Using NAT for container with private IPs

70 bytes added, 13:00, 11 March 2008 (minor edit)
Robot: Automated text replacement (-VE +container)
=== IP forwarding ===
IP forwarding should be turned on on the hardware node in order for container networking to work. Make sure it is turned on (the command should print <tt>1</tt>):
<pre>
$ cat /proc/sys/net/ipv4/ip_forward
</pre>
in /etc/modules.conf or /etc/modprobe.conf. If there is such a line, comment it out (or remove it) and reboot.
== How to provide access for container to Internet ==
To enable the [[container]]s, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on the [[Hardware Node]]. This is ensured by the standard Linux <tt>iptables</tt> utility. To perform a simple SNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
</pre>
where <tt>src_net</tt> is a range of IP addresses of containers to be translated by SNAT, and <tt>ip_address</tt> is the external IP address of your [[Hardware Node]]. Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the [[Hardware Node|Node]], you may need to specify a different interface for outgoing connections, e.g. <tt>-o eth2</tt>.
To make all IP addresses be translated by SNAT (not only the ones of [[container]]s with private addresses), you should type the following string:
<pre>
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
</pre>
{{Note|in kernels later than 2.6.8, connection tracking is enabled by default}}
== How to provide access from Internet to a container ==
In addition, to make some services in a container with a private IP address accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the [[Hardware Node]]. To perform a simple DNAT setup, execute the following command on the [[Hardware Node]]:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \
  -j DNAT --to-destination ve_address:dst_port_num
</pre>
where <tt>ve_address</tt> is the IP address of the container, <tt>dst_port_num</tt> is the tcp port on which the service listens inside the container, <tt>ip_address</tt> is the external (public) IP address of your [[Hardware Node]], and <tt>port_num</tt> is the tcp port of the [[Hardware Node]] which will be used for Internet connections to the private container service. Note that this setup makes the service which is using <tt>port_num</tt> on the [[Hardware Node]] inaccessible from the Internet. Also note that SNAT translation is required too.
For example, if you need a web server in a container to be accessible from outside and, at the same time, keep a web server on the [[Hardware Node]] accessible, use the following config:
<pre>
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
  -j DNAT --to-destination ve_address:80
</pre>
After applying this, you'll see the container's web server at <code><nowiki>http://ip_address:8080/</nowiki></code>.
{{Note|this rule will only work for external clients, i.e. connections originating from a different host — so you can not test if it works locally.}}
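As an added example (not part of the original wiki page), the following POSIX shell script applies the SNAT rule and the DNAT rule from the two sections above in one place, checks the forwarding flag first, and uses <tt>iptables -C</tt> so that re-running it does not stack duplicate rules. The function names, the <tt>NAT_DRY_RUN</tt> switch, the <tt>-i</tt> interface match on the DNAT rule, and every address, port and interface name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki page. Applies the SNAT and DNAT rules
# described above without duplicating them on re-runs. All addresses, ports and
# interface names passed in are constructed placeholders for illustration.

# ip_forward_enabled [FILE]: succeed only if the kernel forwarding flag reads 1.
# FILE defaults to the real sysctl path; another path can be given for testing.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# run_rule CHAIN MATCH...: append a rule to the nat table only if an identical
# rule is not already present (-C), so repeated runs do not stack duplicates.
# With NAT_DRY_RUN=1 the command is printed instead of executed.
run_rule() {
    if [ "${NAT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables -t nat -A $*"
        return 0
    fi
    iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

# build_nat_rules SRC_NET HN_IP PUB_IF CT_IP HN_PORT CT_PORT
#   SRC_NET  container address range to masquerade   (src_net on the page)
#   HN_IP    public address of the hardware node     (ip_address)
#   PUB_IF   interface facing the Internet           (eth0)
#   CT_IP    private address of the container        (ve_address)
#   HN_PORT  port opened on the node                 (port_num)
#   CT_PORT  port the service listens on in the container (dst_port_num)
build_nat_rules() {
    src_net=$1 hn_ip=$2 pub_if=$3 ct_ip=$4 hn_port=$5 ct_port=$6
    # SNAT: outbound container traffic leaves with the node's public address.
    run_rule POSTROUTING -s "$src_net" -o "$pub_if" -j SNAT --to "$hn_ip"
    # DNAT: connections arriving on the public interface for HN_IP:HN_PORT are
    # redirected to the container service. The added -i PUB_IF match keeps the
    # rule from catching traffic that enters on internal interfaces.
    run_rule PREROUTING -p tcp -i "$pub_if" -d "$hn_ip" --dport "$hn_port" \
        -j DNAT --to-destination "$ct_ip:$ct_port"
}

# Usage when run directly as root (constructed values):
#   ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
#   build_nat_rules 10.0.0.0/24 203.0.113.10 eth0 10.0.0.5 8080 80
```

Run it with <tt>NAT_DRY_RUN=1</tt> first to review the exact rules it would add before touching the live nat table.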