Hi, I'm running firewalld on Fedora 35 and I've installed lxd. The problem is that lxd containers can reach the host, but not the internet.
This is the firewalld configuration:

FedoraServer
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp108s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: ipset:crowdsec-blacklists
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

libvirt
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lxdbr0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I've also tried what is documented at https://linuxcontainers.org/lxd/docs/master/networks/#

Just in case, the routes on the container are:

default via 10.230.54.1 dev eth0 proto dhcp metric 100
10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric 100

Could you please help and tell me if I am doing something wrong? Thanks in advance!
On Mon, 7 Feb 2022 at 20:02, Sergio Belkin (sebelk@gmail.com) wrote:
--
Sergio Belkin LPIC-2 Certified - http://www.lpi.org
I've made an ugly and temporary work-around:

iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT

And it works. I don't understand why those rules are needed; AFAIK the 'trusted' zone means "All network connections are accepted." Am I missing something? Thanks in advance!
On Mon, Feb 07, 2022 at 09:13:23PM -0300, Sergio Belkin wrote:
I've made an ugly and temporary work-around:

iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT

And it works. I don't understand why those rules are needed; AFAIK the 'trusted' zone means "All network connections are accepted." Am I missing something?
LXD is probably adding its own iptables rules. Those will execute _before_ firewalld's rules. So if they drop, firewalld never sees the packets.
Your iptables rules are injecting accept rules before the other rules.
Can you show `iptables-save`? It'll show us the rules added by LXD.
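One way to read the `iptables-save` output being asked for, added here as an example and not code from the thread, from LXD or from firewalld: it walks the filter-table FORWARD chain in order (following jumps and RETURN) and reports the verdict a packet crossing the bridge gets from iptables before firewalld's own chains run. The dump is constructed; the interface names lxdbr0 and wlp108s0 come from the thread, and only -i/-o/-j are modelled.

```python
import re
# Constructed sample (not the poster's host): FORWARD policy DROP, no lxdbr0 rule.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""
IFACE_RE = {"in": re.compile(r"(! )?-i (\S+)"), "out": re.compile(r"(! )?-o (\S+)")}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_filter(dump):
    """Return (policies, chains) of the *filter table; only -i/-o/-j are modelled."""
    policies, chains, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif in_filter and line.startswith("-A "):
            rule = {"line": line, "target": re.search(r"-j (\S+)", line).group(1)}
            for key, rx in IFACE_RE.items():  # (interface, negated?) or None
                m = rx.search(line)
                rule[key] = (m.group(2), m.group(1) is not None) if m else None
            chains.setdefault(line.split()[1], []).append(rule)
    return policies, chains

def _walk(chains, chain, pkt):
    """First terminal verdict in `chain` for pkt, following jumps; None if it returns."""
    for rule in chains.get(chain, []):
        if all(rule[k] is None or (pkt[k] == rule[k][0]) != rule[k][1] for k in ("in", "out")):
            t = rule["target"]
            if t in TERMINAL:
                return t, rule["line"]
            if t == "RETURN":
                return None
            hit = t in chains and _walk(chains, t, pkt)  # descend into user chain
            if hit:
                return hit
    return None  # fell off the end: caller continues, base chain applies its policy

def forward_verdict(dump, in_iface, out_iface):
    """Verdict the iptables FORWARD hook gives a packet going in_iface -> out_iface."""
    policies, chains = parse_filter(dump)
    hit = _walk(chains, "FORWARD", {"in": in_iface, "out": out_iface})
    return hit or (policies["FORWARD"], "policy of FORWARD")
```

Running it on the sample shows lxdbr0 traffic reaching the DROP policy without any rule having matched, which is exactly the case where firewalld's 'trusted' zone never gets to see the packet.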
firewalld-users@lists.fedorahosted.org