OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Using NAT for container with private IPs

2009-01-07T00:17:09Z

TiGRETON:

Usually you supply public IP addresses to your containers. Sometimes you don't want to do it (lack of IPs, etc.). This article describes how to use private IP addresses for containers.

== Prerequisites ==

=== IP forwarding ===
IP forwarding should be turned on, on the hardware node in order for container networking to work. Make sure it is turned on:

$ cat /proc/sys/net/ipv4/ip_forward
1

Output should be '1'. If it is '0', enable IP forwarding as it is described in [[Quick installation#sysctl]].

NOTE: '''Ubuntu''' made some changes to the syntax for NAT. See this link if you are needing to enable NAT on an Ubuntu host :

[https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad]

The syntax of /etc/sysctl.conf has changed to :

<pre>net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1</pre>

=== IP conntracks ===
IP connection tracking should be enabled for CT0.

'''For OpenVZ kernels 2.6.8''', put the following line into /etc/modprobe.conf:

modprobe ip_conntrack ip_conntrack_enable_ve0=1

and reboot.

'''For OpenVZ kernels later than 2.6.8''', connection tracking for CT0 is enabled by default. '''However''', make sure there is '''no''' line like

options ip_conntrack ip_conntrack_disable_ve0=1

in /etc/modules.conf or /etc/modprobe.conf. If there is such line, comment it out (or remove) and reboot.

== How to provide access for container to Internet ==

To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
</pre>

where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. The format of src_net is xx.xx.xx.xx/xx. For example to specify IP addresses from 192.168.2.12 through 192.168.2.25 use:
<pre>
# iptables -t nat -A POSTROUTING -s 192.168.2.12/25 -o eth0 -j SNAT --to ip_address
</pre>

Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>.

To make all IP addresses to be translated by SNAT (not only the ones of [[container]]s with private addresses), you should type the following string:
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>

If you are using an iptables firewall (for example the default RedHat/CentOS firewall), don't forget to allow outgoing connections from your containers. For example if you are using the subnet 172.16.150.0/24 for your VMs, you should do the following:
<pre>
# /sbin/iptables -A RH-Firewall-1-INPUT -s 172.16.149.0/24 -j ACCEPT
# /sbin/iptables-save > /etc/sysconfig/iptables
# /sbin/service iptables restart
</pre>

{{Note|If the above is not working then check if one of the following solutions does the trick.}}
1. If you are using stable (currently 2.6.8-based) kernel, then to enable SNAT for the containers on your local network you need to explicitly enable connection tracking in [[CT0]]. Make sure that the following string is present in the <tt>/etc/modprobe.conf</tt> file:
<pre>
options ip_conntrack ip_conntrack_enable_ve0=1
</pre>

{{Note|in kernels later than 2.6.8, connection tracking is enabled by default}}

In case it is not, add this string to the file by means of any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for [[CT0]] is enabled by default in those kernels.

2. For unknown reasons the above didn't work on a Debian host. The solution is to do it in an init.d script as follows:
<pre>
modprobe ip_conntrack ip_conntrack_enable_ve0=1
</pre>
Make sure that this module is loaded before any of the other iptables-modules are loaded! Also remember that if this module is loaded without the option, unloading and reloading doesn't work! You need to reboot the computer.

{{Note|in kernels later than 2.6.8, connection tracking is enabled by default}}

{{Note| you may need to modify the /etc/vz/vz.conf file to include:}}
<pre>
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"
</pre>

== How to provide access from Internet to a container ==

In addition, to make some services in container with private IP address be accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the [[Hardware Node]]. To perform a simple DNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \
-i eth0 -j DNAT --to-destination ve_address:dst_port_num
</pre>

where <tt>ve_address</tt> is an IP address of the container, <tt>dst_port_num</tt> is a tcp port which requires service use, <tt>ip_address</tt> is the external (public) IP address of your [[Hardware Node]], and <tt>port_num</tt> is a tcp port of [[Hardware Node]], which will be used for Internet connections to private container service. Note that this setup makes the service which is using <tt>port_num</tt> on the [[Hardware Node]] be unaccessible from the Internet. Also note that SNAT translation is required too.

For example, if you need a web server in a container to be accessible from outside and, at the same time, keep a web server on the [[Hardware Node]] be accessible, use the following config:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
-i eth0 -j DNAT --to-destination ve_address:80
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
</pre>

After applying this, you'll see container' web server at <code><nowiki>http://ip_address:8080/</nowiki></code>.

