Open main menu

OpenVZ Virtuozzo Containers Wiki β

Changes

Using NAT for container with private IPs

66 bytes added, 09:52, 17 August 2016
no edit summary
=== IP conntracks ===
 
'''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like
options nf_conntrack ip_conntrack_disable_ve0=1
in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/parallelsvz.conf</code>). '''If there is such a line, please'''
#change <code>=1</code> to <code>=0</code>
#Reboot reboot the node.
=== IP forwarding ===
[https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad]
The syntax of /etc/sysctl.conf has changed to :
<pre>net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1</pre>
=== How to use Enable iptables instead of firewalld in OpenVZ7 OpenVZ 7/Virtuozzo 7=== If you use OpenVZ 7/Virtuozzo 7 and want to manage iptables through iptables-services you must disable firewalld and enable iptables:
firewalld was introduced with CentOS 7 to manage iptables. If you prefer classic iptables management please follow these steps.
First, stop and mask the firewalld service:
# systemctl stop firewalld
# systemctl mask firewalld
Then, install the iptables-services package:
# yum install iptables-services
Enable # systemctl enable iptables  == How to create the service at boot-timecontainer and attach network properties to it == Create the container:  # systemctl enable iptablesprlctl create 100700 --vmtype ct Managing Attach the serviceinternal IP address and DNS server:  # prlctl set 100700 --ipadd 192.168.0.101/24 # systemctl [stop|start|restart] iptablesprlctl set 100700 --nameserver 8.8.8.8 Saving your firewall rules can be done as followsStart the container:  # service iptables saveprlctl start 100700 == How to provide access for container to the Internet ==
== How To enable the [[container]]s, which have only internal IP addresses, to provide access for container to the Internet ==, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility.
To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>
 
Or you can just use:
 
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
=== Save new iptables rules ===
 
Do not forget to save your new iptables rules
 
# service iptables save
# service iptables restart
=== Firewall ===
# iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
# service iptables restart
 
 
=== Nameserver ===
 
Make sure in-CT nameserver is set. The easiest way to do it is:
 
# vzctl set $CTID --nameserver inherit
=== Test ===
Now you should be able to reach internet from your container:
# vzctl exec $CTID prlctl enter 100700 # ping openvz.org
== How to provide access from Internet to a container ==
Anonymous user
Retrieved from "https://wiki.openvz.org/Special:MobileDiff/17609...20923"