Difference between revisions of "Talk:Using NAT for container with private IPs"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
 
(Note pour NAT d'IP privée (FR))
 
(9 intermediate revisions by 6 users not shown)
Line 1: Line 1:
There is a mention of "ip_conntrack_enable_ve0" here. I know the new kernels (>= 2.6.15) are using "ip_conntrack_disable_ve0" instead and having it connnection tracking enabled by default. This document should probably be updated to state whatever necessary instructions differences for those new kernel versions. I'd do it, but I'm not confident in my precise knowledge of the issueThanks! --[[User:Dusty|Dusty]] 21:38, 12 November 2006 (EST)
+
== ip_conntrack_disable_ve0=1 ==
 +
I was stumbling a lot with the configuration where allowing access to a service from outside, because I assumed that after adding the iptables DNAT rule, I could test the rule from the hardware node. The rule only works for packets send from outside.
 +
 
 +
I added some text about it now, but maybe someone could rephrase it more nicely.
 +
----
 +
 
 +
<pre>For OpenVZ kernels later than 2.6.8, connection tracking  
 +
for VE0 is enabled by default. However, make sure there is no line like
 +
 
 +
options ip_conntrack ip_conntrack_disable_ve0=1
 +
</pre>
 +
 
 +
It seems to me that here must be =0 ??? Or not?
 +
 
 +
[[User:Shaplov|Shaplov]] 10:27, 23 June 2007 (EDT)
 +
 
 +
: See, it tells there should be '''no''' line that '''disables''' conntrack. --[[User:Kir|Kir]] 14:09, 8 April 2009 (UTC)
 +
 
 +
== How to supply public IPs? ==
 +
 
 +
"Usually you supply public IP addresses to your containers"? How? [[User:Guaka|Guaka]] 14:03, 8 April 2009 (UTC)
 +
: Well, by running <code>vzctl set $CTID --ipadd a.b.c.d --save</code> command (where a.b.c.d is a public IP address) --[[User:Kir|Kir]] 14:06, 8 April 2009 (UTC)
 +
 
 +
== For nuts like me on CentOs6 ==
 +
After several hours I found my config minimal with : gateway 192.168.1.1, host(centos6) 192.168.1.101 and containers 192.168.2.1/23
 +
Probably, it's not clean but it works :
 +
 
 +
Clean in the host the iptables with system-config-firewall-tui where you enable firewall and click on OK :
 +
# system-config-firewall-tui
 +
 
 +
You have now in /etc/sysconfig/iptables :
 +
<pre># Firewall configuration written by system-config-firewall
 +
# Manual customization of this file is not recommended.
 +
*filter
 +
:INPUT ACCEPT [0:0]
 +
:FORWARD ACCEPT [0:0]
 +
:OUTPUT ACCEPT [0:0]
 +
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
-A INPUT -p icmp -j ACCEPT
 +
-A INPUT -i lo -j ACCEPT
 +
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 +
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 +
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 +
COMMIT
 +
</pre>
 +
 
 +
After enable ip foward in the file "/etc/sysctl.conf" :
 +
net.ipv4.ip_forward = 1
 +
 
 +
You can test :
 +
vzctl start 3
 +
vzctl enter 3
 +
ping 192.168.1.101 => OK
 +
ping 192.168.1.1 => Destination Host Prohibited
 +
 
 +
So after you execute the lines :
 +
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.101
 +
iptables -A FORWARD -s 192.168.2.1/24 -j ACCEPT
 +
iptables -A FORWARD -d 192.168.2.1/24 -j ACCEPT
 +
service iptables save
 +
 
 +
You have now the file /etc/sysconfig/iptables :
 +
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
 +
*nat
 +
:PREROUTING ACCEPT [10:683]
 +
:POSTROUTING ACCEPT [0:0]
 +
:OUTPUT ACCEPT [30:1720]
 +
-A POSTROUTING -j SNAT --to-source 192.168.1.101
 +
COMMIT
 +
# Completed on Fri Jul 20 14:31:56 2012
 +
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
 +
*filter
 +
:INPUT ACCEPT [0:0]
 +
:FORWARD ACCEPT [0:0]
 +
:OUTPUT ACCEPT [400:53438]
 +
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
-A INPUT -p icmp -j ACCEPT
 +
-A INPUT -i lo -j ACCEPT
 +
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 +
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 +
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 +
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
 +
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
 +
COMMIT
 +
# Completed on Fri Jul 20 14:31:56 2012
 +
</pre>
 +
 
 +
If you test again it's wrong :
 +
  vzctl enter 3
 +
  ping 192.168.1.1 => Destination Host Prohibited
 +
 
