
OpenVZ Virtuozzo Containers Wiki β


Talk:Using NAT for container with private IPs

3,361 bytes added, 12:46, 20 July 2012
"Usually you supply public IP addresses to your containers"? How? [[User:Guaka|Guaka]] 14:03, 8 April 2009 (UTC)
: Well, by running the <code>vzctl set $CTID --ipadd a.b.c.d --save</code> command (where a.b.c.d is a public IP address) --[[User:Kir|Kir]] 14:06, 8 April 2009 (UTC)
 
== For nuts like me on CentOS 6 ==
After several hours I found my minimal config: gateway 192.168.1.1, host (CentOS 6) 192.168.1.101 and containers 192.168.2.1/23.
Probably it's not clean, but it works:
 
Clean the iptables rules on the host with system-config-firewall-tui, where you enable the firewall and click OK:
# system-config-firewall-tui
 
You now have in /etc/sysconfig/iptables:
<pre># Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>
 
Then enable IP forwarding in the file "/etc/sysctl.conf":
net.ipv4.ip_forward = 1
 
You can test:
vzctl start 3
vzctl enter 3
ping 192.168.1.101 => OK
ping 192.168.1.1 => Destination Host Prohibited
 
So then you execute the lines:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.101
iptables -A FORWARD -s 192.168.2.1/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.1/24 -j ACCEPT
service iptables save
 
You now have the file /etc/sysconfig/iptables:
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>
 
If you test again, it's wrong:
vzctl enter 3
ping 192.168.1.1 => Destination Host Prohibited
 
Move the lines with icmp-host-prohibited to the end of the file:
<pre># Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.0/23 -j ACCEPT
-A FORWARD -d 192.168.2.0/23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>
 
Then restart the service:
service iptables restart
 
If you test again, it's OK:
vzctl enter 3
ping 192.168.1.1 => ok
 
Then the /etc/resolv.conf config:
# Generated by NetworkManager
domain home
search home
nameserver 192.168.1.1
 
Enjoy!
Anonymous user
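Two helpers, added here as an example and not part of the post above: a check that spots FORWARD ACCEPT rules appended below the CentOS default catch-all REJECT (the ordering problem the post hit after <code>iptables -A FORWARD ...</code>), and a generator that prints the same rules scoped to the container subnet and uplink interface instead of SNATing every packet. The function names, the <code>eth0</code> uplink and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki post: detect the ordering mistake the post
# ran into, where `iptables -A FORWARD ...` appends ACCEPT rules *below* the
# CentOS default "-A FORWARD -j REJECT", so they never match. Works on an
# iptables-save style dump (e.g. /etc/sysconfig/iptables).

# Print every FORWARD ACCEPT rule in the *filter table that sits after an
# unconditional REJECT/DROP in the same chain. Exit status 1 if any were found.
shadowed_forward_accepts() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # *nat / *filter header
        /^COMMIT/ { table = ""; blocked = 0; next }
        table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
        # no match options before -j: an unconditional terminating rule
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1; next }
        blocked && /-j ACCEPT/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Print the commands the post needs, but scoped and order-safe: SNAT only the
# container subnet on the uplink interface instead of every packet, and use
# -I so the accepts land above any pre-existing catch-all REJECT.
# Usage: container_nat_rules CT_SUBNET HOST_IP UPLINK_IF  (assumed arguments)
container_nat_rules() {
    ct_net=$1 host_ip=$2 wan_if=$3
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$ct_net" "$wan_if" "$host_ip"
    printf 'iptables -I FORWARD 1 -s %s -o %s -j ACCEPT\n' "$ct_net" "$wan_if"
    printf 'iptables -I FORWARD 2 -d %s -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$ct_net" "$wan_if"
}

# Constructed sample: the broken *filter ordering from the post's second dump.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT
EOF

shadowed_forward_accepts "$SAMPLE_DUMP" || echo "shadowed rules found, fix the order"
container_nat_rules 192.168.2.0/23 192.168.1.101 eth0
```

Run the check against the saved rules file after every <code>service iptables save</code>; an exit status of 1 means a FORWARD accept is being masked by the reject above it.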