Using NAT for container with private IPs

2006-07-03T13:04:14Z

M o d: change second -p to --dport

== How to provide access for VE to Internet ==

To enable the [[VE]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
</pre>

where <tt>src_net</tt> is a range of IP addresses of VEs to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>.

{{Note|If you are using stable (currently 2.6.8-based) kernel, then to enable SNAT for the VEs on your local network you need to explicitly enable connection tracking in [[VE0]].}}
Make sure that the following string is present in the <tt>/etc/modules.conf</tt> file:
<pre>
options ip_conntrack ip_conntrack_enable_ve0=1
</pre>

In case it is not, add this string to the file by means of any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for [[VE0]] is enabled by default in those kernels.

To make all IP addresses to be translated by SNAT (not only the ones of [[VE]]s with private addresses), you should type the following string:
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>

== How to provide access from Internet to a VE ==

In addition, to make some services in VE with private IP address be accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the [[Hardware Node]]. To perform a simple DNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --port port_num \
-i eth0 -j DNAT --to-destination ve_address:dst_port_num
</pre>

where <tt>ve_address</tt> is an IP address of the VE, <tt>dst_port_num</tt> is a tcp port which requires service use, <tt>ip_address</tt> is the external (public) IP address of your [[Hardware Node]], and <tt>port_num</tt> is a tcp port of [[Hardware Node]], which will be used for Internet connections to private VE service. Note that this setup makes the service which is using <tt>port_num</tt> on the [[Hardware Node]] be unaccessible from the Internet. Also note that SNAT translation is required too.

For example, if you need a web server in a VE to be accessible from outside and, at the same time, keep a web server on the [[Hardware Node]] be accessible, use the following config:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
-i eth0 -j DNAT --to-destination ve_address:80
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
</pre>

After applying this, you'll see VE' web server at <nowiki>http://ip_address:8080/</nowiki>.

The <tt>iptables</tt> utility allows to set up more complex rules for Network Address Translation, involving various protocols and ports. If you wish to get more information on this, consult the numerous Internet sites (e.g. [http://www.netfilter.org netfilter.org]) and tutorials devoted to this issue.

== External Links ==
* [http://www.netfilter.org netfilter.org]

[[Category: HOWTO]]
[[Category: Networking]]

OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Using NAT for container with private IPs