Containers on Ubuntu denied WAN access due to default nft rule (docker)

[p3k]

Required information

• Distribution: Ubuntu
• Distribution version: 22.04.3 LTS
• The output of "lxc info" or if that fails:

  config:
    core.https_address: :8443
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - macaroon_authentication
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  - container_mount_propagation
  - container_backup
  - devlxd_images
  - container_local_cross_pool_handling
  - proxy_unix
  - proxy_udp
  - clustering_join
  - proxy_tcp_udp_multi_port_handling
  - network_state
  - proxy_unix_dac_properties
  - container_protection_delete
  - unix_priv_drop
  - pprof_http
  - proxy_haproxy_protocol
  - network_hwaddr
  - proxy_nat
  - network_nat_order
  - container_full
  - candid_authentication
  - backup_compression
  - candid_config
  - nvidia_runtime_config
  - storage_api_volume_snapshots
  - storage_unmapped
  - projects
  - candid_config_key
  - network_vxlan_ttl
  - container_incremental_copy
  - usb_optional_vendorid
  - snapshot_scheduling
  - snapshot_schedule_aliases
  - container_copy_project
  - clustering_server_address
  - clustering_image_replication
  - container_protection_shift
  - snapshot_expiry
  - container_backup_override_pool
  - snapshot_expiry_creation
  - network_leases_location
  - resources_cpu_socket
  - resources_gpu
  - resources_numa
  - kernel_features
  - id_map_current
  - event_location
  - storage_api_remote_volume_snapshots
  - network_nat_address
  - container_nic_routes
  - rbac
  - cluster_internal_copy
  - seccomp_notify
  - lxc_features
  - container_nic_ipvlan
  - network_vlan_sriov
  - storage_cephfs
  - container_nic_ipfilter
  - resources_v2
  - container_exec_user_group_cwd
  - container_syscall_intercept
  - container_disk_shift
  - storage_shifted
  - resources_infiniband
  - daemon_storage
  - instances
  - image_types
  - resources_disk_sata
  - clustering_roles
  - images_expiry
  - resources_network_firmware
  - backup_compression_algorithm
  - ceph_data_pool_name
  - container_syscall_intercept_mount
  - compression_squashfs
  - container_raw_mount
  - container_nic_routed
  - container_syscall_intercept_mount_fuse
  - container_disk_ceph
  - virtual-machines
  - image_profiles
  - clustering_architecture
  - resources_disk_id
  - storage_lvm_stripes
  - vm_boot_priority
  - unix_hotplug_devices
  - api_filtering
  - instance_nic_network
  - clustering_sizing
  - firewall_driver
  - projects_limits
  - container_syscall_intercept_hugetlbfs
  - limits_hugepages
  - container_nic_routed_gateway
  - projects_restrictions
  - custom_volume_snapshot_expiry
  - volume_snapshot_scheduling
  - trust_ca_certificates
  - snapshot_disk_usage
  - clustering_edit_roles
  - container_nic_routed_host_address
  - container_nic_ipvlan_gateway
  - resources_usb_pci
  - resources_cpu_threads_numa
  - resources_cpu_core_die
  - api_os
  - container_nic_routed_host_table
  - container_nic_ipvlan_host_table
  - container_nic_ipvlan_mode
  - resources_system
  - images_push_relay
  - network_dns_search
  - container_nic_routed_limits
  - instance_nic_bridged_vlan
  - network_state_bond_bridge
  - usedby_consistency
  - custom_block_volumes
  - clustering_failure_domains
  - resources_gpu_mdev
  - console_vga_type
  - projects_limits_disk
  - network_type_macvlan
  - network_type_sriov
  - container_syscall_intercept_bpf_devices
  - network_type_ovn
  - projects_networks
  - projects_networks_restricted_uplinks
  - custom_volume_backup
  - backup_override_name
  - storage_rsync_compression
  - network_type_physical
  - network_ovn_external_subnets
  - network_ovn_nat
  - network_ovn_external_routes_remove
  - tpm_device_type
  - storage_zfs_clone_copy_rebase
  - gpu_mdev
  - resources_pci_iommu
  - resources_network_usb
  - resources_disk_address
  - network_physical_ovn_ingress_mode
  - network_ovn_dhcp
  - network_physical_routes_anycast
  - projects_limits_instances
  - network_state_vlan
  - instance_nic_bridged_port_isolation
  - instance_bulk_state_change
  - network_gvrp
  - instance_pool_move
  - gpu_sriov
  - pci_device_type
  - storage_volume_state
  - network_acl
  - migration_stateful
  - disk_state_quota
  - storage_ceph_features
  - projects_compression
  - projects_images_remote_cache_expiry
  - certificate_project
  - network_ovn_acl
  - projects_images_auto_update
  - projects_restricted_cluster_target
  - images_default_architecture
  - network_ovn_acl_defaults
  - gpu_mig
  - project_usage
  - network_bridge_acl
  - warnings
  - projects_restricted_backups_and_snapshots
  - clustering_join_token
  - clustering_description
  - server_trusted_proxy
  - clustering_update_cert
  - storage_api_project
  - server_instance_driver_operational
  - server_supported_storage_drivers
  - event_lifecycle_requestor_address
  - resources_gpu_usb
  - clustering_evacuation
  - network_ovn_nat_address
  - network_bgp
  - network_forward
  - custom_volume_refresh
  - network_counters_errors_dropped
  - metrics
  - image_source_project
  - clustering_config
  - network_peer
  - linux_sysctl
  - network_dns
  - ovn_nic_acceleration
  - certificate_self_renewal
  - instance_project_move
  - storage_volume_project_move
  - cloud_init
