Container - Destination Port Unreachable

[floh79]

Hello I setup the third proxmox-machine. There I have network issues.

I doublechecked everything, but still didn't find my mistake yet. I'm sure it's just a little thing to fix.

On Container:

floh@container01:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Destination Port Unreachable

floh@container01:~$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.10.50/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:8ba7/64 scope link
       valid_lft forever preferred_lft forever

On Host:

floh@node02:~$ cat /etc/iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15022 -j ACCEPT
-A INPUT -p udp -i vmbr0 --dport 53 -j ACCEPT
-A INPUT -p tcp -i vmbr0 --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 6
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [46:4305]
:INPUT ACCEPT [19:2721]
:OUTPUT ACCEPT [26:1560]
:POSTROUTING ACCEPT [26:1560]
COMMIT

floh@katana02:~$ cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address xxx.xxx.xxx.xxx/24
    gateway xxx.xxx.xxx.1
    dns-search samurait.de
    dns-nameservers xxx.xxx.xxx.xxx

    pre-up iptables-restore < /etc/iptables.rules

iface eth0 inet6 static
    address xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0001/64
    gateway fe80::1

auto vmbr0
iface vmbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    pre-up ip6tables-restore < /etc/ip6tables.rules

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up        iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    post-down    iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

root@katana02:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 810 packets, 164K bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain INPUT (policy ACCEPT 162 packets, 9531 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 200 packets, 13453 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain POSTROUTING (policy ACCEPT 200 packets, 13453 bytes)
pkts bytes target     prot opt in     out     source               destination       
    0     0 MASQUERADE  all  --  any    eth0    10.10.10.0/24        anywhere

floh@node02:~$ cat /proc/sys/net/ipv4/ip_forward
1

• From outside I'm able to access to that container, by using proxy pass with nginx on host as intented.
• host and container can ping each other.
• I can access container by ssh from host.

Do you see what I'm not seeing? If you need further information, let me know please which ones I should provide?

Best regards
Floh

 

[wolfgang]

Hi,

ICMP packages are not processed by MASQUERADE.

 

[floh79]

Hello it's me again. I still have the issue. In the meanwhile I found out if I comment out the line 'pre-up iptables-restore < /etc/iptables.rules' the container are able to connect to internet. So why? Somewhat must be wrong with iptables.

@wolfgang: I dunno what you mean, on other machine I can ping so its processed by MASQUERADE. I also tried different things like wget, apt update, etc. it always says "Network is unreachable" no matter what.

UPDATE: Now it works. I dunno why I oversaw the one line '-A FORWARD -j REJECT --reject-with icmp-port-unreachable' it was commented out but dunno why it's not commented out anymore. I removed the line now I can ping. *sigh* But this shouldn't affect the other connections like wget, apt update... but to be honest: I dunno anymore what I changed since my post is one year old so I don't remember exactly what I've tried one year ago.

Sorry for bothering you.

Best regards
Floh