OpenVZ Forum


Networking with OpenVz on Debian [message #36691] Thu, 09 July 2009 23:22
ceduardo
Hi everybody, thank you for your help (I am sorry but my English is very bad).

Well, I have OpenVZ installed on Debian lenny. This worked very well, but now I made a change in my Internet configuration and my CT does not have internet access.

I have this on my OpenVzSERVER:
eth0      Link encap:Ethernet  HWaddr 00:0b:6a:94:54:88
          inet addr:192.168.2.15  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:6aff:fe94:5488/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2214523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2034759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1189111524 (1.1 GiB)  TX bytes:998419042 (952.1 MiB)
          Interrupt:19 Base address:0xd400

eth1      Link encap:Ethernet  HWaddr 00:21:91:90:8e:7d
          inet addr:192.168.150.2  Bcast:192.168.150.7  Mask:255.255.255.248
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:17 Base address:0xd000

eth2      Link encap:Ethernet  HWaddr 00:08:54:27:1d:b8
          inet addr:190.145.2.YYY  Bcast:190.145.2.239  Mask:255.255.255.248
          inet6 addr: fe80::208:54ff:fe27:1db8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34116 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1046571 (1022.0 KiB)  TX bytes:9614680 (9.1 MiB)
          Interrupt:18 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42897 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42897 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4394719 (4.1 MiB)  TX bytes:4394719 (4.1 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:43510 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38310 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12827547 (12.2 MiB)  TX bytes:7445673 (7.1 MiB)

veth70.0  Link encap:Ethernet  HWaddr 00:18:51:39:c7:e7
          inet6 addr: fe80::218:51ff:fe39:c7e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1750 (1.7 KiB)  TX bytes:1312 (1.2 KiB)


I have on my CT Id 70 :
eth0      Link encap:Ethernet  HWaddr 00:18:51:84:DE:57
          inet addr:192.168.2.70  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::218:51ff:fe84:de57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1008 (1008.0 b)  TX bytes:1448 (1.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1077 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83161 (81.2 KiB)  TX bytes:83161 (81.2 KiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:70 errors:0 dropped:0 overruns:0 frame:0
          TX packets:687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37730 (36.8 KiB)  TX bytes:316514 (309.0 KiB)


I did this on my CT for network configuration:
[On OpenVzSERVER]
vzctl set 70 --ipdel 192.168.2.70
vzctl set 70 --netif_add eth0 --save

ifconfig -a

ifconfig veth70.0 0
echo 1 > /proc/sys/net/ipv4/conf/veth70.0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/veth70.0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

[On CT 70]
ifconfig eth0 0
ip addr add 192.168.2.70 dev eth0
ifconfig eth0 192.168.2.70 netmask 255.255.255.0 up
ip route del default
ip route add default dev eth0


[On OpenVzSERVER]
ip route add 192.168.2.70 dev veth70.0


The CT can ping the network 192.168.2.0 but does not have internet access.

Note: On my OpenVZ server I run this iptables script:
#!/bin/sh
## IPTABLES SCRIPT - example from the iptables manual
## Example firewall script between the local network and the internet
##
## Pello Xabier Altadill Izura
## www.pello.info - pello@pello.info

echo -n Aplicando Reglas de Firewall...

## FLUSH the rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## Set the default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT



## Start filtering
## Note: eth0 is the interface connected to the router and eth1 to the LAN
# Localhost is allowed (for example, local connections to mysql)

/sbin/iptables -A INPUT -i lo -j ACCEPT



# The firewall is accessible from the local network
iptables -A INPUT -s 192.168.2.0/24 -i eth0 -j ACCEPT



# Now masquerade the local network
# and enable the FORWARDING BIT (essential!!!!!)

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE



# This allows packet forwarding on the firewall, that is,
# other machines can go out through the firewall.

echo 1 > /proc/sys/net/ipv4/ip_forward
echo " OK . Verifique que lo que se aplica con: iptables -L -n"


Thanks again.


Re: Networking with OpenVz on Debian [message #36699 is a reply to message #36691] Fri, 10 July 2009 15:18
irontowngeek
In using VETH adapters non-bridged, you must make the VETH adapter for a container its gateway, and each container must be subnetted.
For simplicity, I use nothing but static configurations.
As an example:

In VE:

DEVICE=eth0
TYPE=Ethernet
IPADDR=192.168.254.1
PREFIXLEN=30
GATEWAY=192.168.254.2
MTU=1500
ONBOOT=yes

You can still leave the

ip route add default dev eth0

as this is mainly a fall back.

If you type

ip route list

in the VE, you will find the VETH adapter is listed as the default gateway device.
Using my example, the VETH adapter becomes:

DEVICE=veth254.0
TYPE=Ethernet
IPADDR=192.168.254.2
PREFIXLEN=30
MTU=1500
ONBOOT=yes


If routing is proper on your network's gateway router, then you should have no problems reaching the global Net.
In other words, it has the VE container's subnet in its table.
Remember that routing on the HN is handled via the kernel at the interface level.
I use a 16 prefix on a gateway router if I do not use a routing protocol.
My Node servers currently run OSPF, so routing is dynamic.
I use a 30 prefix length, as this is more than enough in using non-bridged VETH interfaces.
I hope you can read this okay, as my keyboard is flaking out on one side.
Reading your explanation of your problem, I do not think you need any help beyond this explanation.

Re: Networking with OpenVz on Debian [message #36701 is a reply to message #36699] Fri, 10 July 2009 18:47
vijay_361
Can you please post the /etc/sysconfig/network-scripts/ifcfg-eth0
for both container and physical machine

also output for iptables -L


vijayan

Re: Networking with OpenVz on Debian [message #36702 is a reply to message #36701] Fri, 10 July 2009 19:41
ceduardo
Hi everybody, thanks for your help.
On my CT ID 70 I have this:
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.2.70
NETMASK=255.255.255.0
BROADCAST=0.0.0.0


iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 venet0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 venet0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 eth0


Well, on my OpenVZ server I have this:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.2.0/24       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.75.ZZZ     192.168.150.1   255.255.255.255 UGH       0 0          0 eth1
192.168.2.72    0.0.0.0         255.255.255.255 UH        0 0          0 venet0
192.168.2.70    0.0.0.0         255.255.255.255 UH        0 0          0 veth70.0
190.145.2.WWW   0.0.0.0         255.255.255.255 UH        0 0          0 veth72.2
192.168.150.3   0.0.0.0         255.255.255.255 UH        0 0          0 venet0
192.168.150.0   0.0.0.0         255.255.255.248 U         0 0          0 eth1
190.145.2.XXX   0.0.0.0         255.255.255.248 U         0 0          0 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         190.145.2.YYY   0.0.0.0         UG        0 0          0 eth2


Thanks for your help.



Re: Networking with OpenVz on Debian [message #36719 is a reply to message #36691] Mon, 13 July 2009 14:40
ceduardo
Hi, thanks for your answer,

I have this line for the redirection from internal LAN to eth2
# The firewall is accessible from the local network
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE


But this line has a problem, because my internal LAN is 192.168.2.0/24 and not 192.168.0.0/24

I can solve this problem by making this change on the same line: where it says 192.168.0.0/24, change it to 192.168.2.0/24
# The firewall is accessible from the local network
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE

Thanks everybody!!!
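
The mismatch found in the post above (a MASQUERADE rule whose source network, 192.168.0.0/24, does not contain the container address 192.168.2.70) can be checked mechanically. This is an added example, not part of any poster's message; the function names and the sample rule text are constructed here, and the rule format assumed is that of iptables-save or `iptables -t nat -S`.

```shell
#!/bin/sh
# Added example (not from the thread): does any NAT rule cover a container IP?

# Dotted-quad IPv4 -> 32-bit integer. Always call inside $(...), since it
# changes IFS and the positional parameters.
ip_to_int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if IP $1 lies inside CIDR $2 (a bare address is treated as /32).
ip_in_cidr() {
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Reads nat-table rules (iptables-save / `iptables -t nat -S` form) on stdin.
# Prints the first MASQUERADE or SNAT rule leaving via interface $2 whose -s
# network contains IP $1; returns 1 if none does. Negated matches ("! -s")
# are not interpreted.
nat_rule_for() {
    src_ip=$1; out_if=$2
    while read -r line; do
        case $line in *"-j MASQUERADE"*|*"-j SNAT"*) ;; *) continue ;; esac
        rule_src=0.0.0.0/0; rule_out=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -s) rule_src=$2; shift ;;
                -o) rule_out=$2; shift ;;
            esac
            shift
        done
        [ -z "$rule_out" ] || [ "$rule_out" = "$out_if" ] || continue
        if ip_in_cidr "$src_ip" "$rule_src"; then
            printf '%s\n' "$line"
            return 0
        fi
    done
    return 1
}

# Constructed samples: the POSTROUTING rule from the original script and the
# corrected one from the follow-up post, as iptables would list them.
RULES_BEFORE='-A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE'
RULES_AFTER='-A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE'

for rules in "$RULES_BEFORE" "$RULES_AFTER"; do
    if printf '%s\n' "$rules" | nat_rule_for 192.168.2.70 eth2 >/dev/null; then
        echo "covered: $rules"
    else
        echo "192.168.2.70 NOT covered by: $rules"
    fi
done
```

On a live node the same function can be fed from `iptables -t nat -S POSTROUTING` instead of the constructed strings.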

Re: Networking with OpenVz on Debian [message #36720 is a reply to message #36702] Mon, 13 July 2009 15:00
irontowngeek
If you are networking a DEBIAN container, the network configuration file differs from that of REDHAT.
Also, all VE container ID numbers should start with 100, as 0-99 is reserved by OpenVZ.
Let's go back to square one.

If you are running a REDHAT distribution on the Node server (i.e. CentOS 5, as the default Node server OS), your VETH device configuration as an example, using a VE ID of 100.
The "/etc/sysconfig/network-scripts/ifcfg-veth100.0" file is;

DEVICE=veth100.0
TYPE=Ethernet
IPADDR=192.168.100.2
NETMASK=255.255.255.0
MTU=1500
ONBOOT=yes

I went ahead and used the standard "/24" prefix length, or "255.255.255.0".
Make sure routing is proper on the Node, that you can reach the LAN gateway router.
If using CentOS 5 on the Node, place this directive in;

/etc/sysconfig/network

GATEWAY=your_edge_router
GATEWAYDEV=your_source_route_interface

An example is;

GATEWAY=192.168.99.1
GATEWAYDEV=eth1

It is much simpler than using "iproute2".
If you use a REDHAT based VE container, its network configuration is;

DEVICE=eth0
TYPE=Ethernet
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.100.2
MTU=1500
ONBOOT=yes

If you are using DEBIAN as the OpenVZ Node server's OS, this goes beyond the default supported OS, and the location and syntax of the configuration differ from REDHAT.
It's located in;

/etc/network/interfaces

Nevertheless, the VETH interface configuration should be;

iface veth100.0 inet static
address 192.168.100.2
netmask 255.255.255.0
broadcast 192.168.100.255


Using a DEBIAN VE, your network configuration is;

iface eth0 inet static
address 192.168.100.1
netmask 255.255.255.0
broadcast 192.168.100.255
gateway 192.168.100.2
dns-mydomain
dns-nameservers 192.168.11.1

as a minimum.

Regardless of whether you use a REDHAT or DEBIAN based VE, you have to define a "gateway" route that points to the VE container's VETH adapter interface, if you are not using bridged Ethernet.
As long as you can do a;

ip route list

and you see a line that defines the VETH adapter's IP address as the default route for the VE, then you are good to go.
As I stated earlier, routing on a Node server is a moot issue, as it will always have its routing table updated via any interface that is added.
Just make sure the edge router has the VE container's subnet in its routing table (this is the router that faces the Internet).
Generally, all you need is, if using a Class C subnet;

ip route add 192.0.0.0/16 via 192.168.99.1

(replace 192.168.99.1 with your LAN gateway IP)

As far as IPTABLES syntax, I use the SHOREWALL firewall program on my Node server, which eliminates knowing specific IPTABLES syntax.
Remember, you need to NAT the private IP address you use for the VE container (this, of course, is self-explanatory).
Maybe somebody that may be reading this thread can fill in that blank for you, using IPTABLES manually.

Cheers and good luck.

Re: Networking with OpenVz on Debian [message #36721 is a reply to message #36691] Mon, 13 July 2009 15:08
irontowngeek
PS;

I was looking in your;

netstat -nr

you are using a netmask of

255.255.255.255

for your VETH adapters.
This makes it a "point to point" connection.
Use a different prefix length, unless you are trying to create a VPN type setup.

Re: Networking with OpenVz on Debian [message #36722 is a reply to message #36691] Mon, 13 July 2009 15:27
irontowngeek
I'm going to repost this reply, as I'm not sure that it took.

First, let's go back to square one.
I'm assuming you use a REDHAT OS on the Node, and you want to network a DEBIAN VE.

* Issue number 1.

No IP address for VETH interface.

veth70.0 Link encap:Ethernet HWaddr 00:18:51:39:c7:e7
inet6 addr: fe80::218:51ff:fe39:c7e7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1750 (1.7 KiB) TX bytes:1312 (1.2 KiB)

If you are not bridging a VETH adapter interface, you must assign an IP address to the VETH adapter.

* Issue number 2

VE container ID numbers must start at 100. Whether this makes a difference, I have not tested.

Assuming what I have written;

On the Node server for REDHAT based distributions;

DEVICE=veth100.0
TYPE=Ethernet
IPADDR=192.168.100.2
NETMASK=255.255.255.0
ONBOOT=yes

On the VE container, for REDHAT based distributions;

DEVICE=eth0
TYPE=Ethernet
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.100.2
ONBOOT=yes


If you are using DEBIAN as the Node server OS;


iface veth100.0 inet static
address 192.168.100.2
netmask 255.255.255.0
broadcast 192.168.100.255
gateway 192.168.11.1


If you are using DEBIAN as the VE container;


iface eth0 inet static
address 192.168.100.1
netmask 255.255.255.0
broadcast 192.168.100.255
gateway 192.168.100.2
dns-nameserver x.x.x.x

As far as specific IPTABLES syntax, I use SHOREWALL firewall, as it
uses configuration files that you can edit.
