[Users] iptables MASQUERADE and MARK

Kir Kolyshkin kir at openvz.org
Tue Jul 6 10:54:13 EDT 2010


On 07/06/2010 02:55 AM, Kelvin Raywood wrote:
> We're using OpenVZ to host firewalls for multiple VLANs and it's working
> out really well in the cases where we write the iptables rules
> ourselves.  We add the network interface of each VLAN directly to a VPS
> and use a bridge on the other side.
>
> For some VLANs, we want to use iptables rules generated by some other
> software.  One of these uses both ipt_MASQUERADE and ipt_MARK.  It
> seems as though MASQUERADE is now working in
> ovzkernel-2.6.18-194.3.1.el5.028stab069.6 although vzctl-3.0.24-1
> doesn't recognize it. However, ipt_MARK is not OpenVZ-ised so we have to
> run a couple of separate stand-alone non-OpenVZ boxes for the VLANs that
> use this software.  Unfortunately, the software is not easily hackable
> making one box per VLAN necessary.
>
> I searched the OpenVZ bugzilla but couldn't find any entries for
> ipt_MARK.  Does anyone know if this module will be OpenVZ-ised in some
> future kernel?
>
> If not, I'll add a feature request.
>    

Please do, to http://bugzilla.openvz.org/.

> BTW, the message quoted below did not receive a response on the list but
> I confirm that MASQUERADE is now virtualized but the tools don't yet
> know.  So you have to use some non-OpenVZ method to ensure that it gets
> loaded.  On CentOS-5, I drop short scripts in /etc/sysconfig/modules/ to
> ensure that various modules are loaded.
>
> Cheers,
>
> --
> Kelvin Raywood
> Vancouver BC
>
> On Fri Jun 4 Aleksandar Ivanisevic wrote:
>    
>> I've googled a bit and it seems that everyone claims that
>> ipt_MASQUERADE isn't virtualized, and indeed if I add it to vz.conf
>> under IPTABLES=, all tools are complaining that it is unknown
>>
>> BUT! ;)
>>
>> if I load the module manually in the HN (modprobe ipt_MASQUERADE),
>> masquerading works as advertised in the container.
>>
>> So, is MASQUERADE virtualized or not? It seems to be, but I may be
>> missing something.
>>
>> What is the proper way to load ipt_MASQUERADE in the container?
>>      


