OpenVZ Virtuozzo Containers Wiki β

Changes

Talk:Using NAT for container with private IPs

4,501 bytes added, 17:26, 18 August 2012
Note for private-IP NAT (FR)
There is a mention of "ip_conntrack_enable_ve0" here. I know the new OpenVZ kernels (later than 2.6.15) are using "ip_conntrack_disable_ve0" instead and having it on by default. This document should probably be updated to state whatever necessary instructions differences for those new kernel versions. I'd do it, but I'm not confident in my precise knowledge of the issue. Thanks! [[User:Dusty|Dusty]] 21:38, 12 November 2006 (EST)

== ip_conntrack_disable_ve0=1 ==

I was stumbling a lot with the configuration where allowing access to a service from outside, because I assumed that after adding the iptables DNAT rule, I could test the rule from the hardware node. The rule only works for packets sent from outside. I added some text about it now, but maybe someone could rephrase it more nicely.

----

<pre>
For OpenVZ kernels (>= 2.6.18) connection tracking for VE0 is enabled by default. However, make sure there is no line like
options ip_conntrack ip_conntrack_disable_ve0=1
</pre>

It seems to me that here must be =0 ??? Or not? [[User:Shaplov|Shaplov]] 10:27, 23 June 2007 (EDT)
: See, it tells there should be '''no''' line that '''disables''' conntrack. --[[User:Kir|Kir]] 14:09, 8 April 2009 (UTC)

== How to supply public IPs? ==

"Usually you supply public IP addresses to your containers"? How? [[User:Guaka|Guaka]] 14:03, 8 April 2009 (UTC)
: Well, by running the <code>vzctl set $CTID --ipadd a.b.c.d --save</code> command (where a.b.c.d is a public IP address) --[[User:Kir|Kir]] 14:06, 8 April 2009 (UTC)

== For nuts like me on CentOs6 ==

After several hours I found my minimal config with: gateway 192.168.1.1, host (centos6) 192.168.1.101 and containers 192.168.2.1/23

Probably it's not clean, but it works:

Clean the host iptables with system-config-firewall-tui, where you enable the firewall and click on OK:

 # system-config-firewall-tui

You now have in /etc/sysconfig/iptables:
<pre>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

After enabling ip forwarding in the file "/etc/sysctl.conf":

 net.ipv4.ip_forward = 1

You can test:

 vzctl start 3
 vzctl enter 3
 ping 192.168.1.101 => OK
 ping 192.168.1.1 => Destination Host Prohibited

So after you execute the lines:

 iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.101
 iptables -A FORWARD -s 192.168.2.1/24 -j ACCEPT
 iptables -A FORWARD -d 192.168.2.1/24 -j ACCEPT
 service iptables save

You now have the file /etc/sysconfig/iptables:
<pre>
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>

If you test again it's wrong:

 vzctl enter 3
 ping 192.168.1.1 => Destination Host Prohibited

Move the lines with icmp-host-prohibited to the end of the file:
<pre>
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*nat
:PREROUTING ACCEPT [10:683]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [30:1720]
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
# Generated by iptables-save v1.4.7 on Fri Jul 20 14:31:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [400:53438]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.0/23 -j ACCEPT
-A FORWARD -d 192.168.2.0/23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 20 14:31:56 2012
</pre>

After restarting the service:

 service iptables restart

If you test again it's ok:

 vzctl enter 3
 ping 192.168.1.1 => ok

Config after, /etc/resolv.conf:

 # Generated by NetworkManager
 domain home
 search home
 nameserver 192.168.1.1

Enjoy !

== Note for private-IP NAT (FR) ==

cyrille, on 18/08/2012

After some moments of struggle with the line:

 $iptables -t nat -A POSTROUTING -s $the_private_network -o eth0 -j SNAT --to $the_public_ip

In fact you have to put the interface vmbr0 instead of eth0.

 $iptables -t nat -A POSTROUTING -s $the_private_network -o vmbr0 -j SNAT --to $the_public_ip

And even better, do not specify an interface at all:

 $iptables -t nat -A POSTROUTING -s $the_private_network -j SNAT --to $the_public_ip
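The two pitfalls in the posts above (the CentOS6 post, where FORWARD ACCEPT rules appended below the catch-all REJECT never matched until the REJECT lines were moved to the end, and the FR note, whose SNAT rule is limited by a `-s` source match) can be caught before `service iptables restart` by linting the saved dump. The following is an added example, not code from the wiki page or from OpenVZ; the rulesets inside it are constructed samples modelled on the post's /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the wiki page. Lints an iptables-save dump for:
#  (1) filter/FORWARD ACCEPT rules that sit below the catch-all
#      "-A FORWARD -j REJECT" (they are shadowed and never match);
#  (2) a nat/POSTROUTING SNAT rule with no "-s" source match, which rewrites
#      every outgoing flow instead of only the container network.
# Reads the dump on stdin, prints one line per finding, exits 1 if any.
lint_iptables_save() {
  awk '
    /^\*/     { table = substr($0, 2); next }      # "*filter" or "*nat"
    /^COMMIT/ { table = ""; next }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
      if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/) catchall = 1
      else if (catchall && $0 ~ /-j ACCEPT/) { print "shadowed: " $0; bad = 1 }
    }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
      $0 ~ /-j SNAT/ && $0 !~ / -s / { print "unrestricted SNAT: " $0; bad = 1 }
    END { exit bad + 0 }
  '
}

# Constructed sample: the "wrong" state from the post (ACCEPT appended after
# the REJECT, SNAT without a source match). Chain counters omitted.
BROKEN_RULES='*nat
-A POSTROUTING -j SNAT --to-source 192.168.1.101
COMMIT
*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
COMMIT'

# Constructed sample: REJECT moved last, SNAT limited to the container net.
FIXED_RULES='*nat
-A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.101
COMMIT
*filter
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Returns 0 when the ruleset is clean, 1 when findings were printed.
lint_ruleset() { printf '%s\n' "$1" | lint_iptables_save; }

lint_ruleset "$BROKEN_RULES" || echo "broken ruleset: 3 findings above"
lint_ruleset "$FIXED_RULES" && echo "fixed ruleset: clean"
```

To check a live host, pipe `iptables-save` (or the saved /etc/sysconfig/iptables) into `lint_iptables_save` instead of the embedded samples.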
Anonymous user