OpenVZ Forum: Support » Nat inside VE

Home » General » Support » Nat inside VE - openvpn again

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Nat inside VE - openvpn again [message #32095]

Mon, 21 July 2008 08:37

mperkel
Messages: 253
Registered: December 2006

Senior Member

Getting this inside the VE:

iptables -L -t nat
iptables v1.4.1.1: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

On the HN it works:

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Conf file has:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter
iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

It's 1:30 in the morning and I'm brain dead. What am I doing wrong.

Thanks in advance.

Junk Email Filter
http://www.junkemailfilter.com

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32099 is a reply to message #32095]

Mon, 21 July 2008 09:46

mperkel
Messages: 253
Registered: December 2006

Senior Member

If I run this at the command line it works after restarting the vz service:

modprobe ip_nat
modprobe xt_tcpudp
modprobe ip_conntrack ip_conntrack_enable_ve0=1

How do I get these modules to load on startup?

Junk Email Filter
http://www.junkemailfilter.com

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32101 is a reply to message #32099]

Mon, 21 July 2008 11:22

kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia

Senior Member

You're right -- these modules need to be loaded before vz service start.

Some are supposed to be loaded by /etc/init.d/vz itself -- see it and IPTABLES variable defined in /etc/vz/vz.conf.

Some are supposed to be loaded by /etc/init.d/iptables script -- see it and IPTABLES_MODULES variable defined in /etc/sysconfig/iptables-config

I suggest you to add ip_nat to IPTABLES in /etc/vz/vz.conf

Kir Kolyshkin

http://static.openvz.org/userbars/openvz-developer.png

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32102 is a reply to message #32099]

Mon, 21 July 2008 11:25

kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia

Senior Member

In addition,
> modprobe ip_conntrack ip_conntrack_enable_ve0=1
is only needed if you want NAT to work in VE0. NAT in VEs will work regardless of this setting.

Kir Kolyshkin

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32114 is a reply to message #32095]

Mon, 21 July 2008 17:09

mperkel
Messages: 253
Registered: December 2006

Senior Member

ok - is there a file somewhere where I can just force the loading of modules on boot? Do I do it in modprobe.conf?

Junk Email Filter
http://www.junkemailfilter.com

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32116 is a reply to message #32095]

Mon, 21 July 2008 17:48

mperkel
Messages: 253
Registered: December 2006

Senior Member

What I'm thinking is - there should be a text file called "nat" that I can put into the /etc/modprobe.d directory to load the necessary modules. What would that file have in it?

Junk Email Filter
http://www.junkemailfilter.com

Report message to a moderator

Re: Nat inside VE - openvpn again [message #32120 is a reply to message #32116]

Tue, 22 July 2008 07:04

kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia

Senior Member

/etc/modprobe.d/smth will not autoload modules for you AFAIK. See man modprobe.conf for description of what you can put there. It is basically for passing options to modules, blacklisting modules, or having your own code executed instead of loading the module.

Kir Kolyshkin

Report message to a moderator