== ip_conntrack_disable_ve0=1 ==

I was stumbling a lot with the configuration when allowing access to a service from outside, because I assumed that after adding the iptables DNAT rule, I could test the rule from the hardware node. The rule only works for packets sent from outside.
[[User:Shaplov|Shaplov]] 10:27, 23 June 2007 (EDT)

: See, it tells there should be '''no''' line that '''disables''' conntrack. --[[User:Kir|Kir]] 14:09, 8 April 2009 (UTC)

== How to supply public IPs? ==

"Usually you supply public IP addresses to your containers"? How? [[User:Guaka|Guaka]] 14:03, 8 April 2009 (UTC)
: Well, by running <code>vzctl set $CTID --ipadd a.b.c.d --save</code> command (where a.b.c.d is a public IP address) --[[User:Kir|Kir]] 14:06, 8 April 2009 (UTC)

== For nuts like me on CentOS 6 ==

After several hours I found my minimal config: gateway 192.168.1.1, host (CentOS 6) 192.168.1.101 and containers 192.168.2.1/23.

Probably it's not clean, but it works:

Clean the iptables on the host with system-config-firewall-tui, where you enable the firewall and click OK:
<pre># system-config-firewall-tui</pre>

You now have in /etc/sysconfig/iptables:
<pre># Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

Then enable IP forwarding in the file "/etc/sysctl.conf":
<pre>net.ipv4.ip_forward = 1</pre>

You can test:
<pre>vzctl start 3
vzctl enter 3
ping 192.168.1.101 => OK
ping 192.168.1.1 => Destination Host Prohibited</pre>

Then execute these lines:
<pre>iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.101
iptables -A FORWARD -s 192.168.2.1/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.1/24 -j ACCEPT
service iptables save</pre>

You now have the file /etc/sysconfig/iptables:
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>

If you test again, it's still wrong:
<pre>vzctl enter 3
ping 192.168.1.1 => Destination Host Prohibited</pre>

Move the lines with icmp-host-prohibited to the end of the file:
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.0/23 -j ACCEPT
-A FORWARD -d 192.168.2.0/23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>

Then restart the service:
<pre>service iptables restart</pre>

If you test again, it's OK:
<pre>vzctl enter 3
ping 192.168.1.1 => ok</pre>

Configure /etc/resolv.conf afterwards:
<pre># Generated by NetworkManager
domain home
search home
nameserver 192.168.1.1</pre>

Enjoy!

== Note on NAT for private IPs (FR) ==

(cyrille, 18/08/2012)

After a few painful moments with the line:
<pre>$iptables -t nat -A POSTROUTING -s $the_private_network -o eth0 -j SNAT --to $the_public_ip</pre>
In fact you have to use the interface vmbr0 instead of eth0.
<pre>$iptables -t nat -A POSTROUTING -s $the_private_network -o vmbr0 -j SNAT --to $the_public_ip</pre>
And even better, don't specify an interface at all:
<pre>$iptables -t nat -A POSTROUTING -s $the_private_network -j SNAT --to $the_public_ip</pre>
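Two things go wrong in the posts above: in the CentOS 6 post the FORWARD ACCEPT rules are appended after the catch-all REJECT, so they are never evaluated until the file is reordered, and in the French note the SNAT rule is best written with the private source network and no output interface. The POSIX shell script below is an added example, not code from this wiki page or from the OpenVZ project. It generates an iptables-restore ruleset with the SNAT limited to the container network and the FORWARD ACCEPT rules placed before the REJECT, and it checks an iptables-save dump for FORWARD rules shadowed by an earlier unconditional REJECT or DROP. The addresses 192.168.2.0/24 and 192.168.1.101 are taken from the CentOS 6 post; the function names, the variable names and the constructed dump are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenVZ). Generates a NAT ruleset for
# containers on a private network and checks an iptables-save dump for the
# ordering mistake described in the CentOS 6 post: ACCEPT rules appended after
# the catch-all REJECT in FORWARD never match.
# Values below are assumptions taken from the post, not a real host.

PRIVATE_NET="${PRIVATE_NET:-192.168.2.0/24}"
PUBLIC_IP="${PUBLIC_IP:-192.168.1.101}"

# Print an iptables-restore ruleset on stdout.
# The SNAT is limited to the private network and uses no -o interface (as in
# the French note); FORWARD ACCEPT rules come before the REJECT so they are
# actually evaluated.
build_nat_rules() {
    net="$1"; pub="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -j SNAT --to-source $pub
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s $net -j ACCEPT
-A FORWARD -d $net -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print every FORWARD rule that
# follows an unconditional "-A FORWARD -j REJECT|DROP" (a shadowed rule).
# Exit status 0 when the chain order is sane, 1 when shadowed rules exist.
check_forward_order() {
    awk '
        $1 == "-A" && $2 == "FORWARD" {
            if (blocked) { print "shadowed: " $0; bad = 1 }
            # a rule whose first option is the target is unconditional
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed dump reproducing the broken file from the post (not captured
# from a real host): REJECT first, ACCEPT rules appended after it.
BAD_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT'

echo "== order from the post, before moving the REJECT =="
printf '%s\n' "$BAD_DUMP" | check_forward_order \
    || echo "-> fix: move the REJECT after the ACCEPT rules (or use iptables -I)"

echo "== generated ruleset =="
build_nat_rules "$PRIVATE_NET" "$PUBLIC_IP" | check_forward_order && echo "-> order OK"
```

To apply the generated ruleset on a host, pipe `build_nat_rules` into `iptables-restore`; to audit an existing host, pipe `iptables-save` into `check_forward_order`. The check only flags rules behind a REJECT or DROP that carries no match at all, which is exactly the catch-all that system-config-firewall writes.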