 -o enp6s0 -j MASQUERADE


#6 2025-08-10 00:03:02

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

Still no luck... This is a brand new Arch system, with practically only lxc and some basic tools like ufw on it.

This is a dump of my raw ufw table (only IPV4, sorry for the verbosity):

IPV4 (raw):
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    1697   148894 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1697   148894 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      20     1570 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       1       88 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       1       88 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       1       88 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.3.0/24          state NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.3.10            tcp dpt:993
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.3.10            tcp dpt:587

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    1683   154892 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1683   154892 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       2      148 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       2      148 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       2      148 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       2      148 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      19     1482 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
       0        0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       2      100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1675   147224 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
      19     1482 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
      19     1482 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       2      100 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    1679   154644 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       1       60 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
      19     1482 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination         
      19     1482 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
       0        0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           
       0        0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
       0        0 ufw-user-limit  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
       0        0 ufw-user-limit-accept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain ufw-user-limit (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:10.0.3.10:587
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:10.0.3.10:993

Chain INPUT (policy ACCEPT 3 packets, 444 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 120 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 MASQUERADE  all  --  *      enp6s0  10.0.3.10            0.0.0.0/0           
       0        0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24         
Chain PREROUTING (policy ACCEPT 1698 packets, 148982 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1699 packets, 149070 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1685 packets, 155068 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1684 packets, 154980 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         


#7 2025-08-16 10:20:57

macromal
Member
Registered: 2024-08-03
Posts: 40
Website

Re: [SOLVED] Forward incoming traffic to LXC

Check the routing table on your host with the following command:

ip route


#8 2025-08-18 03:25:22

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

$ ip route
default via 192.168.1.1 dev enp6s0 proto dhcp src 192.168.1.23 metric 1002 
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 
192.168.1.0/24 dev enp6s0 proto dhcp scope link src 192.168.1.23 metric 1002 


#9 2025-08-18 07:24:05

-thc
Member
Registered: 2017-03-15
Posts: 996

Re: [SOLVED] Forward incoming traffic to LXC

According to the Wiki you need to

- allow incoming traffic to the bridge
- allow forwarding from the bridge to the host interface and vice versa
- explicitly activate port forwarding

IP forwarding must be enabled on the host (sysctl). Don't use the loopback interface for testing.

If you have done all of this - I can only guess that the connection from the virtual container interface to the bridge is somehow dysfunctional.


#10 2025-08-19 21:06:57

macromal
Member
Registered: 2024-08-03
Posts: 40
Website

Re: [SOLVED] Forward incoming traffic to LXC

Try disabling the firewall to see if the problem persists and if it is related to the firewall.


#11 2025-08-19 21:14:45

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

Hi there,
I have tried all sorts of combinations, even with a fresh container running a static HTTP server on port 8080, nothing... I can get to the server on its local address, but not through my host's IP address.

I also tried disabling ufw, and that doesn't work either. I assume I need some firewall rules to forward ports to a specific container, right?

Just for debugging purposes, is it possible to just set up some forwarding rules with iptables and disable all other firewall rules?


#12 2025-08-19 21:32:29

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

What I tried (to access container at 10.0.3.3 on port 8080):

# ufw disable
Firewall stopped and disabled on system startup
# iptables -P FORWARD ACCEPT
# iptables -t nat -A POSTROUTING -s 10.0.3.3/24 -o enp6s0 -j MASQUERADE
# iptables -t nat -A PREROUTING -i enp6s0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.3:8080
# nc -zv 10.0.3.3 8080
Connection to 10.0.3.3 8080 port [tcp/http-alt] succeeded!
# nc -zv 192.168.1.23 8080
nc: connect to 192.168.1.23 port 8080 (tcp) failed: Connection refused


#13 2025-08-25 22:18:13

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

Logging packets with the above rules, I get this:

Aug 25 18:10:27 host kernel: Dropped: IN=lxcbr0 OUT= MAC=XXXXXXXXXXXXXX SRC=10.0.3.3 DST=10.0.>
Aug 25 18:10:27 host dnsmasq-dhcp[1006]: DHCPREQUEST(lxcbr0) 10.0.3.3 XXXXXXXXXXXXXX
Aug 25 18:10:27 host dnsmasq-dhcp[1006]: DHCPACK(lxcbr0) 10.0.3.3 XXXXXXXXXXXXXX test1
Aug 25 18:10:27 host kernel: Dropped: IN= OUT=lxcbr0 SRC=10.0.3.1 DST=10.0.3.3 LEN=328 TOS=0x00 PREC=0xC0 TTL=64 ID=55836>

(10.0.3.3 is the lxc and 192.168.1.29 the host)

Last edited by gattu_marrudu (2025-08-25 22:18:37)


#14 2025-08-26 05:27:30

-thc
Member
Registered: 2017-03-15
Posts: 996

Re: [SOLVED] Forward incoming traffic to LXC

After disabling the (ufw) firewall and enabling your rules you still get a DROP on incoming/outgoing packets from "lxcbr0" with a log prefix "Dropped: "? How is that possible? Is there another firewall active? Is the chain policy on the IN/OUT chains "DROP"?


#15 2025-08-26 13:55:57

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

No other firewall that I can see:

# lxc-attach test1
[root@test1 ~]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test1 ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test1 ~]# darkhttpd /var/www/test/ --port 8080 --daemon
darkhttpd/1.17, copyright (c) 2003-2025 Emil Mikulic.
listening on: http://0.0.0.0:8080/

On host:

# ufw status
Status: inactive

# iptables -nvL -t filter --line-numbers
Chain INPUT (policy ACCEPT 13058 packets, 1145K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.3.0/24          state NEW,RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12797 packets, 1150K bytes)
num   pkts bytes target     prot opt in     out     source               destination

# iptables -nvL -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  enp6s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.0.3.54:8080

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 300 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      enp6s0  10.0.3.0/24          0.0.0.0/0

(10.0.3.54 is the new IP address of the container, it keeps changing even if I set a static one in /etc/lxc/dnsmasq.conf, but I'll look into that later--unless it's related to this problem)

I also tried a different setup with systemd-nspawn, but that got complicated and I had to leave that.


#16 2025-08-26 16:45:25

-thc
Member
Registered: 2017-03-15
Posts: 996

Re: [SOLVED] Forward incoming traffic to LXC

I tried to simulate this in a virtual environment and got the same outcome.

You actually cannot test NAT from the host itself. Even using the host's IP address will lead to pure loopback traffic - you can verify this by separately logging INPUT packets to "lo" and "enp0s6". The packets will be "lo" packets and will never match the NAT rules. You have to test the NAT from another machine.

Take a look (host) at

/var/lib/misc/dnsmasq.lxcbr0.leases

- does your container change its MAC address?

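To make the point in the post above concrete (a connection test run on the host itself stays on lo and never reaches the PREROUTING DNAT rule bound to the NIC), here is an added Python example that is not part of the thread: it parses netfilter LOG lines of the kind shown in posts #2 and #13 and groups new-connection (SYN) packets by the interfaces they traversed. The log lines inside it are constructed for the example; the interface names enp6s0 and lxcbr0 come from the thread, while the client address 192.168.1.50 and the container address 10.0.3.3 are sample values.

```python
import re
from collections import Counter

# One KEY=VALUE field as printed by the iptables LOG target (empty values allowed, e.g. "OUT=").
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: the same key=value layout the kernel LOG target writes to dmesg/journal.
# Line 1: test run on the host against its own IP (stays on lo).
# Line 2: a client on the LAN reaching the host NIC before DNAT.
# Line 3: the same packet after DNAT, being forwarded into the bridge.
# Line 4: the container's SYN-ACK coming back (not a new connection).
# Line 5: the host talking to the container directly via the bridge address.
SAMPLE_LOG = """\
[100.1] [UFW AUDIT] IN=lo OUT= SRC=192.168.1.23 DST=192.168.1.23 TTL=64 DF PROTO=TCP SPT=40000 DPT=8080 SYN URGP=0
[100.2] [UFW AUDIT] IN=enp6s0 OUT= SRC=192.168.1.50 DST=192.168.1.23 TTL=64 DF PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
[100.3] [UFW AUDIT] IN=enp6s0 OUT=lxcbr0 SRC=192.168.1.50 DST=10.0.3.3 TTL=63 DF PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
[100.4] [UFW AUDIT] IN=lxcbr0 OUT=enp6s0 SRC=10.0.3.3 DST=192.168.1.50 TTL=63 DF PROTO=TCP SPT=8080 DPT=51000 ACK SYN URGP=0
[100.5] [UFW AUDIT] IN= OUT=lxcbr0 SRC=10.0.3.1 DST=10.0.3.3 TTL=64 DF PROTO=TCP SPT=39062 DPT=8080 SYN URGP=0
"""


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its fields.

    Bare tokens without '=' (DF, SYN, ACK, ...) are collected under 'flags';
    the LOG prefix (e.g. "[UFW AUDIT]" or "Dropped:") is kept under 'prefix'.
    Returns None for lines that are not netfilter log entries.
    """
    if "IN=" not in line:
        return None
    head, body = line.split("IN=", 1)
    body = "IN=" + body
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if "=" not in tok}
    # Strip the timestamp / "kernel:" part that precedes the prefix.
    rec["prefix"] = re.sub(r"^.*?(?:kernel:|\])\s*", "", head).strip()
    return rec


def classify(rec):
    """Name the path a logged packet took, based on its IN/OUT interfaces."""
    if "lo" in (rec.get("IN"), rec.get("OUT")):
        return "loopback"       # never touches the NIC's PREROUTING DNAT rule
    if rec.get("IN") and rec.get("OUT"):
        return "forwarded"      # went through the FORWARD chain
    if rec.get("IN"):
        return "input"          # delivered to the host itself
    return "output"             # originated on the host


def is_new_connection(rec, dport):
    """True for a TCP SYN (without ACK) to the given destination port."""
    return (rec.get("PROTO") == "TCP" and rec.get("DPT") == str(dport)
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def syn_summary(log_text, dport):
    """Count new-connection packets to dport by path; a test from the host shows up as 'loopback'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and is_new_connection(rec, dport):
            counts[classify(rec)] += 1
    return counts


def dnat_reached_container(log_text, dport, ext_iface, bridge_iface):
    """True if some SYN to dport entered on ext_iface and left via bridge_iface:
    evidence that the DNAT rule matched and the FORWARD chain accepted it."""
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if (rec and is_new_connection(rec, dport)
                and rec.get("IN") == ext_iface and rec.get("OUT") == bridge_iface):
            return True
    return False


if __name__ == "__main__":
    print(syn_summary(SAMPLE_LOG, 8080))
    print("DNAT exercised:", dnat_reached_container(SAMPLE_LOG, 8080, "enp6s0", "lxcbr0"))
```

Run against a real capture (e.g. `journalctl -k | grep 'UFW AUDIT'`), a test that only ever produces "loopback" entries for the port tells you nothing about the DNAT rule; only an entry with IN set to the NIC and OUT set to the bridge shows the forward actually happened.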

#17 2025-08-26 18:22:52

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 80

Re: [SOLVED] Forward incoming traffic to LXC

That was it! I guess the firewall might have been working all along, I just could not test it from the same machine. I can now see traffic served from the container from another machine using the minimal iptables setup. I will try enabling ufw and see if that works too.

After rebooting, the container picked up the correct IP address automatically. I guess that experimenting with iptables may have disrupted the connection with the container.

Thanks so much for helping me resolve this, it's been over a month of head banging and almost giving up on LXC...

