I tried to reproduce this in an up-to-date bionic VM as follows:

    # inside the bionic VM
    sudo snap install lxd
    sudo lxd init   # accept defaults
    sudo lxc launch ubuntu-daily:hirsute hirsute
    sudo lxc exec hirsute /bin/bash

    # then inside the hirsute container install livecd-rootfs
    apt update
    apt install livecd-rootfs

    # http works as expected with no changes
    wget -q www.google.com -O/dev/null && echo Working || echo Failed
    Working
    # works as expected with no iptables rule

    # add iptables rule manually
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
      -j REDIRECT --to 8080

    # now we expect it to fail as there is no magic-proxy running yet
    wget -q www.google.com -O/dev/null && echo Working || echo Failed
    Failed

    # start the magic-proxy manually
    /usr/share/livecd-rootfs/magic-proxy \
      --address="127.0.0.1" \
      --port=8080 \
      --run-as=daemon \
      --cutoff-time=0 \
      --log-file=livecd.magic-proxy.log \
      --pid-file=magic-proxy.pid \
      --background \
      --setsid

    # wget works as expected via the proxy
    wget -q www.google.com -O/dev/null && echo Working || echo Failed
    Working

    # kill the proxy
    killall magic-proxy

    # fails again
    wget -q www.google.com -O/dev/null && echo Working || echo Failed
    Failed

    # remove iptables rule
    iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
      -j REDIRECT --to 8080

    # works as normal
    wget -q www.google.com -O/dev/null && echo Working || echo Failed
    Working

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in Launchpad itself:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  When iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2, magic-proxy stopped working in livecd-rootfs. It does a very simple thing:

      iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside a hirsute lxd container, with quite high privileges, in a bionic VM running a 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no outbound connectivity: the very first http networking command after the above call would just hang indefinitely. However, if one does this instead:

      iptables -vv -t nat -S
      iptables-legacy -vv -t nat -S
      iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine. Weird.
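The reproduction above depends on three observable conditions: which iptables backend is active, whether the REDIRECT rule actually landed in the nat OUTPUT chain (exactly once), and whether magic-proxy is listening on 127.0.0.1:8080. The helper below, added here as an example and not part of livecd-rootfs or the bug report, classifies a host into the states seen in the thread (no rule, rule but no proxy, duplicate rule, ok). Each function takes captured command output as a string, so it runs without root; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not livecd-rootfs code): pre-flight checks for the port-80
# owner-excluding REDIRECT rule used by magic-proxy.  Functions take command
# output as a string so they can be exercised unprivileged.

# Backend name from `iptables -V`, e.g. "iptables v1.8.7 (nf_tables)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count the REDIRECT rules in `iptables -t nat -S OUTPUT` output.
# 0: rule never landed in the nat table; >1: repeated -A created duplicates
# (run `iptables -t nat -C ...` before -A to keep the add idempotent).
redirect_rule_count() {
    printf '%s\n' "$1" |
        grep -c -E -- '^-A OUTPUT .*--dport 80 .*! --uid-owner [^ ]+ -j REDIRECT --to-ports 8080$' || true
}

# True when `ss -ltn` output shows a listener on 127.0.0.1:8080.
proxy_listening() {
    printf '%s\n' "$1" | grep -q -E '^LISTEN[[:space:]].*[[:space:]]127\.0\.0\.1:8080[[:space:]]'
}

# One state word per host: no-rule, rule-no-proxy (the "wget hangs" symptom
# from the thread, since port 80 is redirected to nothing), duplicate-rule, ok.
redirect_state() {
    count=$(redirect_rule_count "$1")
    if [ "$count" -eq 0 ]; then echo no-rule
    elif ! proxy_listening "$2"; then echo rule-no-proxy
    elif [ "$count" -gt 1 ]; then echo duplicate-rule
    else echo ok
    fi
}

# Constructed sample output, modelled on the state after the manual rule add.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 1 -j REDIRECT --to-ports 8080'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*'

iptables_backend 'iptables v1.8.7 (nf_tables)'   # nf_tables
redirect_state "$SAMPLE_RULES" ''                  # rule-no-proxy
redirect_state "$SAMPLE_RULES" "$SAMPLE_SS"        # ok
```

On a live host, feed it real output: `redirect_state "$(iptables -t nat -S OUTPUT)" "$(ss -ltn)"`.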