Editing Using NAT for container with private IPs
Latest revision | Your text | ||
Line 2: | Line 2: | ||
== Prerequisites == | == Prerequisites == | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== IP forwarding === | === IP forwarding === | ||
− | + | IP forwarding should be turned on on hardware node in order for container networking to work. Make sure it is turned on: | |
− | |||
$ cat /proc/sys/net/ipv4/ip_forward | $ cat /proc/sys/net/ipv4/ip_forward | ||
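Review bot: the new sentence on the right, "IP forwarding should be turned on on hardware node in order for container networking to work. Make sure it is turned on:", is awkward; suggest "IP forwarding must be enabled on the [[Hardware Node]] for container networking to work. Check that it is enabled:", which also keeps the [[Hardware Node]] link used in the rest of the page. It would also help to say that reading /proc/sys/net/ipv4/ip_forward only reports the running value; the persistent setting is the net.ipv4.conf.*.forwarding entry in /etc/sysctl.conf shown a few lines further down, and a node that forwards is acting as a router for every interface, so the SNAT rules added later in this page are the place where the forwarded traffic is actually constrained.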
Line 30: | Line 15: | ||
[https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | [https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | ||
− | The syntax of /etc/sysctl.conf has changed to: | + | The syntax of /etc/sysctl.conf has changed to : |
<pre>net.ipv4.conf.default.forwarding=1 | <pre>net.ipv4.conf.default.forwarding=1 | ||
net.ipv4.conf.all.forwarding=1</pre> | net.ipv4.conf.all.forwarding=1</pre> | ||
− | === | + | === IP conntracks === |
+ | IP connection tracking should be enabled for CT0. | ||
− | + | '''For OpenVZ kernels 2.6.8''', put the following line into /etc/modprobe.conf: | |
− | + | modprobe ip_conntrack ip_conntrack_enable_ve0=1 | |
− | |||
− | |||
− | |||
− | + | and reboot. | |
− | + | '''For OpenVZ kernels later than 2.6.8''', connection tracking for CT0 is enabled by default. '''However''', make sure there is '''no''' line like | |
− | + | options ip_conntrack ip_conntrack_disable_ve0=1 | |
− | |||
− | |||
− | + | in /etc/modules.conf or /etc/modprobe.conf. If there is such line, comment it out (or remove) and reboot. | |
− | |||
− | + | == How to provide access for container to Internet == | |
− | + | To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]: | |
− | |||
− | |||
− | |||
− | To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. | ||
− | |||
− | To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]: | ||
<pre> | <pre> | ||
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address | # iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address | ||
</pre> | </pre> | ||
− | where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. | + | where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>. |
− | |||
− | |||
− | |||
− | |||
− | Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>. | ||
To make all IP addresses to be translated by SNAT (not only the ones of [[container]]s with private addresses), you should type the following string: | To make all IP addresses to be translated by SNAT (not only the ones of [[container]]s with private addresses), you should type the following string: | ||
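Review bot: the line "modprobe ip_conntrack ip_conntrack_enable_ve0=1" under the new "=== IP conntracks ===" heading is a shell command, but the sentence says to put it into /etc/modprobe.conf, which takes "options" directives, not commands. Use the form already used on the right for the disabling case, "options ip_conntrack ip_conntrack_enable_ve0=1" (the same form appears in the troubleshooting list later on the page), otherwise the module loads without the parameter and, as the page itself warns, only a reboot fixes that. Smaller points: "changed to :" on the right introduces a stray space before the colon that the left side did not have, and "If there is such line" should read "If there is such a line".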
Line 80: | Line 49: | ||
</pre> | </pre> | ||
− | + | {{Note|If the above is not working then check if one of the following solutions does the trick.}} | |
+ | 1. If you are using stable (currently 2.6.8-based) kernel, then to enable SNAT for the containers on your local network you need to explicitly enable connection tracking in [[CT0]]. Make sure that the following string is present in the <tt>/etc/modprobe.conf</tt> file: | ||
+ | <pre> | ||
+ | options ip_conntrack ip_conntrack_enable_ve0=1 | ||
+ | </pre> | ||
− | + | {{Note|in kernels later than 2.6.8, connection tracking is enabled by default}} | |
− | + | In case it is not, add this string to the file by means of any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for [[CT0]] is enabled by default in those kernels. | |
− | + | 2. For unknown reasons the above didn't work on a Debian host. The solution is to do it in an init.d script as follows: | |
− | + | <pre> | |
− | + | modprobe ip_conntrack ip_conntrack_enable_ve0=1 | |
− | + | </pre> | |
+ | Make sure that this module is loaded before any of the other iptables-modules are loaded! Also remember that if this module is loaded without the option, unloading and reloading doesn't work! You need to reboot the computer. | ||
− | + | {{Note|in kernels later than 2.6.8, connection tracking is enabled by default}} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== How to provide access from Internet to a container == | == How to provide access from Internet to a container == | ||
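Review bot: the template {{Note|in kernels later than 2.6.8, connection tracking is enabled by default}} now appears twice on the right, once after item 1 and again after item 2; keep one, and since item 1 already ends with "This setting is not needed for kernels more recent than 2.6.8 ...", the note after item 1 is redundant with its own sentence. The troubleshooting items 1 and 2 also repeat the new "=== IP conntracks ===" section added earlier in this edit (same option, same reboot caveat); a short pointer to that section would avoid two places that can drift apart, in particular the "modprobe" versus "options" spelling of the same setting.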
Line 125: | Line 83: | ||
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address | # iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address | ||
</pre> | </pre> | ||
− | |||
− | |||
After applying this, you'll see container' web server at <code><nowiki>http://ip_address:8080/</nowiki></code>. | After applying this, you'll see container' web server at <code><nowiki>http://ip_address:8080/</nowiki></code>. |
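Review bot: "you'll see container' web server" has a misplaced apostrophe; suggest "you'll see the container's web server". The hunk otherwise only removes blank lines; the SNAT rule for ve_address above is unchanged, so no functional review needed here.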