{{Note|this rule will only work for external clients, i.e. connections originating from a different host — so you can not test if it works locally.}}

{{Note|If you get any errors relating to:
<code>iptables: No chain/target/match by that name</code>
double check to see if you have all the iptables/netfilter modules loaded properly. I had to <code> modprobe xt_tcpudp </code> before getting it to work.}}

The <tt>iptables</tt> utility allows to set up more complex rules for Network Address Translation, involving various protocols and ports. If you wish to get more information on this, consult the numerous Internet sites (e.g. [http://www.netfilter.org netfilter.org]) and tutorials devoted to this issue.

== External Links ==
* [http://www.netfilter.org netfilter.org]
* [[w:Private network]]

[[Category: HOWTO]]
[[Category: Networking]]

User:TiGRETON

2008-12-29T19:19:02Z

TiGRETON:

[[Image:K_pingu.jpg|Iván|top]]Hi, my name is Iván and I'm a prospective user and system administrator of OpenVZ. Thanks for stopping by :)

User:TiGRETON

2008-12-29T19:18:41Z

TiGRETON: New page: topHi, my name is Iván and I'm a prospective user and system administrator of OpenVZ.

[[Image:K_pingu.jpg|Iván|top]]Hi, my name is Iván and I'm a prospective user and system administrator of OpenVZ.

File:K pingu.jpg

2008-12-29T19:14:28Z

TiGRETON:

Hosting providers

2008-12-29T19:11:05Z

TiGRETON: Removed iguanahosting.com from Spain category as it's located in Venezuela

OpenVZ makes for a great hosting platform for VPS hosting. The providers below offer VPS services using OpenVZ.

== Austria ==

* [https://www.vboxes.net/ vboxes] vboxes offers generous OpenVZ containers hosted on a very fast network with fast setup. Ubuntu, Debian, CentOS.

== Canada ==

* [http://www.vistapages.com/vps Vistapages VPS] - IBM & Dell Hardware. MCI/Verizon Backbone. Distros: Centos, Fedora, Debian & more. Full management available. Located in Toronto.
* [http://vpsville.ca/ VPSVille] - Good network. Good CPU. Good choice of distros: Centos, Fedora, Debian, Ubuntu, Slackware, Gentoo, OpenSUSE, CERN. My favorite OpenVZ provider. [mailto:jak@isp2dial.com John Kelly]
* [http://compevo.com compevo Clustered VPS Server Hosting Provider] - We offer clustered VPS Servers to avoid downtime and dataloss. Our network and service is second to none and is used by businesses around the world.

== Iran==

* [http://www.cheapvps.ir Cheap Vps] - XEON Cpus , 8 gig Ram , western H.d.d. , Intel RAID and Multi data center network.

== Lithuania ==

* [http://www.serveriai.lt/ Serveriai.lt] - Affordable OpenVZ containers on quality HP hardware. Wide choice of virtual dedicated servers up to 8 CPU cores and 8 GB RAM. Full management available. Located in Vilnius.

== Malaysia ==

* [http://www.bakka.us/ Bakka Hosting] - OpenVZ VPS based in Malaysia. Ubuntu, Debian, Fedora, CentOS is available. Quad Core Xeon node. DirectAdmin also available.

== Netherlands ==

* [http://www.signet.nl/ Signet VPS Hosting] - Signet delivers VPS hosting plans based on CentOS or Debian templates, including control-panel Virtualmin.
* [http://www.touchvps.com/ TouchVPS] is a company who offer Support and Managed Services for OpenVZ Servers ,also offer templates for openvz ready to go with cPanel , DirectAdmin , Plesk , Games, IRC Services, Desktop and many more.
* [http://www.voipcomplete.com/product-overview/dedicated-vps.html VOIPcomplete] offers dedicated VPS plans based on CentOS including a VPS management interface.

== Portugal ==

* [http://www.efeito.net/ Weblevel.pt] - OpenVZ virtual servers based in Portugal.

== Singapore ==

* [http://conceptlane.com/IT.php?section=plans_vps ConceptLane Pte Ltd] - OpenVZ VPS on Ubuntu Hardy 8.04 LTS host, on dual dual-core AMD Opterons.

