Difference between revisions of "Using NAT for container with private IPs"

From OpenVZ Virtuozzo Containers Wiki
m (Fixed a link in How to provide access from Internet to VPS)

Revision as of 09:48, 6 June 2006

How to provide access for VE to Internet

To let VEs that have only internal (private) IP addresses reach the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) must be configured on the Hardware Node. This is done with the standard Linux iptables utility. For a simple SNAT setup, execute the following command on the Hardware Node:

# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address

where src_net is the range of VPS IP addresses to be translated by SNAT, and ip_address is the external IP address of your Hardware Node. Multiple rules are allowed, for example if you wish to specify several ranges of IP addresses. If the Node has several physical network interfaces, you may need to specify a different outgoing interface, e.g. -o eth2.

Note: If you are using the stable (currently 2.6.8-based) kernel, then to enable SNAT for the VPSs on your local network you need to explicitly enable connection tracking in VE0.

Make sure that the following line is present in the /etc/modules.conf file:

options ip_conntrack ip_conntrack_enable_ve0=1

If it is not, add this line to the file with any text editor (for example, vi). This setting is not needed for kernels more recent than 2.6.8, since connection tracking for VE0 is enabled by default in those kernels.

To have all IP addresses translated by SNAT (not only those of VEs with private addresses), use the following rule instead:

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address

How to provide access from Internet to VPS

In addition, to make services in a VPS with an internal IP address accessible from the Internet, DNAT (Destination Network Address Translation) must be configured on the Hardware Node. For a simple DNAT setup, execute the following command on the Hardware Node:

# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num -i eth0 -j DNAT --to-destination vps_address:dst_port_num

where vps_address is the IP address of the VPS, dst_port_num is the TCP port the required service listens on inside the VPS, ip_address is the external IP address of your Hardware Node, and port_num is the TCP port on the Hardware Node that will be used for Internet connections to the private VPS service. Note that this setup makes any service that uses port_num on the Hardware Node itself unreachable from the Internet. Also note that the SNAT rule is required as well.

For example, if you need a web server in a VPS to be accessible from outside while keeping the web server on the Hardware Node accessible too, use the following configuration:

# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 -i eth0 -j DNAT --to-destination vps_address:80
# iptables -t nat -A POSTROUTING -s vps_address -o eth0 -j SNAT --to ip_address

After applying this, you'll see VPS' web server at http://ip_address:8080/.
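The following script is an added example, not part of the OpenVZ wiki page or the project's own tooling. It wraps the SNAT recipe from "How to provide access for VE to Internet" and the DNAT recipe from "How to provide access from Internet to VPS" in small shell functions, defaults to a dry run that only prints the iptables commands so the rule set can be reviewed before it is applied on a live Hardware Node, and checks whether a service on the Node already listens on the port that DNAT will capture (the page notes that such a service becomes unreachable from the Internet). All addresses, interface names and the file name are constructed placeholders.

```shell
#!/bin/sh
# Added example for the OpenVZ NAT how-to; not code from the wiki page.
# Every address and interface below is a constructed placeholder.
#
# NAT_DRY_RUN=1 (the default) prints the iptables commands instead of running
# them, so the rule set can be reviewed before it is applied as root.

NAT_DRY_RUN="${NAT_DRY_RUN:-1}"

# run_rule: execute one iptables invocation, or print it in dry-run mode.
run_rule() {
    if [ "$NAT_DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# snat_rule SRC_NET EXT_IF EXT_IP
# Translate outbound traffic from the private VE range to the Node's external
# address (the "access for VE to Internet" case on the page).
snat_rule() {
    run_rule -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to "$3"
}

# dnat_rule EXT_IF EXT_IP PORT VE_IP VE_PORT
# Forward one TCP port on the Node to a service inside a VE (the "access from
# Internet to VPS" case). The tcp match option for the port is --dport.
dnat_rule() {
    run_rule -t nat -A PREROUTING -p tcp -d "$2" --dport "$3" -i "$1" \
        -j DNAT --to-destination "$4:$5"
}

# publish_ve_service SRC_NET EXT_IF EXT_IP PORT VE_IP VE_PORT
# The complete recipe from the page: the DNAT rule for the published port plus
# the SNAT rule that the page says is required as well.
publish_ve_service() {
    dnat_rule "$2" "$3" "$4" "$5" "$6"
    snat_rule "$1" "$2" "$3"
}

# check_conflict PORT
# Warn when a service on the Node itself already listens on the TCP port that
# DNAT will capture, because that service will no longer be reachable from the
# Internet. Returns 1 if a listener is found, 0 otherwise (or if ss is absent).
check_conflict() {
    command -v ss >/dev/null 2>&1 || return 0
    if ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"; then
        echo "warning: a local service already listens on TCP port $1" >&2
        return 1
    fi
    return 0
}

# Example invocation with constructed values: VE range 10.0.0.0/24 behind
# 203.0.113.10 on eth0, publishing VE 10.0.0.5's web server on Node port 8080.
main() {
    check_conflict 8080 || true
    publish_ve_service 10.0.0.0/24 eth0 203.0.113.10 8080 10.0.0.5 80
}

# Run the example unless the caller only wants the functions sourced.
if [ "${NAT_RUN_EXAMPLE:-1}" = "1" ]; then
    main
fi
```

Run it as is to see the two rules printed; set NAT_DRY_RUN=0 and run as root on the Hardware Node to apply them. Keeping the SNAT source restricted to the VE range, rather than the blanket POSTROUTING rule the page also shows, limits translation to the addresses that actually need it.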

The iptables utility allows you to set up more complex Network Address Translation rules involving various protocols and ports. For more information, consult the numerous Internet sites (e.g. www.netfilter.org) and tutorials devoted to this topic.