iptables blocks DNS requests at lxc container

Linux Kernel, Network, and Services configuration.
netpumber
Posts: 10
Joined: 2007-10-07 18:25

iptables blocks DNS requests at lxc container

#1 Post by netpumber »

Hello.

I'm new to using LXC containers, and am trying to follow this guide to set up an OpenVPN server in an LXC container.

So @ HOST machine I have only these two iptables rules:

Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194

Code:

*filter
:INPUT ACCEPT [222:25943]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:31470]
COMMIT
# Completed on Wed Apr 19 19:47:31 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:47:31 2017
*nat
:PREROUTING ACCEPT [30:1828]
:INPUT ACCEPT [30:1828]
:OUTPUT ACCEPT [4:255]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

while @ guest:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE

Code:

*filter
:INPUT ACCEPT [69:7230]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5159]
COMMIT
# Completed on Wed Apr 19 19:48:36 2017
# Generated by iptables-save v1.4.21 on Wed Apr 19 19:48:36 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [11:560]
:POSTROUTING ACCEPT [11:560]
-A POSTROUTING -s 10.8.0.0/24 -o veth0 -j MASQUERADE
COMMIT

Here is the configuration of the LXC container:

1) Created a bridge device (br0) @ host [/etc/network/interfaces]

Code:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Bridge interface
auto br0
iface br0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
bridge_ports none
bridge_fd 2.0
bridge_maxwait 1

2) Link it with the LXC container's veth0 interface [/var/lib/lxc/VPN/config]

Code:

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r jessie
# For additional config options, please look at lxc.container.conf(5)
#lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/VPN/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.mount = /var/lib/lxc/VPN/fstab
lxc.utsname = VPN
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 1

# Network config
lxc.network.type = veth
lxc.network.veth.pair = vethVPN
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:42:1d:a7
lxc.network.link = br0

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm


3) Assign a static IP @ guest machine [/etc/network/interfaces]

Code:

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto veth0
iface veth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

4) A dnsmasq instance is running @ host, listening on the br0 interface.

The thing is that when I connect to the VPN server, the VPN client cannot ping http://www.google.com and cannot visit any site, because as I understand it something is going wrong with the DNS requests.

Any idea on how to approach such an issue? Maybe my configs suck because I'm new to LXC containers and iptables concepts.

Thank you.
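A small diagnostic helper, added here as an example and not part of the original post or the guide it follows. It reads an iptables-save dump (the same format pasted above) and prints the three things that decide whether a VPN client's DNS query can cross a box: the filter FORWARD policy, any rule that matches port 53, and any rule that names the VPN subnet. Run it on both the host and the container; note that the container's MASQUERADE rule rewrites the clients' 10.8.0.0/24 source to veth0's address 192.168.1.2 before the query reaches dnsmasq on 192.168.1.1, and that `sysctl -n net.ipv4.ip_forward` must be 1 in both places for the FORWARD chain to matter at all. The sample dump embedded at the bottom is constructed from the host rules in the post so the script runs stand-alone; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original post).
# Reads an iptables-save dump from stdin and reports what decides whether
# DNS queries from the VPN subnet can be forwarded through this box:
#   forward_policy=...   policy of the filter FORWARD chain
#   dns_rule[table]=...  any rule matching udp/tcp port 53
#   vpn_rule[table]=...  any rule naming the VPN subnet
# Usage on a live system:  iptables-save | dns_path_report 10.8.0.0/24

dns_path_report() {
    vpn_net="${1:-10.8.0.0/24}"
    awk -v net="$vpn_net" '
        /^\*/       { table = substr($0, 2); next }   # "*filter" -> "filter"
        /^COMMIT/   { table = ""; next }
        /^#/        { next }                          # iptables-save timestamps
        table == "filter" && /^:FORWARD / { print "forward_policy=" $2; next }
        /--dport 53([^0-9]|$)/ || /--sport 53([^0-9]|$)/ {
            print "dns_rule[" table "]=" $0; next
        }
        index($0, net) { print "vpn_rule[" table "]=" $0 }
    '
}

# Prints just the filter FORWARD policy (ACCEPT or DROP) from a dump on stdin.
forward_policy() {
    dns_path_report "$1" | sed -n 's/^forward_policy=//p'
}

# Constructed sample: the host dump from the post, reduced to the relevant lines.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [222:25943]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:31470]
COMMIT
# Completed on Wed Apr 19 19:47:31 2017
*nat
:PREROUTING ACCEPT [30:1828]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Stand-alone demo on the constructed sample: reports forward_policy=ACCEPT
# and no dns_rule or vpn_rule lines, i.e. nothing on the host names port 53
# or the tunnel subnet, so forwarding is decided by the chain policy alone.
printf '%s\n' "$SAMPLE_DUMP" | dns_path_report 10.8.0.0/24
```

If the FORWARD policy shows ACCEPT on both machines and no port-53 rule appears, the firewall is not what is eating the queries, and the next things to look at are ip_forward and which interfaces dnsmasq actually binds to.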

netpumber
Posts: 10
Joined: 2007-10-07 18:25

Re: iptables blocks DNS requests at lxc container

#2 Post by netpumber »

No idea at all?

Will the content of server.conf and client.conf be helpful if posted here?
