I have some LXC containers hosted on a Proxmox server. They are all connected to the same network (10.0.0.0/24) and are supposed to go out to the Internet through the Proxmox host (10.0.0.254 & WAN IP).
This is the Proxmox firewall configuration:
iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
I have two different networks connected to the host (10.0.0.0/24 & 20.0.0.0/24) and they can communicate correctly since IP forwarding is enabled.
net.ipv4.ip_forward=1
When I send a ping from a LAN station to the internet, only the first one seems to go through and not the others.
iptables -vL -t nat ns359014: Sat Jun 26 11:45:18 2021
Chain PREROUTING (policy ACCEPT 363 packets, 15858 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 116 packets, 5978 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 163 packets, 10679 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 163 packets, 10679 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- any vmbr0 10.0.0.0/24 anywhere
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
I captured a .pcap and it seems that the first request did go through and came back, but the firewall didn't forward it back into the LAN.
[image: ICMP PCAP]
This was working a few days ago until I pushed some updates and rebooted the firewall.
I spent the past couple of days trying a lot of things and I'm running out of ideas right now ^^
Any help would be appreciated.
EDIT: It seems that Docker was responsible for this issue; a clean new install of it resolved my problem.
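An added audit script, not part of the original post, that parses `iptables -S` dumps like the ones above and flags the usual reasons a Docker host stops forwarding NATed LAN traffic (Docker switches the FORWARD policy to DROP when it manages iptables, and DOCKER-USER is consulted before any other FORWARD rule). The first sample is the post's own dump; the second is a constructed dump of the state Docker typically leaves behind. Checking `net.ipv4.ip_forward` is outside the dump and is left to sysctl.

```python
import shlex

# Sample 1: the filter and nat dumps from the post (should audit clean).
POST_FILTER = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n-N DOCKER-USER"
POST_NAT = "-P POSTROUTING ACCEPT\n-N DOCKER\n-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE"
# Sample 2 (constructed): FORWARD policy DROP after a Docker start, with an ACCEPT
# for outbound LAN traffic but nothing accepting the replies coming back in.
DOCKER_FILTER = """-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A DOCKER-USER -j RETURN"""

def parse(dump):
    """Turn 'iptables -S' lines into ({chain: policy}, [(chain, {opt: [values]})])."""
    policies, rules = {}, []
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            opts, i = {}, 2
            while i < len(tok):  # "-s 10.0.0.0/24" -> {"-s": ["10.0.0.0/24"]}
                if tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                    opts.setdefault(tok[i], []).append(tok[i + 1]); i += 2
                else:
                    opts.setdefault(tok[i], []); i += 1
            rules.append((tok[1], opts))
    return policies, rules

def audit(filter_dump, nat_dump, lan, wan_if):
    """Return a list of findings explaining why LAN -> WAN traffic may not flow."""
    findings, (fpol, frules), (_, nrules) = [], parse(filter_dump), parse(nat_dump)
    fwd = [o for c, o in frules if c == "FORWARD"]
    accepts = [o for o in fwd if o.get("-j") == ["ACCEPT"]]
    if fpol.get("FORWARD") == "DROP":
        states = lambda o: "".join(o.get("--ctstate", []) + o.get("--state", []))
        if not any("ESTABLISHED" in states(o) for o in accepts):
            findings.append("FORWARD policy DROP (Docker sets this) and no RELATED,ESTABLISHED accept: WAN replies are never forwarded back to the LAN")
        if not any(o.get("-s") == [lan] for o in accepts):
            findings.append(f"FORWARD policy DROP and no ACCEPT for {lan}: outbound LAN traffic is dropped")
    if any(c == "DOCKER-USER" and o.get("-j", [""])[0] in ("DROP", "REJECT") for c, o in frules):
        findings.append("DOCKER-USER drops traffic and runs before every other FORWARD rule")
    if not any(c == "POSTROUTING" and o.get("-j") == ["MASQUERADE"] and o.get("-s") == [lan]
               and o.get("-o") == [wan_if] for c, o in nrules):
        findings.append(f"no MASQUERADE for {lan} out {wan_if} in nat POSTROUTING")
    return findings
```

On a live host, feed it `iptables -S` and `iptables -S -t nat` output; an empty result means the dumps look right and the conntrack table or Docker's own chains are the next place to look.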