Editing Using NAT for container with private IPs
Latest revision | Your text | ||
Line 6: | Line 6: | ||
=== IP conntracks === | === IP conntracks === | ||
− | |||
'''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like | '''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like | ||
Line 13: | Line 12: | ||
options nf_conntrack ip_conntrack_disable_ve0=1 | options nf_conntrack ip_conntrack_disable_ve0=1 | ||
− | in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/ | + | in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/parallels.conf</code>). '''If there is such a line, please''' |
#change <code>=1</code> to <code>=0</code> | #change <code>=1</code> to <code>=0</code> | ||
#reboot the node. | #reboot the node. | ||
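Review bot: The instruction "make sure there is NO line like ... =1" and step 1 "change =1 to =0" are not quite the same remedy; since the text says conntrack for CT0 is enabled by default on these kernels, removing the line is equivalent to setting =0, so step 1 could read "remove the line, or change <code>=1</code> to <code>=0</code>". The new text also completes the file name the latest revision cuts off (<code>/etc/modprobe.d/parallels.conf</code>), but because any file under <code>/etc/modprobe.d/</code> can carry the option, it would help to add the check the reader is expected to run, e.g. <code>grep -r ip_conntrack_disable_ve0 /etc/modprobe.d/ /etc/modprobe.conf /etc/modules.conf</code>, before the reboot step.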
Line 30: | Line 29: | ||
[https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | [https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad] | ||
− | The syntax of /etc/sysctl.conf has changed to: | + | The syntax of /etc/sysctl.conf has changed to : |
<pre>net.ipv4.conf.default.forwarding=1 | <pre>net.ipv4.conf.default.forwarding=1 | ||
net.ipv4.conf.all.forwarding=1</pre> | net.ipv4.conf.all.forwarding=1</pre> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== How to create the container and attach network properties to it == | == How to create the container and attach network properties to it == | ||
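Review bot: "changed to :" introduces a space before the colon; keep the original "changed to:". The blank-line cleanup is fine. Since <code>net.ipv4.conf.all.forwarding=1</code> turns the node into a router for every interface, a sentence noting that the FORWARD chain should limit what is forwarded (the Firewall section below only shows an INPUT rule) would make the security implication of this setting explicit.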
Line 84: | Line 74: | ||
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
− | + | To save new iptables rules: | |
− | |||
− | |||
# service iptables save | # service iptables save | ||
− | |||
=== Firewall === | === Firewall === | ||
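Review bot: The MASQUERADE rule rewrites everything leaving eth0, not just container traffic; restricting it to the container subnet the Firewall section uses, <code># iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE</code>, keeps the NAT scope to what this page configures. The added "To save new iptables rules:" lead-in is helpful; it is worth adding that <code>-A</code> appends, so running the commands twice before <code>service iptables save</code> persists duplicate rules, and that <code>iptables -t nat -L POSTROUTING -n</code> shows the table before it is written to <code>/etc/sysconfig/iptables</code>.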
Line 101: | Line 88: | ||
# iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT | # iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT | ||
+ | # iptables-save > /etc/sysconfig/iptables | ||
+ | # service iptables restart | ||
=== Test === | === Test === | ||
− | Now you should be able to reach internet from your container: | + | Now you should be able to reach internet from your container (for Virtuozzo 6 only): |
− | # | + | # vzctl exec $CTID ping openvz.org |
− | |||
== How to provide access from Internet to a container == | == How to provide access from Internet to a container == |
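Review bot: The rule <code>iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT</code> is appended, and on nodes where that chain ends with the default REJECT rule an appended ACCEPT never matches; the hunk now persists it with <code>iptables-save &gt; /etc/sysconfig/iptables</code>, so suggest <code>-I</code> instead of <code>-A</code> and a verification step such as <code>iptables -L RH-Firewall-1-INPUT -n --line-numbers</code>. The new save lines also duplicate the <code>service iptables save</code> step given in the NAT hunk above; one persistence method used consistently is clearer. The qualifier "(for Virtuozzo 6 only)" looks misplaced: <code>vzctl exec $CTID &lt;command&gt;</code> is the standard vzctl way to run a command inside an OpenVZ container, so either drop the qualifier or say what differs on OpenVZ. Finally, <code>ping openvz.org</code> also depends on name resolution inside the container, so a failed test should be checked with an IP address before blaming the NAT rules.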