iptables blocks DNS requests at lxc container


Post by netpumber » 2017-04-19 19:09

Hello.

I'm new to using LXC containers, and am trying to follow this guide to set up an OpenVPN server inside an LXC container.

So on the HOST machine I have only these two iptables rules:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194


Code:
*filter
:INPUT ACCEPT [222:25943]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:31470]
COMMIT
# Completed on Wed Apr 19 19:47:31 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:47:31 2017
*nat
:PREROUTING ACCEPT [30:1828]
:INPUT ACCEPT [30:1828]
:OUTPUT ACCEPT [4:255]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


while on the guest:

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE


Code:
*filter
:INPUT ACCEPT [69:7230]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5159]
COMMIT
# Completed on Wed Apr 19 19:48:36 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:48:36 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [11:560]
:POSTROUTING ACCEPT [11:560]
-A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
COMMIT


Here is the configuration of the LXC container.

1) Created a bridge device (br0) on the host [/etc/network/interfaces]

Code:
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Bridge interface
auto br0
iface br0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
bridge_ports none
bridge_fd 2.0
bridge_maxwait 1


2) Linked it with the LXC container's veth0 interface [/var/lib/lxc/VPN/config]

Code:
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r jessie
# For additional config options, please look at lxc.container.conf(5)
#lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/VPN/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.mount = /var/lib/lxc/VPN/fstab
lxc.utsname = VPN
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 1

# Network config
lxc.network.type = veth
lxc.network.veth.pair = vethVPN
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:42:1d:a7
lxc.network.link = br0

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm



and 3) assigned a static IP on the guest machine [/etc/network/interfaces]

Code:
auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto veth0
iface veth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1


4) A dnsmasq is running on the host, listening on the br0 interface.

The thing is that when I connect to the VPN server, the VPN client cannot ping http://www.google.com and cannot visit any site, because, as I understand it, something is going wrong with the DNS requests.

Any idea on how to approach such an issue? Maybe my configs suck because I'm new to LXC containers and iptables ideas.

Thank you.
netpumber
 
Posts: 10
Joined: 2007-10-07 18:25
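An added example, not code from the thread or from any of the projects it mentions: a small Python audit that parses iptables-save output (the format posted above) and reports whether the filter table can drop DNS (port 53) at all. Run against the host and guest dumps from the post, it finds that both filter tables have no rules and ACCEPT policies, so the packet filter as posted cannot be what discards the DNS queries. The third dump, STRICT_HOST_DUMP, is constructed and hypothetical: it shows what a default-deny host INPUT chain needs so that dnsmasq on br0 stays reachable, which is the case the audit is meant to surface.

```python
# Added example: audit iptables-save dumps for rules that affect DNS (port 53).
import re

# Constructed inputs: the host and guest dumps pasted in the thread (policies
# and counters as posted), plus a hypothetical stricter host ruleset below.
HOST_DUMP = """\
*filter
:INPUT ACCEPT [222:25943]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:31470]
COMMIT
*nat
:PREROUTING ACCEPT [30:1828]
:INPUT ACCEPT [30:1828]
:OUTPUT ACCEPT [4:255]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

GUEST_DUMP = """\
*filter
:INPUT ACCEPT [69:7230]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5159]
COMMIT
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [11:560]
:POSTROUTING ACCEPT [11:560]
-A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
COMMIT
"""

# Hypothetical (not from the thread): a default-deny host INPUT chain, which
# must explicitly accept DNS from the bridge for dnsmasq on br0 to answer.
STRICT_HOST_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, args)]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):                      # "*filter" starts a table
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split(None, 2)
            table["policies"][chain] = policy
        elif line.startswith("-A "):                  # "-A CHAIN <match/target args>"
            _, chain, args = line.split(None, 2)
            table["rules"].append((chain, args))
    return tables                                     # COMMIT and '#' lines are ignored


DPORT_RE = re.compile(r"--dports?\s+(\S+)")           # --dport 53 or --dports 53,853


def spec_matches_port(spec, port):
    """True if a spec like "53", "53,853" or "1:1023" covers the given port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rules_touching_port(tables, port):
    """All (table, chain, args) rules whose destination-port match covers port."""
    hits = []
    for tname, t in tables.items():
        for chain, args in t["rules"]:
            m = DPORT_RE.search(args)
            if m and spec_matches_port(m.group(1), port):
                hits.append((tname, chain, args))
    return hits


def dns_audit(dump_text):
    """Say whether the filter table in a dump can drop DNS (port 53) at all."""
    tables = parse_iptables_save(dump_text)
    flt = tables.get("filter", {"policies": {}, "rules": []})
    policies = flt["policies"].values()
    port53 = rules_touching_port(tables, 53)
    if port53:
        verdict = "rules reference port 53; inspect them"
    elif not flt["rules"] and all(p == "ACCEPT" for p in policies):
        verdict = "filter cannot block DNS: no rules, every policy ACCEPT"
    elif any(p != "ACCEPT" for p in policies):
        verdict = "default-deny chain and no port-53 rule: DNS needs an accept (check for a broader one, e.g. by interface)"
    else:
        verdict = "filter rules exist but none match port 53; walk them"
    return {"verdict": verdict, "port53_rules": port53,
            "filter_policies": dict(flt["policies"]), "filter_rule_count": len(flt["rules"])}
```

Paste the output of `iptables-save` from each side into `dns_audit` to get the same three-way answer; the nat rules are parsed too, so `rules_touching_port(tables, 1194)` finds the DNAT for the OpenVPN port. A verdict of "cannot block DNS" only clears the packet filter itself, so the next things to look at are whether the queries actually reach br0 and whether dnsmasq is bound to answer on that interface.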

Re: iptables blocks DNS requests at lxc container

Post by netpumber » 2017-04-21 15:48

No idea at all?

Will the contents of server.conf and client.conf be helpful if posted here?
netpumber
 
Posts: 10
Joined: 2007-10-07 18:25

