> On 09/01/2017 07:02 PM, Benjamin Asbach wrote:
> Hi there,
> I've some problems with connecting to my containers via my public domain from 
> the host itself. I'm using bridged network by lxc network. The setup looks 
> like this
> remote -> domain.com -> host -> container1 (nginx) -> container2 (app)
> When I curl from a remote location this works quite fine:
> curl https://sub.domain.com
> <html></html>%
> But when I'm doing the same from the host itself:
> curl https://sub.domain.com
> curl: (7) Failed to connect to sub.domain.com port 443: Connection refused
> I'm a little bit confused why this happens. I thought it might be connected to 
> iptables. But the rules look good to me:
> iptables-save
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *nat
> :PREROUTING ACCEPT [138088:14417714]
> :INPUT ACCEPT [51357:4468554]
> :OUTPUT ACCEPT [8593:788743]
> :POSTROUTING ACCEPT [8445:711271]
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 80 -j DNAT --to-destination 
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 443 -j DNAT --to-destination 
> -A PREROUTING -i ens18 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 
> -A POSTROUTING -s ! -d -m comment --comment 
> "generated for LXD network lxdbr0" -j MASQUERADE
> # Completed on Sat Sep 2 02:24:33 2017
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *mangle
> :PREROUTING ACCEPT [293993:48599155]
> :INPUT ACCEPT [188065:31562883]
> :FORWARD ACCEPT [19475:7104838]
> :OUTPUT ACCEPT [124159:16994042]
> :POSTROUTING ACCEPT [147110:24355452]
> -A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment 
> "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
> # Completed on Sat Sep 2 02:24:33 2017
> # Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
> *filter
> :INPUT ACCEPT [449:65419]
> :OUTPUT ACCEPT [274:37570]
> -A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> -A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> -A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> -A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" 
> -A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" 
> -A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> -A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated 
> for LXD network lxdbr0" -j ACCEPT
> # Completed on Sat Sep 2 02:24:33 2017
> Might the issue be related to the bridged network, or do you have any ideas 
> what's causing the problem?!

Hi Benjamin, I'll give this a stab.

Does the host have an address on the bridge?  To test, give it one. 
If it works make sure to add iptables rules so the host only accepts
EST,REL traffic from the bridge guests (barbarians at the gates, etc).

If you don't want the host to have a bridge address you'll have to set
up some other method such as NAT like you did for traffic coming in on

Good luck,
Mike Wright 
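An added illustration of the "some other method such as NAT" route Mike mentions (this is an editorial addition, not code from either poster). The reason the quoted DNAT rules do not help from the host itself is that packets the host generates never traverse nat/PREROUTING: they go OUTPUT -> POSTROUTING, so a rule with `-i ens18` can never match them, the connection lands on the host's own public address, and nothing listens there on 443. Repeating the DNAT in the nat OUTPUT chain, restricted to the host's own public address, fixes that. The public IP, the container address and the port list are assumed values (the thread elides them); `ens18`, `lxdbr0` and the ports 80/443/8022 are from the quoted rules.

```shell
#!/bin/sh
# Added example (not from the thread). Host-originated traffic skips
# nat/PREROUTING, so the "-i ens18 ... -j DNAT" rules never see a curl run
# on the host. Add the same DNAT to nat/OUTPUT, matching only the host's
# own public address so nothing else gets rewritten.
#
# Assumed (constructed) values; replace with the real ones:
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # address on ens18 (elided in the thread)
CONTAINER1="${CONTAINER1:-10.0.3.2}"     # nginx container on lxdbr0
PORTS="${PORTS:-80 443 8022}"            # same ports as the PREROUTING rules

# Dry-run by default: print the commands for review. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# One nat/OUTPUT DNAT rule per port. No SNAT is needed for this case: the
# host keeps its public IP as source, the container answers to that address,
# and its default route (the host's lxdbr0 address) delivers the reply back
# to the host, where conntrack reverses the DNAT.
local_dnat_rules() {
    for port in $PORTS; do
        $IPT -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$CONTAINER1:$port"
    done
}

# Stand-alone run: show what would be installed.
local_dnat_rules
```

After applying with `IPT=iptables`, `iptables -t nat -L OUTPUT -n -v` should show the packet counters on these rules increasing when `curl https://sub.domain.com` is run on the host; `-d "$PUBLIC_IP"` keeps the rewrite from touching any other destination the host talks to.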
Hi Mike,

thanks for your reply! I checked that the adapter has an address: 

ip addr
2: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP group default qlen 1000
    link/ether fe:06:96:f6:16:da brd ff:ff:ff:ff:ff:ff
    inet scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c98:e8ff:fe13:66e3/64 scope link 
       valid_lft forever preferred_lft forever

I tried to find some information on what you meant. But currently I'm a
little bit confused how to apply these ESTABLISHED and RELATED rules to
iptables. Do you mind going into a little bit more detail on that? 
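The ESTABLISHED,RELATED rules Mike refers to, spelled out as an added example for the lxdbr0 setup in the quoted iptables-save output (an editorial addition, not a reply from the thread; the bridge name and the DNS/DHCP ports come from the quoted rules, everything else is assumed). The idea is that a connection the host opened to a container, or one that reached a container by DNAT from outside, produces reply packets on lxdbr0 that conntrack classifies as ESTABLISHED (or RELATED, e.g. ICMP errors). Those are accepted, the DNS/DHCP services the containers need from the host's dnsmasq stay open, and any new connection a guest tries to open to the host itself is logged and dropped. FORWARD traffic between guests and the outside is not affected.

```shell
#!/bin/sh
# Added example, not from the thread: restrict what lxdbr0 guests may send
# to the host itself, as Mike suggests ("only EST,REL traffic from the
# bridge guests"). Emitted as commands for review; IPT=iptables applies them.
BRIDGE="${BRIDGE:-lxdbr0}"
IPT="${IPT:-echo iptables}"

bridge_input_rules() {
    # Replies to connections the host initiated, or that arrived via DNAT.
    $IPT -A INPUT -i "$BRIDGE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services the guests legitimately need from the host (LXD's dnsmasq).
    # LXD's own "generated for LXD network" rules already accept these;
    # they are repeated here so the final DROP is safe on its own.
    $IPT -A INPUT -i "$BRIDGE" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$BRIDGE" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$BRIDGE" -p udp --dport 67 -j ACCEPT
    # Rate-limited log of any other new connection attempt from a guest,
    # then drop it (INVALID and anything else falls through to the DROP too).
    $IPT -A INPUT -i "$BRIDGE" -m conntrack --ctstate NEW -m limit --limit 5/min \
        -j LOG --log-prefix "lxdbr0-guest-to-host: "
    $IPT -A INPUT -i "$BRIDGE" -j DROP
}

# Stand-alone run: show what would be installed.
bridge_input_rules
```

Because the filter INPUT policy in the quoted output is ACCEPT and these rules are appended with `-A`, LXD's existing accepts are evaluated first either way; check the resulting order with `iptables -S INPUT`, and watch `iptables -L INPUT -n -v` to confirm the ESTABLISHED,RELATED rule, not the DROP, is what counts the replies to the host's own curl.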