== South Africa ==

* [http://www.SoftDux.co.za/ SoftDux] - OpenVZ virtual servers based America & South Africa. All VPS's come with cPanel or Plesk control panels. XEN VPS's also available.

== UK ==

* [http://www.vt6.co.uk/ VT6 Internet] - Affordable OpenVZ virtual servers based in the UK and USA. Choice of control panels and management options.
* [http://www.weycrest.co.uk/vps-hosting.php Weycrest VPS] - Low Cost, Stable OpenVZ and Parallels' Virtuozzo Virtual Private Server solutions. London UK Hosted at Coreix with a choice of operating systems, and root and control panel options.
* [http://blueroomhosting.com/plans.pxl Blue Room Hosting] - OpenVZ containers hosted at the Bluesquare data centre in Maidenhead, UK
* [http://sysadminman.net/uk-voip-vps.html Trixbox, Elastix and Asterisk VPS in the UK] - OpenVZ based Asterisk VOIP servers based in the UK

== Ukraine ==

* [http://www.gelihost.com/ Geliar Hosting Solutions] - Fast virtual dedicated servers based on OpenVZ. Geliar Hosting Solutions offering many control panels and other useful services.

== USA ==
* [http://www.a2hosting.com/services/vps-hosting/ A2 Hosting] offers affordable, developer friendly OpenVZ VPS Hosting. Experience the A2 Hosting Difference.
* [http://www.bittraffic.com/?cmd=vps BitTraffic] High Quality Hosting Solutions! Affordable, stable, reliable OpenVZ VPS Solutions!
* [http://www.tigerservers.com/ TigerServers] - Provides affordable managed VPS based on OpenVZ. Servers located in Chicago, Illinois.
* [http://www.silverrack.com/ SilverRack VPS Hosting] - SilverRack provides affordable VPS hosting using the OpenVZ platform.
* [http://www.buyavps.com/ BuyAVPS] - BuyAVPS provides stable yet affordable VPS hosting with a great support staff.
* [http://vpslink.com VPSLink.com] provides virtual private server hosting on the OpenVZ platform.
* [http://glesys.se GleSYS] is a hosting company specialized in serverhosting. Also offering VPS hosting mainly based on OpenVZ. GleSYS has provided access to server and Cisco hardware for developers from OpenVZ to find problem with VLAN implementation.
* [http://lylix.net LYLIX] offers affordable VPS hosting with a choice of eight different Linux distributions, dedicated VPS hosting, and specializes in Asterisk/VOIP based hosting including Trixbox, AsteriskNow, Elastix, and PBX-in-a-Flash. Popular choice for unmanaged IP-PBX services; entire infrastructure built on a High-availability (HA) network across three regional NOCs.
* [http://www.servergrove.com ServerGrove] uses OpenVZ as the main virtualization platform for its state of the art VPS hosting services.
* [http://www.tektonic.net TekTonic] provides VPS hosting services using both Virtuozzo and OpenVZ technology.
* [http://www.micfo.com Micfo.com] offers VPS hosting services for both Linux VPS hosting and Window VPS hosting on affordable price combined with world-class 24x7x365 support.
* [http://www.alticon.net Alticon] has provided OpenVZ based VPS/VE hosting for over 2½ years. Many clients use OpenVZ based VEs as a cost effective solution for hosting highly secured, customized versions of ZenCart & WordPress. Other clients use OpenVZ for DNS mirroring, messages board hosting, and general use.
* [http://www.hostingrails.com Hosting Rails] offers Rails-targeted OpenVZ VPS Hosting and updated Rails-ready OS images.
* [http://www.byethost.com Byethost.com] offers OpenVZ based VPS Hosting as its main VPS solution, with the hypervm panel. Centos, Debian, Fedora, OpenSuse and Ubuntu Containers are available.

== Venezuela ==

* [http://www.iguanahosting.com Iguanahosting.com] The Iguanahosting OpenVZ based VEs also called "SDV"(Servidor Dedicado Virtual in Spanish). Running on Full Quality Nodes of up to 8 CPU and 8 GB RAM. XEN VPS's also will be available cooming soon. All VPS's come with cPanel, Fantastico and RVSkin and a Real 24/7/365 Technical Support.

== See also ==

* [[Partners]]
* [[Download mirrors]]
* [[VPS vs Dedicated]]