Editing Using NAT for container with private IPs
Latest revision | Your text | ||
Line 6: | Line 6: | ||
=== IP conntracks === | === IP conntracks === | ||
− | |||
'''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like | '''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like | ||
Line 13: | Line 12: | ||
options nf_conntrack ip_conntrack_disable_ve0=1 | options nf_conntrack ip_conntrack_disable_ve0=1 | ||
− | in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/ | + | in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/parallels.conf</code>). '''If there is such a line, please''' |
#change <code>=1</code> to <code>=0</code> | #change <code>=1</code> to <code>=0</code> | ||
#reboot the node. | #reboot the node. | ||
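Review bot: the two numbered steps after "If there is such a line, please" only cover rewriting the value, but the paragraph itself states that CT0 connection tracking is enabled by default on 2.6.9+ kernels, so simply deleting the `options nf_conntrack ip_conntrack_disable_ve0=1` line is equivalent to changing `=1` to `=0`; saying so would spare readers who find the line in a distribution-supplied file from wondering which edit is intended. Step 2 could also say why a reboot is needed (the option is read when the module loads), so nobody expects a running node to pick it up.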
Line 30: | Line 29: | ||
[https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | [https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | ||
− | The syntax of /etc/sysctl.conf has changed to: | + | The syntax of /etc/sysctl.conf has changed to : |
<pre>net.ipv4.conf.default.forwarding=1 | <pre>net.ipv4.conf.default.forwarding=1 | ||
net.ipv4.conf.all.forwarding=1</pre> | net.ipv4.conf.all.forwarding=1</pre> | ||
− | + | == How to provide access for container to Internet == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == How to | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]: | |
− | |||
− | To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. | ||
− | |||
− | To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]: | ||
<pre> | <pre> | ||
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address | # iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address | ||
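Review bot: the right-hand text turns "changed to:" into "changed to :", inserting a space before the colon; keep the original punctuation. Merging the two SNAT paragraphs under the new "How to provide access for container to Internet" heading reads fine, but since the command `iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address` is now the first thing a reader reaches in that section, the placeholders `src_net` (the containers' private range) and `ip_address` (the node's address on `eth0` that sources are rewritten to) should be spelled out right next to it if the lines that follow do not already do so.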
Line 80: | Line 53: | ||
</pre> | </pre> | ||
− | Or you can | + | Or you can use: |
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
− | + | To save new iptables rules: | |
− | |||
− | |||
# service iptables save | # service iptables save | ||
− | |||
=== Firewall === | === Firewall === | ||
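Review bot: the MASQUERADE alternative `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` has no `-s src_net` match, unlike the SNAT rule it is offered as a substitute for, so it rewrites every packet forwarded out `eth0` rather than only traffic from the containers' private range; add `-s src_net` so the two variants stay equivalent and nothing outside that range is NATed by accident. The new "To save new iptables rules:" step uses `service iptables save`, while the Firewall section below persists rules with `iptables-save > /etc/sysconfig/iptables` followed by `service iptables restart`; pick one persistence method and use it in both places so readers are not told to do both.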
Line 101: | Line 71: | ||
# iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT | # iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT | ||
+ | # iptables-save > /etc/sysconfig/iptables | ||
+ | # service iptables restart | ||
+ | |||
+ | === Nameserver === | ||
+ | |||
+ | Make sure in-CT nameserver is set. The easiest way to do it is: | ||
+ | |||
+ | # vzctl set $CTID --nameserver inherit | ||
=== Test === | === Test === | ||
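Review bot: `iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT` appends to the end of the chain, and the stock Red Hat `RH-Firewall-1-INPUT` chain ends with a catch-all REJECT, so on an unmodified node the appended ACCEPT is never reached; `-I RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT` (insert at the top) is the form that actually takes effect. In the new Nameserver section, `# vzctl set $CTID --nameserver inherit` sits outside a `<pre>` block, so the leading `#` renders as a numbered-list item rather than a shell prompt; wrap it in `<pre>` as the SNAT command above is.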
Line 106: | Line 84: | ||
Now you should be able to reach internet from your container: | Now you should be able to reach internet from your container: | ||
− | # | + | # vzctl exec $CTID ping openvz.org |
− | |||
== How to provide access from Internet to a container == | == How to provide access from Internet to a container == |
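Review bot: the test command `vzctl exec $CTID ping openvz.org` runs `ping` without a count, so under `vzctl exec` it does not return until it is interrupted; `ping -c 3 openvz.org` gives a bounded check. Because it resolves a hostname, this test exercises the Nameserver step just added as well as NAT, so a failure could be either DNS or routing; noting that pinging a bare IP address isolates the NAT path would make the test more useful.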