OpenVZ Forum


Home » General » Support » iptables with nat inside guest
iptables with nat inside guest [message #22437] Sun, 28 October 2007 21:42 Go to next message
tpso
Messages: 19
Registered: September 2006
Location: Denmark
Junior Member
Hi,

I trying to use iptables inside a guest, to do some port-forwarding.

The host has a lot of ip-tables running to separate access from the
different guests, so all iptables kernel modules should be loaded.

When I run : iptables -L
inside the guest it shows empty chain - which I expect.

When I try to run the following command:

/sbin/iptables -t nat -A PREROUTING -p tcp -i venet0 -d
192.168.217.200 --dport 25 -j DNAT --to 192.168.217.200:1025


it fails with an error :

iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Any hint's on what is wrong?

Host is running: vmlinuz-2.6.18-8.1.4.el5.028stab035
guest is a contos 5.

regards
Thomas
Re: iptables with nat inside guest [message #22461 is a reply to message #22437] Mon, 29 October 2007 14:44 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
man and search your best friends. Laziness - not.

# vzctl --help | grep iptables
[--iptables <name>] [--disabled <yes|no>]



From vzctl man page:


Iptables control parameters

--iptables name
Restrict access to iptables modules inside a VE (by default all iptables modules that are loaded in the host
system are accessible inside a VE).

You can use the following values for name: iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos,
ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp,
ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_REDIRECT
xt_mac.



Please, be assured, that all necessary iptables modules are loaded before the start of vps

[Updated on: Mon, 29 October 2007 14:44]

Report message to a moderator

Re: iptables with nat inside guest [message #22553 is a reply to message #22461] Tue, 30 October 2007 19:05 Go to previous messageGo to next message
tpso
Messages: 19
Registered: September 2006
Location: Denmark
Junior Member
I have allready found the same quote in the man-pages.

It states that : by default all iptables modules that are loaded in the host system are accessible inside a VE.

As mentioned in my first post, I allready have iptables running on the host (inkluding NAT), why I assumes that all necessary kernel modules should be loaded.

I have tried to stop and restart the VPS so the iptables modules is loaded before VPS start.

So i'm still interessing in any hints.
Most post (and wiki documentation) is about iptables on the host handling VPS access - and I have it alle up and running.

But I cant run iptables inside the VPS.

Is there any non standard modules required ?


Regards Thomas
Re: iptables with nat inside guest [message #22596 is a reply to message #22553] Wed, 31 October 2007 11:18 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
# grep -i iptables /etc/vz/vz.conf
## IPv4 iptables kernel modules
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

# lsmod | grep nat
iptable_nat            13188  1 
ip_nat                 22288  2 vzrst,iptable_nat
ip_conntrack           60356  7 vzrst,vzcpt,ip_conntrack_netbios_ns,xt_conntrack,xt_state,iptable_nat,ip_nat
nfnetlink              10648  2 ip_nat,ip_conntrack
ip_tables              18760  3 iptable_filter,iptable_mangle,iptable_nat
x_tables               19204  18 xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_recent,xt_conntrack,ipt_REJECT,ipt_LOG,xt_state,xt_MARK,iptable_nat,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables
# vzctl start 115
...
# vzctl enter 115     
# iptables -t nat -nvL
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
^D
# vzctl set 115 --iptables "iptable_nat iptable_filter iptable_mangle ip_conntrack ipt_conntrack ipt_REDIRECT ipt_REJECT ipt_multiport ipt_helper ipt_LOG ipt_state" --save
Saved parameters for VE 115

# vzctl restart 115
...
# vzctl enter 115
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 


[Updated on: Wed, 31 October 2007 11:19]

Report message to a moderator

Re: iptables with nat inside guest [message #22599 is a reply to message #22596] Wed, 31 October 2007 11:27 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
certanly, you can add iptable_nat into /etc/vz/vz.conf &&
service vz restart.

It should work too, but I didn't try it Smile
Re: iptables with nat inside guest [message #22686 is a reply to message #22599] Thu, 01 November 2007 14:18 Go to previous messageGo to next message
tpso
Messages: 19
Registered: September 2006
Location: Denmark
Junior Member
Valmont wrote on Wed, 31 October 2007 12:27

certanly, you can add iptable_nat into /etc/vz/vz.conf &&
service vz restart.

It should work too, but I didn't try it Smile



It Does !! - or actually I know it works if all the iptables parameters from you vzctl ... --iptables command is moved top vz.conf . The conntrack parameters was allso missing.

Thanks a lot. Maybe the docs should be change, so the paragraph stating that "by default all iptables modules that are loaded in the host system are accessible inside a VE" is changed to a reference to the vz.conf file.

That was the point that got me off the track.

I know I haven't modified my vz.conf, so i mistakensly believed i could reley on default settings.

Thanks again.

/Thomas
Re: iptables with nat inside guest [message #22687 is a reply to message #22686] Thu, 01 November 2007 14:25 Go to previous message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
You are welcome Smile

tpso wrote on Thu, 01 November 2007 17:18


Maybe the docs should be change, so the paragraph stating that "by default all iptables modules that are loaded in the host system are accessible inside a VE" is changed to a reference to the vz.conf file.
/Thomas




Yeah, in this point I will agree with you. After your post I was wondering about availability of all modules in docs.

Previous Topic: OpenVZ blanks out in CentOS 4.5
Next Topic: network issue
Goto Forum:
  


Current Time: Mon Dec 02 20:56:34 GMT 2024

Total time taken to generate the page: 0.11243 seconds