Using a bridge, an LXC container can’t ping router, but the host OS can

bridge lxc networking virtualbox

I've got a virtual machine running under virtualbox, and in that virtual machine I've got an LXC container I'm trying to bridge to virtualbox's NAT interface:

-------------      -----------      -----------      ----------      ----------
| LXC       | ---> | Host OS | ---> | Virtual | ---> | Laptop | ---> | Router |
| Container |      | Linux   |      | Box     |      |        |      |        |
-------------      -----------      -----------      ----------      ----------
eth0 10.1.0.35     br0 <-> eth0     NAT GW:          192.168.1.33    GW:
gw 10.1.0.2        br0 10.1.0.5      10.1.0.2/16                      192.168.1.1
                   gw 10.1.0.2

Ping 10.1.0.2      ping 10.1.0.2
 FAIL               OK

I cannot ping from the LXC container to the virtualbox gateway, but I can from the Host OS.

Note: running tcpdump on the host OS, I can see pings being sent from the container to the router, and the reply from the router to the container, but tcpdump on the container shows no traffic.

LXC eth0

eth0      Link encap:Ethernet  HWaddr 00:16:3e:ed:82:b8
          inet addr:10.1.0.35  Bcast:10.1.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:feed:82b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58003 (58.0 KB)  TX bytes:56447 (56.4 KB)

Host OS:

root@ubuntuserver:/# ifconfig
br0       Link encap:Ethernet  HWaddr 08:00:27:ca:5f:7a
          inet addr:10.1.0.5  Bcast:10.1.255.255  Mask:255.255.0.0
          inet6 addr: fe80::a00:27ff:feca:5f7a/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:158794 (158.7 KB)  TX bytes:139083 (139.0 KB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:ca:5f:7a
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2404 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:281188 (281.1 KB)  TX bytes:312109 (312.1 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14376 (14.3 KB)  TX bytes:14376 (14.3 KB)

vethStvXMU Link encap:Ethernet  HWaddr fe:9a:36:3a:84:1c
          inet6 addr: fe80::fc9a:36ff:fe3a:841c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:557 errors:0 dropped:0 overruns:0 frame:0
          TX packets:554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53465 (53.4 KB)  TX bytes:55003 (55.0 KB)


root@ubuntuserver:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.080027ca5f7a       no              eth0
                                                        vethStvXMU

Best Answer

Try adding the following iptables rules:

# SNAT and MASQUERADE are only valid in the nat table, so select it with -t nat
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o vmbr0 -j SNAT --to-source 148.251.79.108
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o vmbr0 -j MASQUERADE