[SOLVED] Apt upgrade not working anymore

Kyreus

May 23, 2019
Hey,
I created some new Containers today, all worked fine.
I don't know what I changed, but suddenly none of my Containers can run apt update anymore.

The error message: 0% [Connecting to klecker-ftp.debian.org (130.89.148.12)] [Connecting to prod.debian.map.fastly.net (151.101.12.204)]

I don't know what I've changed that it does not work anymore. Just for your information: yes, I am able to ping the IP addresses in the error message.
 
hmm - do you have a(ny) firewall enabled in the container, on the node or somewhere in the way to klecker-ftp.debian.org, prod.debian.map.fastly.net?
 
My setup is like this:
I have 1 external IP address and I have an internal network between my containers, and I'm NATting in between the main host and the containers. It worked all fine for days, but suddenly it stopped working and I don't know why...

Code:
auto vmbr1
iface vmbr1 inet static
        address  192.168.0.254
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.251:80
        post-down iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.251:80
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.251:443
        post-down iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.251:443
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
        post-down iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to-destination 192.168.0.250:20
        post-down iptables -t nat -D PREROUTING -p tcp --dport 20 -j DNAT --to-destination 192.168.0.250:20
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.0.250:21
        post-down iptables -t nat -D PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.0.250:21
        post-up   iptables -t nat -A PREROUTING -p tcp --dport 40000:50000 -j DNAT --to-destination 192.168.0.250
        post-down iptables -t nat -D PREROUTING -p tcp --dport 40000:50000 -j DNAT --to-destination 192.168.0.250
#Internal Network
 
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.251:80
hmm - not too sure but this could very well be the problem - apt usually contacts the mirrors via http - and this rule could send the traffic to 192.168.0.251

please try removing the dnat rules and see if the problem goes away - if it does you need to make sure to only dnat packets arriving from the outside

hope this helps!
 
Would be interesting if this works, because I haven't touched these rules for days and until today it worked. But I'll try now

EDIT:
I just tried it and yeah, you were right... Interesting that it worked a few days, but actually I need to forward the ports 80 and 443 to a specific container. Is there a way I can still forward them?

EDIT:
Okay, I already fixed it. I just had to tell iptables which interface to forward. So a "-i vmbr0" was enough to get everything working again.
 
glad you found the solution! happy proxmoxing!
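
An added example, not part of the original posts: a small Python check for an ifupdown stanza like the one posted above. It flags PREROUTING DNAT rules that have no `-i` match (the cause found in this thread) and post-up/post-down pairs whose rule text differs, as the port 22 pair in the posted config does. The sample lines, function names and finding labels are constructed for illustration.

```python
import shlex

# Constructed sample in the style of the thread's vmbr1 stanza.
SAMPLE = """\
post-up   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.251:80
post-down iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.251:80
post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.251:443
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.251:443
post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
"""

def parse_hooks(text):
    """Yield (lineno, hook, iptables_args) for each post-up/post-down iptables line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 3 and tokens[0] in ("post-up", "post-down") and tokens[1] == "iptables":
            yield lineno, tokens[0], tokens[2:]

def audit(text):
    """Return sorted (lineno, label) findings for the stanza."""
    findings, added, deleted = [], {}, {}
    for lineno, hook, args in parse_hooks(text):
        # Rule text without the -A/-D flag, so an add and its delete compare equal.
        spec = tuple(a for a in args if a not in ("-A", "-D"))
        if hook == "post-up" and "-A" in args:
            added[spec] = lineno
            # Without an input-interface match, DNAT also rewrites the
            # containers' own outbound traffic to that port (apt over HTTP).
            if {"PREROUTING", "DNAT"} <= set(args) and not {"-i", "--in-interface"} & set(args):
                findings.append((lineno, "dnat-any-interface"))
        elif hook == "post-down" and "-D" in args:
            deleted[spec] = lineno
    # A post-down that does not repeat the post-up rule text leaves the rule in place.
    findings += [(n, "no-matching-post-down") for s, n in added.items() if s not in deleted]
    findings += [(n, "no-matching-post-up") for s, n in deleted.items() if s not in added]
    return sorted(findings)

if __name__ == "__main__":
    for lineno, label in audit(SAMPLE):
        print(f"line {lineno}: {label}")
```
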