Difference between revisions of "Using NAT for container with private IPs"
(moved ip_conntract module options to →Prerequisites) |
|||
Line 3: | Line 3: | ||
== Prerequisites == | == Prerequisites == | ||
− | + | === IP forwarding === | |
− | + | IP forwarding should be turned on on hardware node in order for VE networking to work. Make sure it is turned on: | |
− | + | ||
− | options ip_conntrack ip_conntrack_disable_ve0=1 | + | $ cat /proc/sys/net/ipv4/ip_forward |
− | + | 1 | |
− | If there is such | + | |
+ | Output should be '1'. If it is '0', enable IP forwarding as it is described in [[Quick installation#sysctl]]. | ||
+ | |||
+ | === IP conntracks === | ||
+ | IP connection tracking should be enabled for VE0. | ||
+ | |||
+ | '''For OpenVZ kernels 2.6.8''', put the following line into /etc/modprobe.conf: | ||
+ | |||
+ | modprobe ip_conntrack ip_conntrack_enable_ve0=1 | ||
+ | |||
+ | and reboot. | ||
+ | |||
+ | '''For OpenVZ kernels later than 2.6.8''', connection tracking for VE0 is enabled by default. '''However''', make sure there is '''no''' line like | ||
+ | |||
+ | options ip_conntrack ip_conntrack_disable_ve0=1 | ||
+ | |||
+ | in /etc/modules.conf or /etc/modprobe.conf. If there is such line, comment it out (or remove) and reboot. | ||
== How to provide access for VE to Internet == | == How to provide access for VE to Internet == |
Revision as of 22:50, 18 March 2007
Usually you supply public IP addresses to your VEs. Sometimes you don't want to do it (lack of IPs, etc.). This article describes how to use private IP addresses for VEs.
Contents
Prerequisites
IP forwarding
IP forwarding should be turned on on hardware node in order for VE networking to work. Make sure it is turned on:
$ cat /proc/sys/net/ipv4/ip_forward 1
Output should be '1'. If it is '0', enable IP forwarding as it is described in Quick installation#sysctl.
IP conntracks
IP connection tracking should be enabled for VE0.
For OpenVZ kernels 2.6.8, put the following line into /etc/modprobe.conf:
modprobe ip_conntrack ip_conntrack_enable_ve0=1
and reboot.
For OpenVZ kernels later than 2.6.8, connection tracking for VE0 is enabled by default. However, make sure there is no line like
options ip_conntrack ip_conntrack_disable_ve0=1
in /etc/modules.conf or /etc/modprobe.conf. If there is such line, comment it out (or remove) and reboot.
How to provide access for VE to Internet
To enable the VEs, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the Hardware Node. This is ensured by the standard Linux iptables utility. To perform a simple SNAT setup, execute the following command on the Hardware Node:
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
where src_net is a range of IP addresses of VEs to be translated by SNAT, and ip_address is the external IP address of your Hardware Node. Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the Node, you may need to specify a different interface for outgoing connections, e.g. -o eth2.
To make all IP addresses to be translated by SNAT (not only the ones of VEs with private addresses), you should type the following string:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
Note: If the above is not working then check if one of the following solutions does the trick. |
1. If you are using stable (currently 2.6.8-based) kernel, then to enable SNAT for the VEs on your local network you need to explicitly enable connection tracking in VE0. Make sure that the following string is present in the /etc/modprobe.conf file:
options ip_conntrack ip_conntrack_enable_ve0=1
Note: in kernels later than 2.6.8, connection tracking is enabled by default |
In case it is not, add this string to the file by means of any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for VE0 is enabled by default in those kernels.
2. For unknown reasons the above didn't work on a Debian host. The solution is to do it in an init.d script as follows:
modprobe ip_conntrack ip_conntrack_enable_ve0=1
Make sure that this module is loaded before any of the other iptables-modules are loaded! Also remember that if this module is loaded without the option, unloading and reloading doesn't work! You need to reboot the computer.
Note: in kernels later than 2.6.8, connection tracking is enabled by default |
How to provide access from Internet to a VE
In addition, to make some services in VE with private IP address be accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the Hardware Node. To perform a simple DNAT setup, execute the following command on the Hardware Node:
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \ -i eth0 -j DNAT --to-destination ve_address:dst_port_num
where ve_address is an IP address of the VE, dst_port_num is a tcp port which requires service use, ip_address is the external (public) IP address of your Hardware Node, and port_num is a tcp port of Hardware Node, which will be used for Internet connections to private VE service. Note that this setup makes the service which is using port_num on the Hardware Node be unaccessible from the Internet. Also note that SNAT translation is required too.
For example, if you need a web server in a VE to be accessible from outside and, at the same time, keep a web server on the Hardware Node be accessible, use the following config:
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \ -i eth0 -j DNAT --to-destination ve_address:80 # iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
After applying this, you'll see VE' web server at http://ip_address:8080/
.
The iptables utility allows to set up more complex rules for Network Address Translation, involving various protocols and ports. If you wish to get more information on this, consult the numerous Internet sites (e.g. netfilter.org) and tutorials devoted to this issue.