OpenVZ Forum: Support » (NAT Internet for containers) in a container

Home » General » Support » (NAT Internet for containers) in a container

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

(NAT Internet for containers) in a container [message #39034]

Fri, 05 March 2010 05:39

alevchuk
Messages: 22
Registered: February 2007
Location: University of California,...

Junior Member

Dear OpenVZ support,

How can I setting-up a container that provides the service of a NAT Internet access for other containers?

Specifically:

I have Container N, Container C1, Container C2.

1. N is talking to the Internet through anything (veth, venet, a "moved" --netdev_add device).

2. N, C1, and C2 all have a venet0:0 IP which they all use to talk to each other.

3. N has ip_forwading enabled

4. N is running something like:

iptables -A POSTROUTING -s 192.168.16.0/24 -o vzbr0 -j SNAT --to-source PUBLIC_IP

5. C1 and C2 have N as their default gateway.

Problem:

I attempted this setup 2 times in two completely different places, and tested. Each of the 5 above steps work individually.

The packets of C1 and C2 going to Internet never reach N.

My Best Explanation:

I read (don't remember where) that OpenVZ drops all traffic on the Venet if the packet's destination does not match any of the IPs on the private network.

Thank you for reading.

Sincerely,
Alex

Report message to a moderator

Re: (NAT Internet for containers) in a container [message #39040 is a reply to message #39034]

Fri, 05 March 2010 11:37

TheStig
Messages: 94
Registered: December 2008

Member

i haven't tried anything like that, but i guess you will have to bind a NIC to N or at least use veth instead of venet in order to make a VPS route traffic.

Why don't you use the HN for NAT?

Report message to a moderator

Re: (NAT Internet for containers) in a container [message #39042 is a reply to message #39040]

Fri, 05 March 2010 21:55

alevchuk
Messages: 22
Registered: February 2007
Location: University of California,...

Junior Member

Dear Stig,

Thank you for your feedback.

My N is already using a binded NIC to access the Internet, but that does not help. And it would really suck if I have to switch all containers to veth.

My reasoning for moving the NAT service away from using the Hardware Node (HN) is two fold:
1. The sysadmin work becomes much cleaner when I separate the various services into dedicated containers.
2. I want to move away from having Internet on the HN. I'm running a local approx container, so Internet access is not needed to do the OS updates on the HN.

Alex

Report message to a moderator

Re: (NAT Internet for containers) in a container [message #39515 is a reply to message #39034]

Tue, 04 May 2010 16:28

SeaX
Messages: 1
Registered: May 2010

Junior Member

Hi,

I'm looking to setup exactly the same thing. Have you solved it ? And could you tell me how please Wink

?

I'm quite new using openvz, and looking for this solution for my school project.

Thanks in advance Smile

Report message to a moderator

Re: (NAT Internet for containers) in a container [message #39539 is a reply to message #39034]

Fri, 07 May 2010 13:54

maratrus
Messages: 1495
Registered: August 2007
Location: Moscow

Senior Member

Hello,

I suppose tcpdump would be helpful in your case.

Suppose a C1 is pinging some host in the Internet.
Are you sure that a packet that is going out of C1
reaches HN? Where does it go afterwards? Make sure
that it goes inside N! There has to be an appropriate
routing record on the HN.

Then make sure that this packet passing N's
iptables rules and leaving the HN. Look whether
reply is reaching HN and going to N.

Report message to a moderator

Previous Topic:	Intel e1000e driver for 2.6.18-ovz
Next Topic:	ecryptfs inside container - supported?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Mon Jul 15 12:54:27 GMT 2024

Total time taken to generate the page: 0.03201 seconds