  - network_dns_nat
  - database_leader
  - instance_all_projects
  - clustering_groups
  - ceph_rbd_du
  - instance_get_full
  - qemu_metrics
  - gpu_mig_uuid
  - event_project
  - clustering_evacuation_live
  - instance_allow_inconsistent_copy
  - network_state_ovn
  - storage_volume_api_filtering
  - image_restrictions
  - storage_zfs_export
  - network_dns_records
  - storage_zfs_reserve_space
  - network_acl_log
  - storage_zfs_blocksize
  - metrics_cpu_seconds
  - instance_snapshot_never
  - certificate_token
  - instance_nic_routed_neighbor_probe
  - event_hub
  - agent_nic_config
  - projects_restricted_intercept
  - metrics_authentication
  - images_target_project
  - cluster_migration_inconsistent_copy
  - cluster_ovn_chassis
  - container_syscall_intercept_sched_setscheduler
  - storage_lvm_thinpool_metadata_size
  - storage_volume_state_total
  - instance_file_head
  - instances_nic_host_name
  - image_copy_profile
  - container_syscall_intercept_sysinfo
  - clustering_evacuation_mode
  - resources_pci_vpd
  - qemu_raw_conf
  - storage_cephfs_fscache
  - network_load_balancer
  - vsock_api
  - instance_ready_state
  - network_bgp_holdtime
  - storage_volumes_all_projects
  - metrics_memory_oom_total
  - storage_buckets
  - storage_buckets_create_credentials
  - metrics_cpu_effective_total
  - projects_networks_restricted_access
  - storage_buckets_local
  - loki
  - acme
  - internal_metrics
  - cluster_join_token_expiry
  - remote_token_expiry
  - init_preseed
  - storage_volumes_created_at
  - cpu_hotplug
  - projects_networks_zones
  - network_txqueuelen
  - cluster_member_state
  - instances_placement_scriptlet
  - storage_pool_source_wipe
  - zfs_block_mode
  - instance_generation_id
  - disk_io_cache
  - amd_sev
  - storage_pool_loop_resize
  - migration_vm_live
  - ovn_nic_nesting
  - oidc
  - network_ovn_l3only
  - ovn_nic_acceleration_vdpa
  - cluster_healing
  - instances_state_total
  - auth_user
  - security_csm
  - instances_rebuild
  - numa_cpu_placement
  - custom_volume_iso
  - network_allocations
  - storage_api_remote_volume_snapshot_copy
  - zfs_delegate
  - operations_get_query_all_projects
  - metadata_configuration
  - syslog_socket
  - event_lifecycle_name_and_project
  - instances_nic_limits_priority
  - disk_initial_volume_configuration
  - operation_wait
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  auth_user_name: tobi
  auth_user_method: unix
  environment:
    addresses:
    - 192.168.8.106:8443
    - 172.17.0.1:8443
    - 172.18.0.1:8443
    - 10.218.181.1:8443
    - 10.0.3.1:8443
    architectures:
    - x86_64
    - i686
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIICADCCAYegAwIBAgIRAO+C0oKs4RKGFJWBQAP9W5swCgYIKoZIzj0EAwMwMzEc
      MBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzETMBEGA1UEAwwKcm9vdEBudWNr
      ZTAeFw0yMjA4MTAxNDQ1MDJaFw0zMjA4MDcxNDQ1MDJaMDMxHDAaBgNVBAoTE2xp
      bnV4Y29udGFpbmVycy5vcmcxEzARBgNVBAMMCnJvb3RAbnVja2UwdjAQBgcqhkjO
      PQIBBgUrgQQAIgNiAAQDv1YHq1MlOtm1VpN3o5xmcUkTGE7RjxFtHNabjOAIwvek
      tJVdDmZo4dNiCcoU3oiInr1wqAlDcVQ9eft/OD919qObtToXwzEs8zLwiLhiUey+
      JKkfj5nNMOa6SFlqFUejXzBdMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
      BgEFBQcDATAMBgNVHRMBAf8EAjAAMCgGA1UdEQQhMB+CBW51Y2tlhwR/AAABhxAA
      AAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2cAMGQCMEoC4xWKEYAkkLetCDpO
      MplZqeNGxb3VTMfr5L0GnZoy1LEBzK6AutyMXwPr4VGfMQIwWFAjjz+EJ8TvGx0e
      5MrrRYgEMpmRSLSwFHOfXTgLcB5d5L4nS8jgWblY9Np5ih9t
      -----END CERTIFICATE-----
    certificate_fingerprint: 622e4a47f325d3f7409bc436ac3a918b6b5bb358a3799e9bafce9de7387bc4d4
    driver: qemu | lxc
    driver_version: 8.1.1 | 5.0.3
    firewall: nftables
    kernel: Linux
    kernel_architecture: x86_64
    kernel_features:
      idmapped_mounts: "true"
      netnsid_getifaddrs: "true"
      seccomp_listener: "true"
      seccomp_listener_continue: "true"
      shiftfs: "false"
      uevent_injection: "true"
      unpriv_fscaps: "true"
    kernel_version: 6.5.0-14-generic
    lxc_features:
      cgroup2: "true"
      core_scheduling: "true"
      devpts_fd: "true"
      idmapped_mounts_v2: "true"
      mount_injection_file: "true"
      network_gateway_device_route: "true"
      network_ipvlan: "true"
      network_l2proxy: "true"
      network_phys_macvlan_mtu: "true"
      network_veth_router: "true"
      pidfd: "true"
      seccomp_allow_deny_syntax: "true"
      seccomp_notify: "true"
      seccomp_proxy_send_notify_fd: "true"
    os_name: Ubuntu
    os_version: "22.04"
    project: default
    server: lxd
    server_clustered: false
    server_event_mode: full-mesh
    server_name: nucke
    server_pid: 3413222
    server_version: "5.19"
    storage: zfs
    storage_version: 2.2.0-0ubuntu1~23.10
    storage_supported_drivers:
    - name: dir
      version: "1"
      remote: false
    - name: lvm
      version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.48.0
      remote: false
    - name: zfs
      version: 2.2.0-0ubuntu1~23.10
      remote: false
    - name: btrfs
      version: 5.16.2
      remote: false
    - name: ceph
      version: 17.2.6
      remote: true
    - name: cephfs
      version: 17.2.6
      remote: true
    - name: cephobject
      version: 17.2.6
      remote: true

