(NAT Internet for containers) in a container [message #39034]
Fri, 05 March 2010 05:39
alevchuk
Messages: 22 Registered: February 2007 Location: University of California,...
Junior Member
Dear OpenVZ support,
How can I set up a container that provides the service of NAT Internet access for other containers?
Specifically:
I have Container N, Container C1, and Container C2.
1. N is talking to the Internet through anything (veth, venet, a "moved" --netdev_add device).
2. N, C1, and C2 all have a venet0:0 IP which they all use to talk to each other.
3. N has ip_forwarding enabled.
4. N is running something like:
iptables -t nat -A POSTROUTING -s 192.168.16.0/24 -o vzbr0 -j SNAT --to-source PUBLIC_IP
5. C1 and C2 have N as their default gateway.
Problem:
I attempted this setup 2 times in two completely different places, and tested. Each of the 5 above steps works individually.
The packets of C1 and C2 going to the Internet never reach N.
My Best Explanation:
I read (I don't remember where) that OpenVZ drops all traffic on the venet if the packet's destination does not match any of the IPs on the private network.
Thank you for reading.
Sincerely,
Alex
Re: (NAT Internet for containers) in a container [message #39539 is a reply to message #39034]
Fri, 07 May 2010 13:54
maratrus
Messages: 1495 Registered: August 2007 Location: Moscow
Senior Member
Hello,
I suppose tcpdump would be helpful in your case.
Suppose C1 is pinging some host on the Internet. Are you sure that a packet going out of C1 reaches the HN? Where does it go afterwards? Make sure that it goes inside N! There has to be an appropriate routing record on the HN.
Then make sure that this packet is passing N's iptables rules and leaving the HN. Look whether the reply is reaching the HN and going to N.
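As an added example (not code from either poster), here is a small Python helper that applies the hop-by-hop tcpdump check from the reply above: it walks the captures from C1, the HN, N's venet0 and N's vzbr0 in order, reports the first hop where the echo request is missing, and on the egress interface also checks that the source was rewritten by the SNAT rule from step 4. The hop names, the 192.168.16.2 / 203.0.113.10 / 198.51.100.1 addresses and the tcpdump lines are constructed for the example.

```python
import re

# Constructed tcpdump -n style lines (not real captures) for each hop on the
# path C1 -> HN -> N (venet0) -> N (vzbr0, after SNAT) described in the thread.
PRIVATE_SRC = "192.168.16.2"   # C1's venet IP, inside the 192.168.16.0/24 SNAT range (assumed)
PUBLIC_IP = "203.0.113.10"     # N's public address, stands in for PUBLIC_IP (placeholder)
TARGET = "198.51.100.1"        # Internet host C1 is pinging (placeholder)

CAPTURES = [
    ("C1 venet0", ["IP 192.168.16.2 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64"]),
    ("HN venet0", ["IP 192.168.16.2 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64"]),
    ("N venet0", []),   # nothing arrives inside N: the drop is between the HN and N
    ("N vzbr0", []),
]

LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def echo_requests(lines):
    """Return (src, dst) pairs for every ICMP echo request in the tcpdump lines."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(3) == "request":
            out.append((m.group(1), m.group(2)))
    return out


def locate_drop(captures, private_src, public_ip, target):
    """Walk the hops in order and return (hop, reason) for the first hop where the
    echo request is missing, or where the egress interface still shows the private
    source (SNAT did not apply).  (None, reason) means the request cleared every hop."""
    for hop, lines in captures:
        seen = echo_requests(lines)
        # After step 4 the packet leaving N on vzbr0 must carry the public source.
        expected_src = public_ip if hop.endswith("vzbr0") else private_src
        if (expected_src, target) in seen:
            continue
        if hop.endswith("vzbr0") and (private_src, target) in seen:
            return hop, "request left N without SNAT (check the -t nat POSTROUTING rule)"
        return hop, "echo request not seen here"
    return None, "request traversed every hop"


if __name__ == "__main__":
    print(locate_drop(CAPTURES, PRIVATE_SRC, PUBLIC_IP, TARGET))
```

The same walk can be repeated on the return path by feeding the captures in reverse order and matching on "echo reply" lines addressed back to the public and then the private IP.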