 +
Move the lines with icmp-host-prohibited at the end of file :
 +
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
 +
*nat
 +
:PREROUTING ACCEPT [10:683]
 +
:POSTROUTING ACCEPT [0:0]
 +
:OUTPUT ACCEPT [30:1720]
 +
-A POSTROUTING -j SNAT --to-source 192.168.1.101
 +
COMMIT
 +
# Completed on Fri Jul 20 14:31:56 2012
 +
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
 +
*filter
 +
:INPUT ACCEPT [0:0]
 +
:FORWARD ACCEPT [0:0]
 +
:OUTPUT ACCEPT [400:53438]
 +
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
-A INPUT -p icmp -j ACCEPT
 +
-A INPUT -i lo -j ACCEPT
 +
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 +
-A FORWARD -s 192.168.2.0/23 -j ACCEPT
 +
-A FORWARD -d 192.168.2.0/23 -j ACCEPT
 +
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 +
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 +
COMMIT
 +
# Completed on Fri Jul 20 14:31:56 2012
 +
</pre>
 +
 
 +
After restart service :
 +
service iptables restart
 +
 
 +
If you test again it's ok :
 +
vzctl enter 3
 +
ping 192.168.1.1 => ok
 +
 
 +
Config after /etc/resolv.conf :
 +
# Generated by NetworkManager
 +
domain home
 +
search home
 +
nameserver 192.168.1.1
 +
 
 +
Enjoy !
 +
 
 +
== Note pour NAT d'IP privée (FR) ==
 +
 
 +
(cyrille le 18/08/2012)
 +
 
 +
Après quelques moments de galères avec la ligne:
 +
  $iptables -t nat -A POSTROUTING -s $the_private_network -o eth0 -j SNAT --to $the_public_ip
 +
En fait il faut mettre l'interface vmbr0 au lieu de eth0.
 +
  $iptables -t nat -A POSTROUTING -s $the_private_network -o vmbr0 -j SNAT --to $the_public_ip
 +
Et encore mieux, ne pas mettre d'interface:
 +
  $iptables -t nat -A POSTROUTING -s $the_private_network -j SNAT --to $the_public_ip

Latest revision as of 17:26, 18 August 2012

ip_conntrack_disable_ve0=1[edit]

I was stumbling a lot with the configuration where allowing access to a service from outside, because I assumed that after adding the iptables DNAT rule, I could test the rule from the hardware node. The rule only works for packets send from outside.

I added some text about it now, but maybe someone could rephrase it more nicely.


For OpenVZ kernels later than 2.6.8, connection tracking 
for VE0 is enabled by default. However, make sure there is no line like 

options ip_conntrack ip_conntrack_disable_ve0=1

It seems to me that here must be =0 ??? Or not?

Shaplov 10:27, 23 June 2007 (EDT)

See, it tells there should be no line that disables conntrack. --Kir 14:09, 8 April 2009 (UTC)

How to supply public IPs?[edit]

"Usually you supply public IP addresses to your containers"? How? Guaka 14:03, 8 April 2009 (UTC)

Well, by running vzctl set $CTID --ipadd a.b.c.d --save command (where a.b.c.d is a public IP address) --Kir 14:06, 8 April 2009 (UTC)

For nuts like me on CentOs6[edit]

After several hours I found my config minimal with : gateway 192.168.1.1, host(centos6) 192.168.1.101 and containers 192.168.2.1/23 Probably, it's not clean but it works :

Clean in the host the iptables with system-config-firewall-tui where you enable firewall and click on OK :

# system-config-firewall-tui

You have now in /etc/sysconfig/iptables :

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After enable ip foward in the file "/etc/sysctl.conf" :

net.ipv4.ip_forward = 1

You can test :

vzctl start 3 
vzctl enter 3
ping 192.168.1.101 => OK
ping 192.168.1.1 => Destination Host Prohibited

So after you execute the lines :

iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.101
iptables -A FORWARD -s 192.168.2.1/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.1/24 -j ACCEPT
service iptables save

You have now the file /etc/sysconfig/iptables :

# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT
# Completed on Fri Jul 20 14:31:56 2012

If you test again it's wrong :

vzctl enter 3
ping 192.168.1.1 => Destination Host Prohibited

Move the lines with icmp-host-prohibited at the end of file :

# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.0/23 -j ACCEPT
-A FORWARD -d 192.168.2.0/23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 20 14:31:56 2012

After restart service :

service iptables restart

If you test again it's ok :

vzctl enter 3
ping 192.168.1.1 => ok

Config after /etc/resolv.conf :

# Generated by NetworkManager
domain home
search home
nameserver 192.168.1.1

Enjoy !

Note pour NAT d'IP privée (FR)[edit]

(cyrille le 18/08/2012)

Après quelques moments de galères avec la ligne:

 $iptables -t nat -A POSTROUTING -s $the_private_network -o eth0 -j SNAT --to $the_public_ip

En fait il faut mettre l'interface vmbr0 au lieu de eth0.

 $iptables -t nat -A POSTROUTING -s $the_private_network -o vmbr0 -j SNAT --to $the_public_ip

Et encore mieux, ne pas mettre d'interface:

 $iptables -t nat -A POSTROUTING -s $the_private_network -j SNAT --to $the_public_ip