Issue description

Container gets IP, can resolve hostname, but cannot ping anything outside the local network.

1. Create container
   2. Shell into container
   3. Ping a server like 1.1.1.1

Potential Fix

Found via a posting on discuss.linuxcontainers.org:

$ sudo nft add 'chain ip filter FORWARD { policy accept; }'

It begs the questions why this rule exists, when it was added (network access was possible before), and whether LXC or Ubuntu should handle this…

Moreover, the information about this nft rule was not easy to find, so maybe it could be added to the LXC guide?

[tomponline]

Does this page from our docs help?

https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/

[p3k]

Does this page from our docs help?

https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/

Thanks for the pointer, but not really, no. I was using UFW before but that is disabled on the machine. I had no knowledge of a different firewall running on the system. So all the sections about xtables and nftables would not mean anything, because I would assume there is no firewall running – i.e. the page does not apply to the issue. (I checked both, UFW and iptables, btw. – no rules at all.)

It would be helpful to get some example commands to find out if a firewall interferes, and then what to do about it. Even more helpful: if I would not have to think about a firewall that I did not even install or configure myself – and which seems to be a (new?) default in Ubuntu.

Both, LXD and Ubuntu, are maintained by Canonical – shouldn‘t this allow a smoother user experience?

[tomponline]

Please can you show reproducer steps, along with the output of sudo nft list ruleset and sudo iptables-save.

At this stage it not clear what the issue you are experiencing is.

[p3k]

Please can you show reproducer steps, along with the output of sudo nft list ruleset and sudo iptables-save.

At this stage it not clear what the issue you are experiencing is.

The issue: no connection to the WAN / Internet from any of the containers.

The culprit in sudo nft list ruleset:

table inet filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
        }
        …
}

I did not add this rule, nor did I enable or install nftables.

Update: Copy&pasted the wrong rule – now corrected.

[tomponline]

I did not add this rule, nor did I enable or install nftables.

What does sudo iptables-save show?

Please can we see the full output of sudo nft list ruleset too thanks

[p3k]

What does sudo iptables-save show?

