Turris Data Collection blocks ports from LXC Containers

Hello! I’m running a NAS server (FTP, Samba, Webmin / Ubuntu 16.04) inside an LXC container. If I join the “Turris Data Collection Project”, the FTP server & Webmin inside the LXC container become unreachable. I would like to participate in the project – is it possible to run both? I’m not an iptables master :)

Thanks!

How is your container connected to the network? Is it unreachable from LAN, WAN or both?

Generally, data collection should not block anything.

Hello

This should not happen and if it is really caused by the data collection, it is a bug and we would like to identify it.

Do you have any info that could pinpoint where it is hidden? In which way is it unreachable? Does it say “No such host”, or does it time out? Can you install the programs one by one (e.g., ucollect-meta first, check if it causes the problem or not, nikola next)? Can you send us your iptables configuration (iptables-save output) when it works and when it doesn’t? If you don’t want to show it to others, you can for example email it to me (michal.vaner@nic.cz).

Thanks for your answers! The LXC container is only used inside the LAN. After enabling the data collection, the LXC server is still pingable and the Samba shares are working properly. But connecting with FTP fails.

Before enabling data collection:

After:

iptables output with data collection disabled: iptables with data collection - Pastebin.com
iptables output with data collection enabled: iptables with data collection - Pastebin.com

Thanks for the info. I don’t see anything in it right away, I’ll be looking through it in more detail soon. I created a bug for it (https://gitlab.labs.nic.cz/turris/common/issues/38). If you discover anything, I’ll be glad.

It looks like I’ve discovered the problem – and it was my fault, sorry! I completely forgot about an old device from pre-Turris times in my network, running with the same IP address as the LXC container. For reasons I don’t know, it worked if data collection was disabled – but if enabled, the old device got the FTP request (tried it several times before writing in the forum).