Install: claude install-skill soulmachine/skills
# LXD ↔ Docker firewall conflict (FORWARD DROP)
When Docker and LXD share a host, **Docker sets the iptables `FORWARD` chain policy to `DROP`** and only
ACCEPTs traffic for its own bridges. Forwarded packets from the LXD bridge (`lxdbr0`) match nothing and fall
through to the DROP policy, so **LXD containers/VMs lose all outbound internet** — even though the host itself
is fine and the LXD bridge has `ipv4.nat=true`. The fix is to ACCEPT the LXD bridge in Docker's `DOCKER-USER`
chain and persist it.
⚠️ This is **not** a NAT, DNS, or LXD-config problem. The bridge's `ipv4.nat=true` and `net.ipv4.ip_forward=1`
are already correct — packets are dropped at the `FORWARD` hook before NAT ever applies. Don't waste time
reconfiguring the bridge, DNS, or `lxd init`.
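The detect-and-fix logic described above, written out as an added example so the three pieces (check the `FORWARD` policy, find the managed LXD bridges, emit idempotent `DOCKER-USER` rules) can be read and tested in isolation. This is not the skill's own `scripts/fix-lxd-docker-forward.sh`; it assumes `lxc network list --format csv` prints columns `NAME,TYPE,MANAGED,IPV4,IPV6,DESCRIPTION,USED BY,STATE` and that `iptables -S FORWARD` shows the policy as `-P FORWARD DROP`. The sample outputs at the bottom are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own script. Assumptions (see lead-in):
#   - `lxc network list --format csv` columns: NAME,TYPE,MANAGED,IPV4,IPV6,DESCRIPTION,USED BY,STATE
#   - `iptables -S FORWARD` prints the chain policy as "-P FORWARD DROP"
set -eu

# Does the FORWARD chain policy, as printed by `iptables -S FORWARD`, say DROP?
# The ruleset text is passed in as $1 so the check runs without root or iptables.
forward_policy_is_drop() {
  printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$'
}

# Names of LXD-managed bridges from `lxc network list --format csv` text ($1).
# Only the first three columns are read, so a comma in DESCRIPTION is harmless.
managed_bridges() {
  printf '%s\n' "$1" | awk -F, '$2 == "bridge" && $3 == "YES" { print $1 }'
}

# Print the idempotent iptables commands for one bridge: `-C` tests whether the
# rule already exists, `-I` inserts it at the top of DOCKER-USER only if not.
# FORWARD jumps to DOCKER-USER before any of Docker's own rules, so these ACCEPTs
# are evaluated before the packet can fall through to the DROP policy.
lxd_docker_user_rules() {
  br="$1"
  printf '%s\n' \
    "iptables -C DOCKER-USER -i $br -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -i $br -j ACCEPT" \
    "iptables -C DOCKER-USER -o $br -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -o $br -j ACCEPT"
}

# Constructed sample output (not from a real host) so the functions can be
# exercised offline. A Docker host with one managed LXD bridge.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j ACCEPT'
SAMPLE_NETWORKS='lxdbr0,bridge,YES,10.10.10.1/24,fd42:1::1/64,,2,CREATED
docker0,bridge,NO,,,,0,
eth0,physical,NO,,,,0,'

# Live run only when APPLY=1 (needs root, iptables and lxc); the default is a
# dry run that prints what would be executed for the sample data.
if [ "${APPLY:-0}" = "1" ]; then
  if forward_policy_is_drop "$(iptables -S FORWARD)"; then
    for br in $(managed_bridges "$(lxc network list --format csv)"); do
      lxd_docker_user_rules "$br" | while IFS= read -r cmd; do sh -c "$cmd"; done
    done
  fi
else
  if forward_policy_is_drop "$SAMPLE_FORWARD"; then
    for br in $(managed_bridges "$SAMPLE_NETWORKS"); do
      lxd_docker_user_rules "$br"
    done
  fi
fi
```

Run it as-is for a dry run against the embedded sample; `APPLY=1 sudo bash fix.sh` applies the rules to the live host. Persistence across reboots and Docker restarts (Docker recreates `DOCKER-USER` when it starts) still needs a systemd unit or equivalent, as the quick-start script provides.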
## Quick start
```bash
# Detects managed LXD bridges, adds DOCKER-USER ACCEPT rules, and installs a
# systemd unit so they survive reboots + docker restarts. Idempotent; re-runnable.
bash scripts/fix-lxd-docker-forward.sh
```
## Symptoms
- Inside an LXD container, `apt update` / `apt-get` / `curl` **times out** on IPv4 (`connection timed out`,
`Failed to fetch`) and/or instantly says `Network is unreachable` on IPv6.
- The **exact same request works on the host.**
- A `packer-lxd` image build errors in its first shell provisioner at `apt update` → `Failed to fetch ...
Could not connect ... connection timed out`.
- It began right after **Docker was installed** on the LXD host (or after a Docker upgrade re-applied