Changes

Using NAT for container with private IPs

1,759 bytes removed, 20:56, 17 December 2013
How to provide access for container to Internet: removed old crap, added nameserver setup, simplified
</pre>
where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. The format of src_net is xx.xx.xx.xx/xx ([[w:CIDR|CIDR notation]]). For example to specify IP addresses from 192.168.2.1 through 192.168.2.127 use:
<pre>
# iptables -t nat -A POSTROUTING -s 192.168.2.0/25 24 -o eth0 -j SNAT --to ip_address
</pre>
</pre>
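Review bot: the SNAT example's mask changes from /25 to /24 in this hunk, but the unchanged sentence above it still says the rule covers 192.168.2.1 through 192.168.2.127, which is exactly the /25 range; with /24 the rule also translates 192.168.2.128 through 192.168.2.254. Either keep "-s 192.168.2.0/25" or update the prose to match /24 (for example "192.168.2.1 through 192.168.2.254"), so the example and its explanation describe the same set of addresses.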
{{Note|For a Debian O.S v4 or v5 Hardware Node, you may need to allow a forward rule. The table still being the default table (filter) but the chain is FORWARD :=== Firewall ===
<pre># /sbin/iptables -A FORWARD -s 172.16.150For Debian hardware node, you may need to allow a forward rule.0/24 -j ACCEPT# /sbin/iptables -A The table still being the default table (filter) but the chain is FORWARD -d 172.16.150.0/24 -j ACCEPT</pre>}}:
# iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
# iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
If you are using an iptables firewall (for example the For default RedHat/CentOS firewall), don't forget to allow outgoing connections from your containers. For , for example if you are using the subnet 172.16.150.0/24 for your VMs, you should do the following:<pre># /sbin/iptables -A RH-Firewall-1-INPUT -s 172.16.150.0/24 -j ACCEPT# /sbin/iptables-save > /etc/sysconfig/iptables# /sbin/service iptables restart</pre> 
{{Note|If the above is not working then check if one of the following solutions does the trick # iptables -A RH-Firewall-1-INPUT -s 192.}}1168. If you are using stable (currently 2.6.80/24 -j ACCEPT # iptables-based) kernel, then to enable SNAT for the containers on your local network you need to explicitly enable connection tracking in [[CT0]]. Make sure that the following string is present in the <ttsave >/etc/modprobe.conf<sysconfig/tt> file:<pre>iptablesoptions ip_conntrack ip_conntrack_enable_ve0=1</pre> # service iptables restart
{{Note|in kernels later than 2.6.8, connection tracking is enabled by default}}
In case it is not, add this string to the file by means of any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for [[CT0]] is enabled by default in those kernels.=== Nameserver ===
2. For unknown reasons the above didn't work on a Debian hostMake sure in-CT nameserver is set. The solution is easiest way to do it in an init.d script as followsis:<pre>modprobe ip_conntrack ip_conntrack_enable_ve0=1</pre>Make sure that this module is loaded before any of the other iptables-modules are loaded! Also remember that if this module is loaded without the option, unloading and reloading doesn't work! You need to reboot the computer.
{{Note|in kernels later than 2.6.8, connection tracking is enabled by default}} # vzctl set $CTID --nameserver inherit
{{Note| you may need to modify the /etc/vz/vz.conf file to include:}} <pre>IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"</pre>== Test ===
Now you should be able to reach internet from yours [[your container]]:
<pre> # vzctl exec <container ID> $CTID ping www.openvz.org</pre>
== How to provide access from Internet to a container ==
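Review bot: in the new Firewall section the "# iptables -A FORWARD ..." and "# iptables -A RH-Firewall-1-INPUT ..." lines stand outside any <pre>, so MediaWiki renders a leading "#" as a numbered list item rather than a root prompt; wrap them in <pre> as the SNAT example above does. The rule "iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT" also accepts any forwarded traffic from the outside toward the container subnet, not just replies to the containers' own connections; if the intent is only to let outbound connections return, "iptables -A FORWARD -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT" is the tighter form and still satisfies the Test section. Dropping the modprobe.conf and vz.conf paragraphs matches the edit summary: the removed text itself said the ip_conntrack_enable_ve0 setting is only needed on 2.6.8-era kernels.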
