Hi,
In LXC (not lxd), how should port forwarding be set up? That is, like in Docker: requests arriving at a port on the host are forwarded to the given port of the container.
Or does a firewall (firewalld) rule have to be set up here?
- OS: Fedora 40
- lxc: 6.0.1
Comments
In general, if the guest VM/container network interfaces are bridged with the host, then the port forward has to be set up on the router; if the host has its own separate local network, then SNAT/DNAT is needed on the host.
What is the network topology?
Sorry, I started a bit far off.
I would try whatever I already use on the host anyway; that can be firewalld, nft, iptables, etc.
you've got a strange sense of humour...
I tried earlier by setting up a bridge interface on the host machine; that worked.
I thought I'd take a look at the case of the lxc virbr0 device.
I'm experimenting:
- host: 192.168.1.70/24
- lxc container: 192.168.122.236/24 (virbr0)
A test httpd is running in the container, and curl reaches it: curl http://192.168.122.236 -> OK
I set up the firewalld rule (public zone: eno0 interface, 192.168.1.70):
firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.122.236
But I can't reach the container:
# curl http://192.168.1.70:8080
curl: (7) Failed to connect to 192.168.1.70 port 8080 after 0 ms: Couldn't connect to server
What's missing?
If you're on the host, this request, if I remember correctly, won't show up on the eno0 interface.
Try it from another machine, e.g. 192.168.1.71.
you've got a strange sense of humour...
Why not? :o
Because there's no reason for it to, since the request doesn't come from outside.
But if you can try it from an external address, we'll see.
If the port forward is in place, it has to work from an external address.
Usually I'd test it beforehand so I don't talk nonsense, but right now I can't. :)
you've got a strange sense of humour...
It doesn't work from outside either.
Same result with this:
firewall-cmd --zone=public --add-forward
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.1.70" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.122.236"'
If it's nft, please paste the output of "nft list ruleset"; if it's iptables, then "iptables -L -v -n" and "iptables -t nat -L -v -n".
you've got a strange sense of humour...
In the default state (zone=FedoraWorkstation):
table ip6 lxc {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip6 saddr fc11:4514:1919:810::/64 ip6 daddr != fc11:4514:1919:810::/64 counter packets 2 bytes 281 masquerade
}
}
table inet lxc {
chain input {
type filter hook input priority filter; policy accept;
iifname "lxcbr0" udp dport { 53, 67 } accept
iifname "lxcbr0" tcp dport { 53, 67 } accept
}
chain forward {
type filter hook forward priority filter; policy accept;
iifname "lxcbr0" accept
oifname "lxcbr0" accept
}
}
table ip lxc {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 1 bytes 234 masquerade
}
}
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES
}
chain mangle_PREROUTING_POLICIES {
iifname "eno1" jump mangle_PRE_policy_allow-host-ipv6
iifname "eno1" jump mangle_PRE_FedoraWorkstation
iifname "eno1" return
jump mangle_PRE_policy_allow-host-ipv6
jump mangle_PRE_FedoraWorkstation
return
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES
}
chain nat_PREROUTING_POLICIES {
iifname "eno1" jump nat_PRE_policy_allow-host-ipv6
iifname "eno1" jump nat_PRE_FedoraWorkstation
iifname "eno1" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_FedoraWorkstation
return
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES
}
chain nat_POSTROUTING_POLICIES {
iifname "eno1" oifname "eno1" jump nat_POST_FedoraWorkstation
iifname "eno1" oifname "eno1" return
oifname "eno1" jump nat_POST_FedoraWorkstation
oifname "eno1" return
iifname "eno1" jump nat_POST_FedoraWorkstation
iifname "eno1" return
jump nat_POST_FedoraWorkstation
return
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES
}
chain nat_OUTPUT_POLICIES {
oifname "eno1" jump nat_OUT_FedoraWorkstation
oifname "eno1" return
jump nat_OUT_FedoraWorkstation
return
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_POLICIES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_POLICIES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES
}
chain filter_INPUT_POLICIES {
iifname "eno1" jump filter_IN_policy_allow-host-ipv6
iifname "eno1" jump filter_IN_FedoraWorkstation
iifname "eno1" reject with icmpx admin-prohibited
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_FORWARD_POLICIES {
iifname "eno1" oifname "eno1" jump filter_FWD_FedoraWorkstation
iifname "eno1" oifname "eno1" reject with icmpx admin-prohibited
iifname "eno1" jump filter_FWD_FedoraWorkstation
iifname "eno1" reject with icmpx admin-prohibited
oifname "eno1" jump filter_FWD_FedoraWorkstation
oifname "eno1" reject with icmpx admin-prohibited
jump filter_FWD_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_OUTPUT_POLICIES {
oifname "eno1" jump filter_OUT_FedoraWorkstation
oifname "eno1" return
jump filter_OUT_FedoraWorkstation
return
}
chain filter_IN_FedoraWorkstation {
jump filter_IN_FedoraWorkstation_pre
jump filter_IN_FedoraWorkstation_log
jump filter_IN_FedoraWorkstation_deny
jump filter_IN_FedoraWorkstation_allow
jump filter_IN_FedoraWorkstation_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 22 accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 accept
udp dport 138 accept
ip daddr 224.0.0.251 udp dport 5353 accept
ip6 daddr ff02::fb udp dport 5353 accept
udp dport 1025-65535 accept
tcp dport 1025-65535 accept
}
chain filter_IN_FedoraWorkstation_post {
}
chain filter_OUT_FedoraWorkstation {
jump filter_OUT_FedoraWorkstation_pre
jump filter_OUT_FedoraWorkstation_log
jump filter_OUT_FedoraWorkstation_deny
jump filter_OUT_FedoraWorkstation_allow
jump filter_OUT_FedoraWorkstation_post
}
chain filter_OUT_FedoraWorkstation_pre {
}
chain filter_OUT_FedoraWorkstation_log {
}
chain filter_OUT_FedoraWorkstation_deny {
}
chain filter_OUT_FedoraWorkstation_allow {
}
chain filter_OUT_FedoraWorkstation_post {
}
chain nat_OUT_FedoraWorkstation {
jump nat_OUT_FedoraWorkstation_pre
jump nat_OUT_FedoraWorkstation_log
jump nat_OUT_FedoraWorkstation_deny
jump nat_OUT_FedoraWorkstation_allow
jump nat_OUT_FedoraWorkstation_post
}
chain nat_OUT_FedoraWorkstation_pre {
}
chain nat_OUT_FedoraWorkstation_log {
}
chain nat_OUT_FedoraWorkstation_deny {
}
chain nat_OUT_FedoraWorkstation_allow {
}
chain nat_OUT_FedoraWorkstation_post {
}
chain nat_POST_FedoraWorkstation {
jump nat_POST_FedoraWorkstation_pre
jump nat_POST_FedoraWorkstation_log
jump nat_POST_FedoraWorkstation_deny
jump nat_POST_FedoraWorkstation_allow
jump nat_POST_FedoraWorkstation_post
}
chain nat_POST_FedoraWorkstation_pre {
}
chain nat_POST_FedoraWorkstation_log {
}
chain nat_POST_FedoraWorkstation_deny {
}
chain nat_POST_FedoraWorkstation_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_FedoraWorkstation_post {
}
chain filter_FWD_FedoraWorkstation {
jump filter_FWD_FedoraWorkstation_pre
jump filter_FWD_FedoraWorkstation_log
jump filter_FWD_FedoraWorkstation_deny
jump filter_FWD_FedoraWorkstation_allow
jump filter_FWD_FedoraWorkstation_post
}
chain filter_FWD_FedoraWorkstation_pre {
}
chain filter_FWD_FedoraWorkstation_log {
}
chain filter_FWD_FedoraWorkstation_deny {
}
chain filter_FWD_FedoraWorkstation_allow {
}
chain filter_FWD_FedoraWorkstation_post {
}
chain nat_PRE_FedoraWorkstation {
jump nat_PRE_FedoraWorkstation_pre
jump nat_PRE_FedoraWorkstation_log
jump nat_PRE_FedoraWorkstation_deny
jump nat_PRE_FedoraWorkstation_allow
jump nat_PRE_FedoraWorkstation_post
}
chain nat_PRE_FedoraWorkstation_pre {
}
chain nat_PRE_FedoraWorkstation_log {
}
chain nat_PRE_FedoraWorkstation_deny {
}
chain nat_PRE_FedoraWorkstation_allow {
}
chain nat_PRE_FedoraWorkstation_post {
}
chain mangle_PRE_FedoraWorkstation {
jump mangle_PRE_FedoraWorkstation_pre
jump mangle_PRE_FedoraWorkstation_log
jump mangle_PRE_FedoraWorkstation_deny
jump mangle_PRE_FedoraWorkstation_allow
jump mangle_PRE_FedoraWorkstation_post
}
chain mangle_PRE_FedoraWorkstation_pre {
}
chain mangle_PRE_FedoraWorkstation_log {
}
chain mangle_PRE_FedoraWorkstation_deny {
}
chain mangle_PRE_FedoraWorkstation_allow {
}
chain mangle_PRE_FedoraWorkstation_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
}
If I issue
sudo firewall-cmd --zone=public --add-forward
sudo firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.122.236
the content of nft list ruleset still stays the same. :o
If I issue the two firewalld rules with the --permanent option and reload, it still isn't possible to connect. Though then two new rules do appear among the nft rules.
table ip6 lxc {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip6 saddr fc11:4514:1919:810::/64 ip6 daddr != fc11:4514:1919:810::/64 counter packets 2 bytes 281 masquerade
}
}
table inet lxc {
chain input {
type filter hook input priority filter; policy accept;
iifname "lxcbr0" udp dport { 53, 67 } accept
iifname "lxcbr0" tcp dport { 53, 67 } accept
}
chain forward {
type filter hook forward priority filter; policy accept;
iifname "lxcbr0" accept
oifname "lxcbr0" accept
}
}
table ip lxc {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 1 bytes 234 masquerade
}
}
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES
}
chain mangle_PREROUTING_POLICIES {
iifname "eno1" jump mangle_PRE_policy_allow-host-ipv6
iifname "eno1" jump mangle_PRE_FedoraWorkstation
iifname "eno1" return
jump mangle_PRE_policy_allow-host-ipv6
jump mangle_PRE_FedoraWorkstation
return
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES
}
chain nat_PREROUTING_POLICIES {
iifname "eno1" jump nat_PRE_policy_allow-host-ipv6
iifname "eno1" jump nat_PRE_FedoraWorkstation
iifname "eno1" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_FedoraWorkstation
return
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES
}
chain nat_POSTROUTING_POLICIES {
iifname "eno1" oifname "eno1" jump nat_POST_FedoraWorkstation
iifname "eno1" oifname "eno1" return
oifname "eno1" jump nat_POST_FedoraWorkstation
oifname "eno1" return
iifname "eno1" jump nat_POST_FedoraWorkstation
iifname "eno1" return
jump nat_POST_FedoraWorkstation
return
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES
}
chain nat_OUTPUT_POLICIES {
oifname "eno1" jump nat_OUT_FedoraWorkstation
oifname "eno1" return
jump nat_OUT_FedoraWorkstation
return
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_POLICIES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_POLICIES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES
}
chain filter_INPUT_POLICIES {
iifname "eno1" jump filter_IN_policy_allow-host-ipv6
iifname "eno1" jump filter_IN_FedoraWorkstation
iifname "eno1" reject with icmpx admin-prohibited
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_FORWARD_POLICIES {
iifname "eno1" oifname "eno1" jump filter_FWD_FedoraWorkstation
iifname "eno1" oifname "eno1" reject with icmpx admin-prohibited
iifname "eno1" jump filter_FWD_FedoraWorkstation
iifname "eno1" reject with icmpx admin-prohibited
oifname "eno1" jump filter_FWD_FedoraWorkstation
oifname "eno1" reject with icmpx admin-prohibited
jump filter_FWD_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_OUTPUT_POLICIES {
oifname "eno1" jump filter_OUT_FedoraWorkstation
oifname "eno1" return
jump filter_OUT_FedoraWorkstation
return
}
chain filter_IN_FedoraWorkstation {
jump filter_IN_FedoraWorkstation_pre
jump filter_IN_FedoraWorkstation_log
jump filter_IN_FedoraWorkstation_deny
jump filter_IN_FedoraWorkstation_allow
jump filter_IN_FedoraWorkstation_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 22 accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 accept
udp dport 138 accept
ip daddr 224.0.0.251 udp dport 5353 accept
ip6 daddr ff02::fb udp dport 5353 accept
udp dport 1025-65535 accept
tcp dport 1025-65535 accept
}
chain filter_IN_FedoraWorkstation_post {
}
chain filter_OUT_FedoraWorkstation {
jump filter_OUT_FedoraWorkstation_pre
jump filter_OUT_FedoraWorkstation_log
jump filter_OUT_FedoraWorkstation_deny
jump filter_OUT_FedoraWorkstation_allow
jump filter_OUT_FedoraWorkstation_post
}
chain filter_OUT_FedoraWorkstation_pre {
}
chain filter_OUT_FedoraWorkstation_log {
}
chain filter_OUT_FedoraWorkstation_deny {
}
chain filter_OUT_FedoraWorkstation_allow {
}
chain filter_OUT_FedoraWorkstation_post {
}
chain nat_OUT_FedoraWorkstation {
jump nat_OUT_FedoraWorkstation_pre
jump nat_OUT_FedoraWorkstation_log
jump nat_OUT_FedoraWorkstation_deny
jump nat_OUT_FedoraWorkstation_allow
jump nat_OUT_FedoraWorkstation_post
}
chain nat_OUT_FedoraWorkstation_pre {
}
chain nat_OUT_FedoraWorkstation_log {
}
chain nat_OUT_FedoraWorkstation_deny {
}
chain nat_OUT_FedoraWorkstation_allow {
}
chain nat_OUT_FedoraWorkstation_post {
}
chain nat_POST_FedoraWorkstation {
jump nat_POST_FedoraWorkstation_pre
jump nat_POST_FedoraWorkstation_log
jump nat_POST_FedoraWorkstation_deny
jump nat_POST_FedoraWorkstation_allow
jump nat_POST_FedoraWorkstation_post
}
chain nat_POST_FedoraWorkstation_pre {
}
chain nat_POST_FedoraWorkstation_log {
}
chain nat_POST_FedoraWorkstation_deny {
}
chain nat_POST_FedoraWorkstation_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_FedoraWorkstation_post {
}
chain filter_FWD_FedoraWorkstation {
jump filter_FWD_FedoraWorkstation_pre
jump filter_FWD_FedoraWorkstation_log
jump filter_FWD_FedoraWorkstation_deny
jump filter_FWD_FedoraWorkstation_allow
jump filter_FWD_FedoraWorkstation_post
}
chain filter_FWD_FedoraWorkstation_pre {
}
chain filter_FWD_FedoraWorkstation_log {
}
chain filter_FWD_FedoraWorkstation_deny {
}
chain filter_FWD_FedoraWorkstation_allow {
oifname "eno1" accept
}
chain filter_FWD_FedoraWorkstation_post {
}
chain nat_PRE_FedoraWorkstation {
jump nat_PRE_FedoraWorkstation_pre
jump nat_PRE_FedoraWorkstation_log
jump nat_PRE_FedoraWorkstation_deny
jump nat_PRE_FedoraWorkstation_allow
jump nat_PRE_FedoraWorkstation_post
}
chain nat_PRE_FedoraWorkstation_pre {
}
chain nat_PRE_FedoraWorkstation_log {
}
chain nat_PRE_FedoraWorkstation_deny {
}
chain nat_PRE_FedoraWorkstation_allow {
meta nfproto ipv4 tcp dport 8080 dnat ip to 192.168.122.236:80
}
chain nat_PRE_FedoraWorkstation_post {
}
chain mangle_PRE_FedoraWorkstation {
jump mangle_PRE_FedoraWorkstation_pre
jump mangle_PRE_FedoraWorkstation_log
jump mangle_PRE_FedoraWorkstation_deny
jump mangle_PRE_FedoraWorkstation_allow
jump mangle_PRE_FedoraWorkstation_post
}
chain mangle_PRE_FedoraWorkstation_pre {
}
chain mangle_PRE_FedoraWorkstation_log {
}
chain mangle_PRE_FedoraWorkstation_deny {
}
chain mangle_PRE_FedoraWorkstation_allow {
}
chain mangle_PRE_FedoraWorkstation_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
}
Can you put an allow towards virbr0 into the forward chain?
That is, here:
chain filter_FWD_FedoraWorkstation_allow {
oifname "eno1" accept
}
something like this:
chain filter_FWD_FedoraWorkstation_allow {
oifname "eno1" accept
oifname "virbr0" accept
}
you've got a strange sense of humour...
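A small diagnostic over the `nft list ruleset` output discussed above, added here as an example and not code from the thread: it checks whether a zone has both the DNAT rule and a forward accept towards the container bridge, and flags the state shown in the reply above, where only `oifname "eno1" accept` is present. The zone name, ports and addresses are the thread's values taken as assumptions; the two rulesets are constructed, trimmed samples.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a firewalld zone carries the
# two rules a forward-port to an LXC container needs:
#   1. a DNAT rule in nat_PRE_<zone>_allow for host port -> container:port
#   2. a forward accept towards the container bridge in filter_FWD_<zone>_allow
# Zone/port/address values are assumptions taken from the thread.

# Constructed sample modelled on the thread's ruleset after --permanent + reload:
# forwarding is only accepted out of eno1, not towards virbr0.
SAMPLE_RULESET='table inet firewalld {
    chain filter_FWD_FedoraWorkstation_allow {
        oifname "eno1" accept
    }
    chain nat_PRE_FedoraWorkstation_allow {
        meta nfproto ipv4 tcp dport 8080 dnat ip to 192.168.122.236:80
    }
}'

# Constructed sample: the same ruleset with the accept towards virbr0 added.
FIXED_RULESET='table inet firewalld {
    chain filter_FWD_FedoraWorkstation_allow {
        oifname "eno1" accept
        oifname "virbr0" accept
    }
    chain nat_PRE_FedoraWorkstation_allow {
        meta nfproto ipv4 tcp dport 8080 dnat ip to 192.168.122.236:80
    }
}'

# chain_rules RULESET CHAIN: print the rule lines of CHAIN, leading whitespace stripped.
chain_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && $1 == "}"          { inside = 0 }
        inside                       { sub(/^[ \t]+/, ""); print }'
}

# check_forward RULESET ZONE HOSTPORT DEST_IP DEST_PORT BRIDGE
# Prints one line per missing prerequisite; the return code is the number missing.
check_forward() {
    ruleset=$1 zone=$2 hostport=$3 dest=$4 destport=$5 bridge=$6
    missing=0
    if ! chain_rules "$ruleset" "nat_PRE_${zone}_allow" \
            | grep -qF "tcp dport ${hostport} dnat ip to ${dest}:${destport}"; then
        echo "missing: DNAT ${hostport} -> ${dest}:${destport} in nat_PRE_${zone}_allow (--add-forward-port)"
        missing=$((missing + 1))
    fi
    if ! chain_rules "$ruleset" "filter_FWD_${zone}_allow" \
            | grep -qF "oifname \"${bridge}\" accept"; then
        echo "missing: forward accept towards ${bridge} in filter_FWD_${zone}_allow"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Stand-alone run over the two constructed samples.
# On a live host the first argument would be "$(nft list ruleset)" instead.
check_forward "$SAMPLE_RULESET" FedoraWorkstation 8080 192.168.122.236 80 virbr0 || true
check_forward "$FIXED_RULESET" FedoraWorkstation 8080 192.168.122.236 80 virbr0 && echo "all prerequisites present"
```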
You write about eno0, but the firewall has eno1; is that intentional? It's not that important, because as far as I can see, after adding the jump with the interface it adds the same jump without the interface as well.
chain nat_PREROUTING_POLICIES {
iifname "eno1" jump nat_PRE_policy_allow-host-ipv6
iifname "eno1" jump nat_PRE_FedoraWorkstation
iifname "eno1" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_FedoraWorkstation
return
}
So here the iifname eno1 does nothing; the rule without iifname will do what you want if you have eno0.
you've got a strange sense of humour...
It's eno1, just a typo.
There's a libvirt zone in firewalld:
# firewall-cmd --zone=libvirt --list-all
libvirt
target: ACCEPT
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: virbr0
sources:
services: dhcp dhcpv6 dns ssh tftp
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
But that doesn't help either.
Does this work for anyone? Are LXC containers reachable from outside at all? Otherwise there isn't much point... :(
The virbr0 interface is in the libvirt zone:
firewall-cmd --zone=libvirt --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.122.143
container IP: 192.168.122.143
"curl 192.168.122.143" works; the Apache test page comes up.
Why doesn't it work from the other (host) IP address?
curl localhost:8080
curl: (7) Failed to connect to localhost port 8080 after 0 ms: Couldn't connect to server
It works under Debian 12. Though there are only a few dst-nat lines in iptables; the firewalling is done by an external router.
A while ago I had the problem that when I wanted to change the default IP range of the default bridge (10.0.3.0/24), it didn't work, because the dnsmasq DHCP server configures itself to it. It could have been solved, but it was simpler to set up a new bridge interface with the required IP range.
"Collapse is inevitable, catastrophe is probable, extinction is possible." (Jem Bendell)
It'll probably end up being a bridge interface; that just works.