LXD container can reach the host but not the LAN

Published: 2025-08-15 ⋅ Reads: 19 ⋅ Likes: 0

Problem

sudo snap install lxd
lxd init                        # accept every default (creates the lxdbr0 bridge with NAT)
lxc launch ubuntu:20.04 mytest  # start a test container on that bridge

With the container created this way, from inside it only the host's own IP answers ping; every other machine on the LAN is unreachable.

Cause

After some digging, the culprit is the iptables configuration, almost certainly installed by Docker. In the output below the FORWARD chain has a default policy of DROP, and the counter on that policy line (705 packets) is exactly the counter on the two jump rules Docker puts at the top of the chain: every packet the host tried to forward for the container walked through DOCKER-USER (which only RETURNs) and DOCKER-FORWARD (whose only ACCEPT is for traffic arriving from docker0), matched nothing, and fell through to the DROP policy. Traffic addressed to the host itself goes through INPUT, not FORWARD, which is why pinging the host still works. Two checks worth doing before touching anything: the warning on the first line says legacy tables are also present, so look at iptables-legacy -L -v -n as well; and if LXD is managing its firewall through nftables (nft list table inet lxd), its own ACCEPT rules live in a separate table and do not override a DROP verdict from the iptables FORWARD chain.

ubuntu@ubun:~$ sudo iptables -L -v -n
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 705 packets, 43116 bytes)
 pkts bytes target     prot opt in     out     source               destination
  705 43116 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
  705 43116 DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:8088
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8094
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80
    0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  705 43116 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0
  705 43116 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
  705 43116 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  705 43116 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Fix

# Allow traffic from lxdbr0 to be forwarded out through the host's uplink NIC (enp96s0f1np1 on this host)
sudo iptables -A FORWARD -i lxdbr0 -o enp96s0f1np1 -j ACCEPT
# ... and let only replies to connections the containers opened come back in
sudo iptables -A FORWARD -i enp96s0f1np1 -o lxdbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Make sure the NAT rule is in place: masquerade the lxdbr0 subnet behind the uplink address
sudo iptables -t nat -A POSTROUTING -s 10.128.195.0/24 -o enp96s0f1np1 -j MASQUERADE

Substitute your own values: the uplink interface comes from ip route show default and the bridge subnet from lxc network show lxdbr0 (10.128.195.0/24 is simply what LXD picked on this host). Appending to FORWARD works here only because Docker's chains RETURN or fall through for non-docker0 traffic; Docker's documentation reserves the DOCKER-USER chain for administrator rules and evaluates it before anything Docker itself adds, so iptables -I DOCKER-USER is the more robust placement. Either way the rules exist only in the running kernel and are gone after a reboot unless saved (iptables-save with netfilter-persistent, or a boot-time unit that re-applies them). The ESTABLISHED,RELATED match on the return rule is what keeps machines on the LAN from initiating connections into the containers; do not loosen it to a plain ACCEPT unless you intend to expose them.
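The same fix as a re-runnable script, written here as an added example; it is not part of the original post and not LXD's or Docker's own tooling. It reads the bridge subnet from LXD and the uplink from the default route instead of hard-coding them, prefers the DOCKER-USER chain when Docker is present, scopes the forward rules to the bridge subnet, and guards every rule with iptables -C so running it twice adds nothing. The bridge name lxdbr0, the LXD_BRIDGE environment variable, the conntrack match and the show/apply arguments are assumptions of this example. The pure helpers (cidr_network, forward_policy, lxd_fix_rules) never touch the kernel, so their logic can be checked without root.

```shell
#!/bin/sh
# Added example: repair host forwarding for an LXD bridge that Docker's
# FORWARD policy (DROP) is blocking. Not code from the original post.
# Assumptions: bridge name from $LXD_BRIDGE (default lxdbr0), uplink taken
# from the default route, subnet taken from LXD's ipv4.address setting.
# Usage:  sudo sh lxd-forward-fix.sh show    # print the commands only
#         sudo sh lxd-forward-fix.sh apply   # run them

# cidr_network A.B.C.D/N -> network/N, e.g. 10.128.195.1/24 -> 10.128.195.0/24
# (iptables would mask the host bits itself, but the rules read better this way)
cidr_network() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        ip   = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        step = 2 ^ (32 - $5)                  # size of the address block
        net  = int(ip / step) * step          # clear the host bits
        printf "%d.%d.%d.%d/%d\n",
            int(net / 16777216) % 256, int(net / 65536) % 256,
            int(net / 256) % 256, net % 256, $5
    }'
}

# forward_policy: read `iptables -L FORWARD -v -n` on stdin and print the
# chain's default policy plus the packets it has discarded, e.g. "DROP 705".
forward_policy() {
    awk '/^Chain FORWARD \(policy/ { print $4, $5; exit }'
}

# lxd_fix_rules BRIDGE UPLINK SUBNET CHAIN: print idempotent iptables commands.
# CHAIN should be DOCKER-USER when Docker is installed (evaluated before
# Docker's own rules, and Docker never rewrites it) and FORWARD otherwise.
lxd_fix_rules() {
    br=$1 up=$2 net=$3 chain=$4
    # containers -> LAN, restricted to the bridge's own subnet
    out="-i $br -o $up -s $net -j ACCEPT"
    # LAN -> containers only for replies to connections the containers opened
    back="-i $up -o $br -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for rule in "$out" "$back"; do
        printf 'iptables -C %s %s 2>/dev/null || iptables -I %s %s\n' \
            "$chain" "$rule" "$chain" "$rule"
    done
    # source NAT so the LAN sees the host's address rather than the 10.x one
    nat="-s $net ! -d $net -o $up -j MASQUERADE"
    printf 'iptables -t nat -C POSTROUTING %s 2>/dev/null || iptables -t nat -A POSTROUTING %s\n' \
        "$nat" "$nat"
}

main() {
    br=${LXD_BRIDGE:-lxdbr0}
    net=$(cidr_network "$(lxc network get "$br" ipv4.address)")
    up=$(ip -o route show default | awk '{ print $5; exit }')
    if iptables -n -L DOCKER-USER >/dev/null 2>&1; then chain=DOCKER-USER; else chain=FORWARD; fi
    echo "# FORWARD policy and drop count before the fix: $(iptables -L FORWARD -v -n | forward_policy)"
    if [ "$1" = apply ]; then
        lxd_fix_rules "$br" "$up" "$net" "$chain" | sh -e
    else
        lxd_fix_rules "$br" "$up" "$net" "$chain"
    fi
}

case ${1:-} in
    show|apply) main "$1" ;;
esac
```

Run it with show first and compare the printed commands against the chain you expect them to land in; apply pipes the same lines into sh -e, so the first failing iptables call stops the run instead of leaving a half-applied set. Both modes need root, because even the DOCKER-USER probe and the FORWARD counter read go through iptables.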
