*SOLVED* NAT doesn't seem to work [message #4996]
Tue, 08 August 2006 00:55
duswil
I have followed the instructions at Using_NAT_for_VE_with_private_IPs.
My kernel does *not* have loadable modules enabled. Even with that enabled it doesn't seem to work.
I'm trying to have a set of VEs that have only an internal IP address (172.16.*.*) that can access remote services (apt-get, ping, etc). I don't want these VEs to have public IP addresses. Eventually they will be accessed through a proxy server in a VE that does have a public IP. It is important that these non-public VEs have access to Internet services.
The hn has Red Hat Enterprise Linux ES 4 with a custom compiled kernel. Attached is my .config file.
[root@hn ~]# uname -a
Linux hn.fakedomainname.com 2.6.8-022stab078-up #15 Tue Aug 8 00:13:33 UTC 2006 i686 athlon i386 GNU/Linux
[root@hn ~]# cat /etc/modules.conf
options ip_conntrack ip_conntrack_enable_ve0=1
The 27.16.122.72 IP is fake, I used my real HN IP address in its place:
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth0 -j SNAT --to 27.16.122.72
"testvps" has a private IP address:
testvps:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1397 errors:0 dropped:0 overruns:0 frame:0
TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:111809 (109.1 KiB) TX bytes:111809 (109.1 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 b) TX bytes:2128 (2.0 KiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.4.1 P-t-P:172.16.4.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Problem with pinging google.com from "testvps":
testvps:~# ping -w 10 google.com
PING google.com (64.233.167.99) 56(84) bytes of data.
--- google.com ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 9998ms
"dns" has a public IP (replaced with a fake one):
dns:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1462 errors:0 dropped:0 overruns:0 frame:0
TX packets:1462 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:116801 (114.0 KiB) TX bytes:116801 (114.0 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:57 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12536 (12.2 KiB) TX bytes:7094 (6.9 KiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:27.16.122.128 P-t-P:27.16.122.128 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
venet0:1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.1.1 P-t-P:172.16.1.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
No problem with pinging google.com from "dns":
dns:~# ping -w 2 google.com
PING google.com (64.233.187.99) 56(84) bytes of data.
64 bytes from 64.233.187.99: icmp_seq=1 ttl=239 time=37.9 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=239 time=38.1 ms
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 37.993/38.049/38.106/0.203 ms
Let me know what else might help track this problem down. I just can't seem to figure it out on my own.
Thanks!
Dusty
Attachment: dot.config
[Updated on: Thu, 10 August 2006 05:27] by Moderator
Re: NAT doesn't seem to work [message #4999 is a reply to message #4998]
Tue, 08 August 2006 02:09
duswil
[root@hn net]# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
0
[root@hn net]# cat /proc/sys/net/ipv4/conf/venet0/proxy_arp
0
[root@hn net]# cat /proc/sys/net/ipv4/conf/all/proxy_arp
0
[root@hn net]# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 172.16.0.0/16 0.0.0.0/0 to:27.16.122.72
[root@hn net]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.2.1 * 255.255.255.255 UH 0 0 0 venet0
172.16.4.1 * 255.255.255.255 UH 0 0 0 venet0
172.16.2.2 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.129 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.128 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.131 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.130 * 255.255.255.255 UH 0 0 0 venet0
172.16.1.1 * 255.255.255.255 UH 0 0 0 venet0
172.16.3.1 * 255.255.255.255 UH 0 0 0 venet0
172.16.3.3 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.134 * 255.255.255.255 UH 0 0 0 venet0
27.16.122.0 * 255.255.255.192 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 27.16.122.1 0.0.0.0 UG 0 0 0 eth0
[root@hn ~]# cd /proc/sys/net/ipv4/conf
[root@hn conf]# for i in */*; do echo $i; cat $i; done
all/accept_redirects
0
all/accept_source_route
0
all/arp_announce
0
all/arp_filter
0
all/arp_ignore
0
all/bootp_relay
0
all/disable_policy
0
all/disable_xfrm
0
all/force_igmp_version
0
all/forwarding
1
all/log_martians
0
all/mc_forwarding
0
all/medium_id
0
all/proxy_arp
0
all/rp_filter
0
all/secure_redirects
1
all/send_redirects
0
all/shared_media
1
all/tag
0
default/accept_redirects
1
default/accept_source_route
0
default/arp_announce
0
default/arp_filter
0
default/arp_ignore
0
default/bootp_relay
0
default/disable_policy
0
default/disable_xfrm
0
default/force_igmp_version
0
default/forwarding
1
default/log_martians
0
default/mc_forwarding
0
default/medium_id
0
default/proxy_arp
0
default/rp_filter
1
default/secure_redirects
1
default/send_redirects
1
default/shared_media
1
default/tag
0
eth0/accept_redirects
1
eth0/accept_source_route
0
eth0/arp_announce
0
eth0/arp_filter
0
eth0/arp_ignore
0
eth0/bootp_relay
0
eth0/disable_policy
0
eth0/disable_xfrm
0
eth0/force_igmp_version
0
eth0/forwarding
1
eth0/log_martians
0
eth0/mc_forwarding
0
eth0/medium_id
0
eth0/proxy_arp
0
eth0/rp_filter
1
eth0/secure_redirects
1
eth0/send_redirects
1
eth0/shared_media
1
eth0/tag
0
lo/accept_redirects
1
lo/accept_source_route
0
lo/arp_announce
0
lo/arp_filter
0
lo/arp_ignore
0
lo/bootp_relay
0
lo/disable_policy
0
lo/disable_xfrm
0
lo/force_igmp_version
0
lo/forwarding
1
lo/log_martians
0
lo/mc_forwarding
0
lo/medium_id
0
lo/proxy_arp
0
lo/rp_filter
1
lo/secure_redirects
1
lo/send_redirects
1
lo/shared_media
1
lo/tag
0
venet0/accept_redirects
1
venet0/accept_source_route
0
venet0/arp_announce
0
venet0/arp_filter
0
venet0/arp_ignore
0
venet0/bootp_relay
0
venet0/disable_policy
0
venet0/disable_xfrm
0
venet0/force_igmp_version
0
venet0/forwarding
1
venet0/log_martians
0
venet0/mc_forwarding
0
venet0/medium_id
0
venet0/proxy_arp
0
venet0/rp_filter
1
venet0/secure_redirects
1
venet0/send_redirects
0
venet0/shared_media
1
venet0/tag
0
[root@hn ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0E:0C:83:4A:90
inet addr:27.16.122.72 Bcast:27.16.122.108 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:386 errors:0 dropped:0 overruns:0 frame:0
TX packets:387 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41379 (40.4 KiB) TX bytes:46938 (45.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:417 errors:0 dropped:0 overruns:0 frame:0
TX packets:417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:36545 (35.6 KiB) TX bytes:36545 (35.6 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2029 (1.9 KiB) TX bytes:1901 (1.8 KiB)
[Updated on: Tue, 08 August 2006 02:42]
Re: NAT doesn't seem to work [message #5004 is a reply to message #5002]
Tue, 08 August 2006 06:51
duswil
testvps:~# ping -w 10 google.com
PING google.com (64.233.167.99) 56(84) bytes of data.
--- google.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9087ms
[root@hn ~]# lsmod
Module Size Used by
iptable_nat 26972 0
ip_conntrack 35720 1 iptable_nat
ipt_length 1728 0
ipt_ttl 1856 0
ipt_tcpmss 2112 0
ipt_TCPMSS 3904 0
iptable_mangle 4544 0
ipt_multiport 2048 0
ipt_limit 2176 0
ipt_tos 1600 0
ipt_REJECT 6016 0
iptable_filter 4288 1
ip_tables 20752 11 iptable_nat,ipt_length,ipt_ttl,ipt_tcpmss,ipt_TCPMSS,iptable_mangle,ipt_multiport,ipt_limit,ipt_tos,ipt_REJECT,iptable_filter
As before, I replaced my real IP with 27.16.122.72.
[root@hn ~]# iptables -nvL
Chain INPUT (policy ACCEPT 927 packets, 78071 bytes)
pkts bytes target prot opt in out source destination
927 78071 PORTSEN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 30 packets, 4722 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 839 packets, 95014 bytes)
pkts bytes target prot opt in out source destination
Chain PORTSEN (1 references)
pkts bytes target prot opt in out source destination
[root@hn ~]# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 172.16.0.0/16 0.0.0.0/0 to:27.16.122.72
Re: NAT doesn't seem to work [message #5030 is a reply to message #5009]
Tue, 08 August 2006 23:58
duswil
That one worked. As long as you're using modules (which I don't want to), that does the trick. Your comment helped greatly. Thanks!
I got it to work without module support, but it required patching one line of the OpenVZ patch.
You might want to consider making this flag (ip_conntrack_enable_ve0) an option to be set in the .config (via make menuconfig, make config, or whatever). If I knew how, I would help with that.
In the patch, I found the line that said:
+int ip_conntrack_enable_ve0 = 0;
and replaced it with:
+int ip_conntrack_enable_ve0 = 1;
which hardcodes that option into the kernel.
That part of the OpenVZ patch affects the "linux-2.6.8/net/ipv4/netfilter/ip_conntrack_standalone.c" file in the kernel source.
(removed patch, see http://bugzilla.openvz.org/show_bug.cgi?id=218 instead)
Thanks!
[Updated on: Wed, 09 August 2006 00:47]
Re: NAT doesn't seem to work [message #5032 is a reply to message #5031]
Wed, 09 August 2006 06:00
Vasily Tarasov
Well... if you've compiled this module in, you can pass a parameter to it using kernel parameters. For example, using the GRUB config:
kernel /vmlinuz root=/dev/sda2 ip_conntrack_enable_ve0=1
Please, if possible, try this method, and if it doesn't work, report it in bugzilla (bug #218).
Thank you very much!
vass
FIXED =0 -> =1. Bad misprint.
[Updated on: Wed, 09 August 2006 06:55]
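As an added example (not code from the thread or from OpenVZ), a small POSIX shell check that reproduces the diagnosis walked through above: it parses an `iptables -t nat -vnL POSTROUTING` listing and reports whether an SNAT rule for the private range exists and whether its packet counter is still zero, which in this thread was the sign that conntrack was not handling VE0 traffic, and it checks whether `ip_conntrack_enable_ve0=1` is supplied either on the kernel command line (built-in conntrack, as in the GRUB line above) or in modules.conf (modular conntrack). The sample listing is constructed from the output quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the POSTROUTING listing quoted in the thread, with the
# packet counter still at 0 after pings from the private VE.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT all -- * eth0 172.16.0.0/16 0.0.0.0/0 to:27.16.122.72'

# check_snat LISTING PRIVATE_NET
# Prints one of: missing | idle | active, and returns 0 only for "active".
# "idle" means the rule exists but has never matched a packet, the symptom
# seen in the thread before ip_conntrack_enable_ve0 was set.
check_snat() {
    listing=$1; net=$2
    # In -vnL output the columns are: pkts bytes target prot opt in out source ...
    line=$(printf '%s\n' "$listing" | awk -v n="$net" '$3=="SNAT" && $8==n {print; exit}')
    if [ -z "$line" ]; then
        echo missing; return 1
    fi
    pkts=$(printf '%s\n' "$line" | awk '{print $1}')
    if [ "$pkts" -eq 0 ]; then
        echo idle; return 2
    fi
    echo active; return 0
}

# ve0_conntrack_enabled CMDLINE MODULES_CONF
# Returns 0 if ip_conntrack_enable_ve0=1 is given on the kernel command line
# (conntrack compiled in) or as an "options ip_conntrack" line in modules.conf
# (conntrack built as a module); returns 1 otherwise.
ve0_conntrack_enabled() {
    cmdline=$1; modconf=$2
    case " $cmdline " in
        *" ip_conntrack_enable_ve0=1 "*) return 0 ;;
    esac
    printf '%s\n' "$modconf" \
        | grep '^options[[:space:]][[:space:]]*ip_conntrack[[:space:]]' \
        | grep -q 'ip_conntrack_enable_ve0=1' && return 0
    return 1
}
```

On a live host the listing would come from `iptables -t nat -vnL POSTROUTING`, the command line from `/proc/cmdline`, and the module options from `/etc/modules.conf`.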