# Generated by iptables-save v1.8.7 on Fri Feb  2 17:10:03 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [381403:534275826]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-f85f785e09c9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f85f785e09c9 -j DOCKER
-A FORWARD -i br-f85f785e09c9 ! -o br-f85f785e09c9 -j ACCEPT
-A FORWARD -i br-f85f785e09c9 -o br-f85f785e09c9 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f85f785e09c9 ! -o br-f85f785e09c9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f85f785e09c9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Feb  2 17:10:03 2024
# Generated by iptables-save v1.8.7 on Fri Feb  2 17:10:03 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-f85f785e09c9 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-f85f785e09c9 -j RETURN
COMMIT
# Completed on Fri Feb  2 17:10:03 2024

Please can we see the full output of sudo nft list ruleset too thanks

table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        iifname "br-f85f785e09c9" oifname != "br-f85f785e09c9" counter packets 636899 bytes 781772913 jump DOCKER-ISOLATION-STAGE-2
        counter packets 1840334 bytes 2127339670 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        counter packets 1840334 bytes 2127339670 jump DOCKER-USER
        counter packets 1840334 bytes 2127339670 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        oifname "br-f85f785e09c9" ct state related,established counter packets 853493 bytes 844759234 accept
        oifname "br-f85f785e09c9" counter packets 235 bytes 14100 jump DOCKER
        iifname "br-f85f785e09c9" oifname != "br-f85f785e09c9" counter packets 662181 bytes 786601931 accept
        iifname "br-f85f785e09c9" oifname "br-f85f785e09c9" counter packets 200 bytes 12000 accept
    }

    chain DOCKER-USER {
        counter packets 1963424 bytes 2227293050 return
    }

    chain INPUT {
        type filter hook input priority filter; policy accept;
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        oifname "br-f85f785e09c9" counter packets 0 bytes 0 drop
        counter packets 636899 bytes 781772913 return
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 542 bytes 32988 masquerade 
        oifname != "br-f85f785e09c9" ip saddr 172.18.0.0/16 counter packets 3799 bytes 230548 masquerade 
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 3963 bytes 1925920 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 1325 bytes 81878 jump DOCKER
    }

    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
        iifname "br-f85f785e09c9" counter packets 0 bytes 0 return
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
}
table ip6 nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table inet lxd {
    chain pstrt.lxdbr0 {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.218.181.0/24 ip daddr != 10.218.181.0/24 masquerade
    }

    chain fwd.lxdbr0 {
        type filter hook forward priority filter; policy accept;
        ip version 4 oifname "lxdbr0" accept
        ip version 4 iifname "lxdbr0" accept
    }

    chain in.lxdbr0 {
        type filter hook input priority filter; policy accept;
        iifname "lxdbr0" tcp dport 53 accept
        iifname "lxdbr0" udp dport 53 accept
        iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iifname "lxdbr0" udp dport 67 accept
    }

    chain out.lxdbr0 {
        type filter hook output priority filter; policy accept;
        oifname "lxdbr0" tcp sport 53 accept
        oifname "lxdbr0" udp sport 53 accept
        oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        oifname "lxdbr0" udp sport 67 accept
    }
}
table inet lxc {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lxcbr0" udp dport { 53, 67 } accept
        iifname "lxcbr0" tcp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "lxcbr0" accept
        oifname "lxcbr0" accept
    }
}
table ip lxc {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 19 bytes 2548 masquerade
    }
}

[tomponline]

You have docker installed, please see the section i linked to above:

https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker

[p3k]

Ah so it is Docker meddling with the connection of the LXC containers!?

So I am working through the suggestions of the document:

There are different ways of working around this problem:

• Uninstall Docker

Not an option.

• Enable IPv4 forwarding

I had net.ipv4.conf.all.forwarding set to 1 the whole time:

$ sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1

Shouldn’t it work then without changing the nft rule policy? (I restarted Docker even though the setting must have been already enabeld for multiple restarts.)

• Allow egress network traffic flows

Applying these commands indeed make the connection work:

$ sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
$ sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

🎉

Thanks for bearing with me! Two remaining questions:

1. Is the suggested sysctl solution only working in some circumstances?
2. Are the iptables commands better than the nft command I used?

[tomponline]

I had net.ipv4.conf.all.forwarding set to 1 the whole time:

LXD will enable it when it starts, however that may be too late if Docker has already started, and if it doesn't detect its enabled it will then start adding the firewall rules that drop forwarded packets.

The linked document suggests how to make it persistent across reboots so its set before Docker starts:

You must make this setting persistent across host reboots. One way of doing this is to add a file to the /etc/sysctl.d/ directory using the following commands:

echo "net.ipv4.conf.all.forwarding=1" > /etc/sysctl.d/99-forwarding.conf`
systemctl restart systemd-sysctl

In most modern systems the iptables command is actually just writing to nftables ruleset, so if you see the result of your iptables command appearing in nft list ruleset you can equally use the nft command to modify the same ruleset.