Changes


Using NAT for container with private IPs

837 bytes added, 09:52, 17 August 2016
no edit summary
Make sure that the prerequisites below are met, otherwise it won't work for you!
 
=== IP conntracks ===
 
'''IP connection tracking should be enabled for CT0'''. For recent OpenVZ kernels (2.6.9 and later) connection tracking for CT0 is enabled by default, but it can be disabled by vzctl 4.7 and newer (because it has a negative impact on venet performance, see {{Bug|2755}}). So, make sure there is '''NO''' line like
 
<pre>
options ip_conntrack ip_conntrack_disable_ve0=1
</pre>
or
<pre>
options nf_conntrack ip_conntrack_disable_ve0=1
</pre>
 
in <code>/etc/modules.conf</code>, <code>/etc/modprobe.conf</code>, or any file under <code>/etc/modprobe.d/</code> (such as <code>/etc/modprobe.d/vz.conf</code>). '''If there is such a line, please'''
# change <code>=1</code> to <code>=0</code>
# reboot the node.
=== IP forwarding ===

IP forwarding must be enabled on the node. Note that the syntax of <code>/etc/sysctl.conf</code> has changed (see [https://bugs.launchpad.net/ubuntu/+source/procps/+bug/84537 Launchpad]) to:

<pre>
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
</pre>
=== Enable iptables in OpenVZ 7/Virtuozzo 7 ===

If you use OpenVZ 7/Virtuozzo 7 and want to manage iptables through iptables-services, you must disable firewalld and enable iptables:

<pre>
# systemctl stop firewalld
# systemctl mask firewalld
# yum install iptables-services
# systemctl enable iptables
</pre>

== How to create the container and attach network properties to it ==

Create the container:

<pre>
# prlctl create 100700 --vmtype ct
</pre>

Attach the internal IP address and DNS server:

<pre>
# prlctl set 100700 --ipadd 192.168.0.101/24
# prlctl set 100700 --nameserver 8.8.8.8
</pre>

Start the container:

<pre>
# prlctl start 100700
</pre>

== How to provide access for container to the Internet ==
To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>

Here <code>src_net</code> is the network of the containers' internal addresses and <code>ip_address</code> is the public IP address of the [[Hardware Node]]; the second form, without <code>-s</code>, translates all forwarded traffic leaving <code>eth0</code>, not only the containers' traffic.
 
Or you can just use:
 
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
 
=== Save new iptables rules ===

Do not forget to save your new iptables rules, otherwise they are lost on the next restart:

<pre>
# service iptables save
# service iptables restart
</pre>
=== Firewall ===

Allow traffic from the container network through the node firewall (here the <code>RH-Firewall-1-INPUT</code> chain) and save the result:

<pre>
# iptables -A RH-Firewall-1-INPUT -s 192.168.2.0/24 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
# service iptables restart
</pre>
 
 
=== Nameserver ===

Make sure a nameserver is set inside the CT. The easiest way to do it is:

<pre>
# vzctl set $CTID --nameserver inherit
</pre>
=== Test ===

Now you should be able to reach the Internet from your container:

<pre>
# vzctl exec $CTID ping openvz.org
</pre>

or, on OpenVZ 7/Virtuozzo 7:

<pre>
# prlctl enter 100700
# ping openvz.org
</pre>
== How to provide access from Internet to a container ==

<pre>
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
</pre>

You also need to set <code>GATEWAY</code> in the interface file under <code>/etc/sysconfig/network-scripts/</code> inside the container (the IP address of the host that provides Internet access).

After applying this, you will see the container's web server at <code><nowiki>http://ip_address:8080/</nowiki></code>.
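As an added example (not from the wiki page or the OpenVZ project), a small POSIX shell script that checks the CT0 conntrack prerequisite from the section above and generates the SNAT, FORWARD and DNAT rules for one container subnet, covering both the outbound section and this inbound section; the interface name eth0, the FORWARD rules and all sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: checks the CT0 conntrack prerequisite and
# generates the NAT rules for one container subnet. Interface name eth0, the
# FORWARD rules and all sample addresses are assumptions.

# conntrack_ok DIR: succeed (0) unless a modprobe config file under DIR carries an
# "options ip_conntrack|nf_conntrack ... ip_conntrack_disable_ve0=1" line, which
# disables connection tracking for CT0 and makes SNAT/DNAT on the node fail.
# A missing DIR counts as "not disabled".
conntrack_ok() {
    dir="$1"
    if grep -rEq '^[[:space:]]*options[[:space:]]+(ip|nf)_conntrack[[:space:]].*ip_conntrack_disable_ve0=1' "$dir" 2>/dev/null; then
        return 1
    fi
    return 0
}

# nat_rules SUBNET HOST_IP [HOST_PORT CT_IP CT_PORT]: print the iptables commands.
# SNAT is restricted with -s to the container subnet so that only container traffic
# is rewritten to the node address, and FORWARD only admits that subnet (plus replies).
# With HOST_PORT/CT_IP/CT_PORT given, a DNAT rule forwards one TCP port from the
# node's public address to the container (the inbound case described on the page).
nat_rules() {
    subnet="$1"; host_ip="$2"; host_port="$3"; ct_ip="$4"; ct_port="$5"
    printf 'iptables -t nat -A POSTROUTING -s %s -o eth0 -j SNAT --to %s\n' "$subnet" "$host_ip"
    printf 'iptables -A FORWARD -s %s -o eth0 -j ACCEPT\n' "$subnet"
    printf 'iptables -A FORWARD -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$subnet"
    if [ -n "$host_port" ]; then
        printf 'iptables -t nat -A PREROUTING -i eth0 -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$host_ip" "$host_port" "$ct_ip" "$ct_port"
        # the forwarded port must also be admitted by FORWARD (new connections towards the CT)
        printf 'iptables -A FORWARD -i eth0 -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$ct_ip" "$ct_port"
    fi
}

# Usage on a node (constructed values): check the prerequisite, then print the rules
# for review before applying them, e.g.  ./nat.sh demo | sh
if [ "${1:-}" = "demo" ]; then
    conntrack_ok /etc/modprobe.d || echo "ip_conntrack_disable_ve0=1 found: conntrack is off for CT0" >&2
    nat_rules 192.168.0.0/24 203.0.113.10 8080 192.168.0.101 80
fi
```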
Anonymous user