OpenVZ Forum


*SOLVED* iptables: DNAT with --dport option inside ve [message #6089] Fri, 08 September 2006 00:22
rudiross (Junior Member; Messages: 3; Registered: September 2006)
Hi all!

I am trying to forward some ports from inside a VE to another host.

The following works:
root@srv03:~# iptables -t nat -A PREROUTING -p tcp -i venet0 -j DNAT --to 10.4.0.2

The following does not:
root@srv03:~# iptables -t nat -A PREROUTING -p tcp --dport 80 -i venet0 -j DNAT --to 10.4.0.2:80

Error message:
iptables: No chain/target/match by that name

The following modules are loaded via <vpsid>.conf:

IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length iptable_nat ip_conntrack ip_conntrack_ftp ipt_conntrack ipt_helper ipt_state"

Can anyone tell me whether it is possible to perform DNAT with selected ports from inside a VE?

TIA

Rudi

[Updated on: Fri, 08 September 2006 08:38] by Moderator

Re: iptables: DNAT with --dport option inside ve [message #6094 is a reply to message #6089] Fri, 08 September 2006 07:14
Vasily Tarasov (Senior Member; Messages: 1345; Registered: January 2006)
Hello,

For me, both these commands work fine...
What kernel version do you use?

One more trick. Try to do the following:

1) do the command you need (... --dport ...) on HN
2) remove this rule on HN
3) enter VE and do the same command in VE

HTH,
vass.

Re: iptables: DNAT with --dport option inside ve [message #6101 is a reply to message #6094] Fri, 08 September 2006 08:18
rudiross (Junior Member; Messages: 3; Registered: September 2006)
Hi Vass,

Your trick made it work. Thank you very much. After loading the rule on the HW node and removing it again, it worked inside the VE (with both tcp and udp).

After rebooting the HW node, it stopped working again, so for now I add and remove one rule with the --dport option in it via startup script.

Does anybody have an explanation why this is necessary?

BTW, I am running 2.6.16-026test017 with iptables v1.3.3.

Regards,

Rudi
Re: iptables: DNAT with --dport option inside ve [message #6102 is a reply to message #6101] Fri, 08 September 2006 08:37
Vasily Tarasov (Senior Member; Messages: 1345; Registered: January 2006)
Quote:

Does anybody have an explanation why this is necessary?

The explanation is very easy :)
To add a rule in a VE, the appropriate modules should be loaded on the HN.
If you give the same iptables command on the HW node, the needed modules are loaded. =)

So, actually you can just manually load the needed modules on the HW node, and that's all.

Good luck!
Required module for DNAT with --dport option inside ve [message #6145 is a reply to message #6089] Sat, 09 September 2006 15:03
rudiross (Junior Member; Messages: 3; Registered: September 2006)
Just as a sidenote:

The required module seems to be xt_tcpudp.
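The fix from this thread in script form, as an added example that is not part of the original posts or of OpenVZ itself: instead of adding and removing a --dport rule on the HW node at startup, load on the HN every module named on the VE's IPTABLES= line plus xt_tcpudp, the module the last post identifies, before the VE starts. Assumed, not from the thread: the config path /etc/vz/conf/<VEID>.conf, the /proc/modules layout used to see what is already loaded, and the constructed sample data in the script.

```shell
#!/bin/sh
# Added example, not from the thread: a boot-time helper for the hardware node
# (HN) that loads the netfilter modules a VE's iptables rules need, instead of
# adding and removing a --dport rule on the HN at startup. The module list comes
# from the VE's IPTABLES="..." line plus xt_tcpudp, which the thread identifies
# as the module behind --dport. Assumed, not from the thread: the config path
# /etc/vz/conf/<VEID>.conf, the /proc/modules layout used to see what is loaded,
# and the sample data below, which is constructed.

# Print, one per line and without duplicates, the modules named on the
# IPTABLES="..." line of the VE config in $1, followed by xt_tcpudp.
wanted_modules() {
    {
        sed -n 's/^IPTABLES="\(.*\)".*$/\1/p' "$1" | tr ' ' '\n'
        echo xt_tcpudp
    } | sed '/^$/d' | awk '!seen[$0]++'
}

# Print the names from the list in file $1 that do not appear as a loaded
# module in file $2 (/proc/modules format: the name is the first field).
missing_modules() {
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        grep -q "^$mod " "$2" || echo "$mod"
    done < "$1"
}

# Load what is missing for VE config $1, checking against $2 (default
# /proc/modules). Mode $3 "dry" prints the modprobe commands instead of
# running them, so the helper can be checked without root.
load_missing() {
    conf="$1"; loaded="${2:-/proc/modules}"; mode="${3:-load}"
    list=$(mktemp)
    wanted_modules "$conf" > "$list"
    missing_modules "$list" "$loaded" | while IFS= read -r mod; do
        if [ "$mode" = dry ]; then
            echo "modprobe $mod"
        else
            modprobe "$mod" || echo "modprobe $mod failed" >&2
        fi
    done
    rm -f "$list"
}

# Constructed sample input (not real files from the thread's host): a VE
# config fragment and an lsmod-style listing in which ipt_state and
# xt_tcpudp are not loaded.
write_samples() {
    cat > "$1/101.conf" <<'EOF'
ONBOOT="yes"
IPTABLES="ipt_REJECT ipt_state iptable_nat ip_conntrack"
EOF
    cat > "$1/modules" <<'EOF'
iptable_nat 8324 1 - Live 0xf8a1d000
ip_conntrack 53296 2 iptable_nat, Live 0xf8a30000
ipt_REJECT 6784 0 - Live 0xf8a10000
x_tables 14336 3 iptable_nat,ipt_REJECT, Live 0xf8a00000
EOF
}

# Stand-alone run: show what the helper would load for the sample.
# Prints "modprobe ipt_state" and "modprobe xt_tcpudp".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
load_missing "$demo_dir/101.conf" "$demo_dir/modules" dry
rm -rf "$demo_dir"
```

On a real HN you would call load_missing with the VE's config and no further arguments from an init script that runs before the VEs are started; the dry mode only shows which modprobe calls would be made, which is the check to run first after a kernel update, since the module names the VE needs are those of the HN kernel, not of iptables inside the VE.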