OpenVZ Virtuozzo Containers Wiki β

Changes

Using NAT for container with private IPs

3,560 bytes added, 09:52, 17 August 2016
no edit summary
Usually you supply public IP addresses to your containers. Sometimes you don't want to do it (lack of IPs, etc.). This article describes how to use private IP addresses for containers.
== Prerequisites ==
Make sure that the prerequisites below are met, otherwise it won't work for you!

=== IP conntracks ===
'''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like
<pre>
options ip_conntrack ip_conntrack_disable_ve0=1
</pre>
or
<pre>
options nf_conntrack ip_conntrack_disable_ve0=1
</pre>
in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/vz.conf</code>). '''If there is such a line, please'''
# change <code>=1</code> to <code>=0</code>
# reboot the node.

=== IP forwarding ===
'''IP forwarding should be turned on''' on the hardware node in order for container networking to work. Make sure it is turned on:
<pre>
$ cat /proc/sys/net/ipv4/ip_forward
1
</pre>
Output should be '1'. If it is '0', enable IP forwarding as described in [[Quick installation#sysctl]].

NOTE: '''Ubuntu''' made some changes to the syntax for NAT. See this link if you need to enable NAT on an Ubuntu host: [https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad]. The syntax of /etc/sysctl.conf has changed to:
<pre>
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
</pre>

=== Enable iptables in OpenVZ 7/Virtuozzo 7 ===
If you use OpenVZ 7/Virtuozzo 7 and want to manage iptables through iptables-services, you must disable firewalld and enable iptables:
<pre>
# systemctl stop firewalld
# systemctl mask firewalld
# yum install iptables-services
# systemctl enable iptables
</pre>

== How to create the container and attach network properties to it ==
Create the container:
<pre>
# prlctl create 100700 --vmtype ct
</pre>
Attach the internal IP address and DNS server:
<pre>
# prlctl set 100700 --ipadd 192.168.0.101/24
# prlctl set 100700 --nameserver 8.8.8.8
</pre>
Start the container:
<pre>
# prlctl start 100700
</pre>

== How to provide access for container to the Internet ==
To enable [[container]]s which have only internal IP addresses to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is done with the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
</pre>
where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. The format of <tt>src_net</tt> is xx.xx.xx.xx/xx ([[w:CIDR|CIDR notation]]). For example:
<pre>
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to ip_address
</pre>
Multiple rules are allowed, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>.
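The following POSIX shell script is an added example (not part of this wiki page or of the OpenVZ/Virtuozzo tools): it checks the two prerequisites above (no <code>ip_conntrack_disable_ve0=1</code> line in the modprobe configuration, and <code>ip_forward</code> set to 1) and prints one POSTROUTING SNAT rule per container subnet, refusing anything that is not in CIDR form. The interface, public address and file contents used in the demo are placeholders; the rules are printed rather than applied, so you can review them before piping them into <code>sh</code>.

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki. Checks the SNAT prerequisites
# described above and generates the POSTROUTING rules for a list of subnets.

# Return 0 if none of the given modprobe config files disable CT0 connection
# tracking. Missing files are skipped, so globs may expand to nothing useful.
conntrack_enabled_for_ct0() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*options[[:space:]]+(ip|nf)_conntrack[[:space:]].*ip_conntrack_disable_ve0=1' "$f"; then
            echo "CT0 connection tracking is disabled in $f" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the sysctl file given as $1 (normally
# /proc/sys/net/ipv4/ip_forward) contains the value 1.
ip_forwarding_on() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# Run both checks against the real system paths named in the article.
check_prereqs() {
    conntrack_enabled_for_ct0 /etc/modules.conf /etc/modprobe.conf /etc/modprobe.d/*.conf \
        && ip_forwarding_on /proc/sys/net/ipv4/ip_forward
}

# Print one SNAT rule per subnet: snat_rules <iface> <public_ip> <cidr>...
# Each subnet must be a.b.c.d/n; anything else aborts with status 1 so that a
# typo such as "192.168.2.0" (no prefix length) does not become a host-only rule.
snat_rules() {
    iface="$1"; pub_ip="$2"; shift 2
    for net in "$@"; do
        if ! printf '%s\n' "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            echo "not in CIDR form a.b.c.d/n: $net" >&2
            return 1
        fi
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to %s\n' \
            "$net" "$iface" "$pub_ip"
    done
}

# Demo only when asked for, so sourcing the file has no side effects:
#   sh snat-setup.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_prereqs || echo "prerequisites not met, fix them before adding NAT rules" >&2
    # ip_address is a placeholder for the node's public address.
    snat_rules eth0 ip_address 192.168.2.0/24
fi
```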
To make all IP addresses be translated by SNAT (not only the ones of [[container]]s with private addresses), use the following rule instead:
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>
Or you can just use:
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>

=== Save new iptables rules ===
Do not forget to save your new iptables rules:
<pre>
# service iptables save
# service iptables restart
</pre>

=== Firewall ===
On a Debian hardware node, you may need to allow forwarding explicitly. The table is still the default one (filter), but the chain is FORWARD:
<pre>
# iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
# iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
</pre>
For the default RedHat/CentOS firewall, allow outgoing connections from your containers, for example:
<pre>
# iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT
</pre>

=== Test ===
Now you should be able to reach the Internet from your container:
<pre>
# prlctl enter 100700
# ping openvz.org
</pre>

== How to provide access from Internet to a container ==
In addition, to make some services in a container with an internal (private) IP address accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the [[Hardware Node]]. To perform a simple DNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \
    -i eth0 -j DNAT --to-destination ve_address:dst_port_num
</pre>
where <tt>ve_address</tt> is the IP address of the container, <tt>dst_port_num</tt> is the tcp port the required service uses inside the container, <tt>ip_address</tt> is the external (public) IP address of your [[Hardware Node]], and <tt>port_num</tt> is a tcp port of the [[Hardware Node]] which will be used for Internet connections to the private container service. Note that this setup makes the service which is using <tt>port_num</tt> on the [[Hardware Node]] itself unreachable from the Internet. Also note that SNAT translation is required too.
For example, if you need a web server in a container to be accessible from outside and, at the same time, keep the web server on the [[Hardware Node]] accessible, use the following config:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
    -i eth0 -j DNAT --to-destination ve_address:80
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
</pre>
You also need to set GATEWAY in /etc/sysconfig/network-scripts/<interface> (the IP of the host that provides Internet access). After applying this, you'll see the container's web server at <code><nowiki>http://ip_address:8080/</nowiki></code>.

{{Note|this rule will only work for external clients, i.e. connections originating from a different host, so you can not test if it works locally.}}

{{Note|If you get any errors relating to: <code>iptables: No chain/target/match by that name</code>, double check to see if you have all the iptables/netfilter modules loaded properly. I had to <code>modprobe xt_tcpudp</code> before getting it to work.}}

The <tt>iptables</tt> utility allows you to set up more complex rules for Network Address Translation, involving various protocols and ports. If you wish to get more information on this, consult the numerous Internet sites (e.g. [http://www.netfilter.org netfilter.org]) and tutorials devoted to this issue.
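The following POSIX shell script is an added example (not part of this wiki page or of the OpenVZ/Virtuozzo tools) covering the DNAT section above: it builds the PREROUTING DNAT rule and the matching POSTROUTING SNAT rule for one container TCP service, validates both port numbers, and, before printing anything, checks a listener table in <code>ss -ltn</code> format to warn when the chosen node port is already bound on the node, since the article notes the forward would make that node service unreachable from the Internet. The interface, addresses and the listener table are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki. Generates the DNAT + SNAT pair for
# publishing ve_address:dst_port on ip_address:port_num, after checking that
# port_num is not already used by a service on the node itself.

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read an `ss -ltn` style table on stdin (State Recv-Q Send-Q Local:Port Peer:Port)
# and return 0 if some LISTEN socket's local port equals $1.
host_port_in_use() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# dnat_rules <iface> <ip_address> <ve_address> <port_num> <dst_port>
# Prints the two iptables commands; exits 1 on an invalid port.
dnat_rules() {
    iface="$1"; ip_address="$2"; ve_address="$3"; port_num="$4"; dst_port="$5"
    valid_port "$port_num" && valid_port "$dst_port" || {
        echo "invalid port: node=$port_num container=$dst_port" >&2
        return 1
    }
    # -i restricts the rule to traffic arriving on the public interface, which
    # is why the article says it cannot be tested from the node itself.
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -i %s -j DNAT --to-destination %s:%s\n' \
        "$ip_address" "$port_num" "$iface" "$ve_address" "$dst_port"
    # The container's outbound traffic (and replies) still needs SNAT.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to %s\n' \
        "$ve_address" "$iface" "$ip_address"
}

# publish_service <iface> <ip_address> <ve_address> <port_num> <dst_port>
# Listener table on stdin. Returns 2 without printing rules when port_num is
# already bound on the node, 1 on bad ports, 0 with the rules on stdout.
publish_service() {
    if host_port_in_use "$4"; then
        echo "port $4 is already bound on the node; the DNAT rule would shadow that service" >&2
        return 2
    fi
    dnat_rules "$@"
}

# Demo only when asked for (values are placeholders):
#   ss -ltn | sh publish.sh --demo
if [ "${1:-}" = "--demo" ]; then
    publish_service eth0 ip_address ve_address 8080 80
fi
```

With a real listener table you would run <code>ss -ltn | sh publish.sh --demo</code> on the node; with an empty or missing table the conflict check simply passes, so the check only helps when you actually feed it the node's sockets.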
== External Links ==
* [http://www.netfilter.org www.netfilter.org]
* [[w:Private network]]
[[Category: HOWTO]]
[[Category: Networking]]