[Users] iptables MASQUERADE and MARK
Kelvin Raywood
kray at triumf.ca
Mon Jul 5 18:55:25 EDT 2010
We're using OpenVZ to host firewalls for multiple VLANs and it's working
out really well in the cases where we write the iptables rules
ourselves. We add the network interface of each VLAN directly to a VPS
and use a bridge on the other side.
For some VLANs, we want to use iptables rules generated by some other
software. One of these uses both ipt_MASQUERADE and ipt_MARK. It
seems as though MASQUERADE is now working in
ovzkernel-2.6.18-194.3.1.el5.028stab069.6 although vzctl-3.0.24-1
doesn't recognize it. However, ipt_MARK is not OpenVZ-ised so we have to
run a couple of separate stand-alone non-OpenVZ boxes for the VLANs that
use this software. Unfortunately, the software is not easily hackable,
making one box per VLAN necessary.
I searched the OpenVZ bugzilla but couldn't find any entries for
ipt_MARK. Does anyone know if this module will be OpenVZ-ised in some
future kernel?
If not, I'll add a feature request.
BTW, the message quoted below did not receive a response on the list but
I confirm that MASQUERADE is now virtualized but the tools don't yet
know. So you have to use some non-OpenVZ method to ensure that it gets
loaded. On CentOS-5, I drop short scripts in /etc/sysconfig/modules/ to
ensure that various modules are loaded.
Cheers,
--
Kelvin Raywood
Vancouver BC
On Fri Jun 4 Aleksandar Ivanisevic wrote:
> I've googled a bit and it seems that everyone claims that
> ipt_MASQUERADE isn't virtualized, and indeed if I add it to vz.conf
> under IPTABLES=, all tools are complaining that it is unknown
>
> BUT! ;)
>
> if I load the module manually in the HN (modprobe ipt_MASQUERADE),
> masquerading works as advertised in the container.
>
> So, is MASQUERADE virtualized or not? It seems to be, but I may be
> missing something.
>
> What is the proper way to load ipt_MASQUERADE in the container?
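The CentOS-5 approach mentioned above (a short script under /etc/sysconfig/modules/ that rc.sysinit runs at boot), written out as an added example; it is not part of the original post. The file name openvz-netfilter.modules is an assumption, and the loaded-module check reads /proc/modules so it can be exercised against a constructed module list.

```bash
#!/bin/bash
# Assumed install path: /etc/sysconfig/modules/openvz-netfilter.modules (mode 0755).
# On CentOS-5, rc.sysinit runs every executable /etc/sysconfig/modules/*.modules
# at boot, which is before the vz service starts the containers.

MODULES="ipt_MASQUERADE ipt_MARK"

# module_loaded NAME [LISTFILE]
# Returns 0 if NAME is present in LISTFILE (default /proc/modules), 1 otherwise.
# /proc/modules has one module per line with the name in the first column.
module_loaded() {
    local name=$1 list=${2:-/proc/modules}
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$list"
}

# missing_modules [LISTFILE]
# Prints, one per line, the names in $MODULES that are not loaded.
missing_modules() {
    local m
    for m in $MODULES; do
        module_loaded "$m" "$1" || echo "$m"
    done
}

# load_missing
# modprobe each missing module; report failures but keep going so one
# missing module does not prevent the others from loading.
load_missing() {
    local m rc=0
    for m in $(missing_modules); do
        if ! /sbin/modprobe "$m"; then
            echo "$0: failed to load $m" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when executed as the installed boot script; sourcing the file
# just defines the functions so they can be checked against a test list.
case "${0##*/}" in
    openvz-netfilter.modules) load_missing ;;
esac
```

After installing the script, `lsmod | grep ipt_` on the hardware node after a reboot confirms both modules came up before the containers did.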