[Users] NAT/Firewall CT-based?
Marc Olive
marc.olive at grupblau.com
Thu Mar 11 04:36:41 EST 2010
Hello all,
I would like to have a NAT (and Firewall) linux node in my network to protect
and to control the traffic.
I have a server with two ethernets, one connected to internet router and the
other connected to internal switch.
I have several CTs for the different servers (DHCP, DNS, HTTP, Jabber and
others), and I was thinking of making another CT to act as NAT, firewall and
router.
By the way, I have made a CT with an ethernet bridged to the internet ethernet of
the HN and one venet (maybe it should be two bridges?):
CT1:~# ifconfig (simplified)
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:1d
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
venet0 Link encap:UNSPEC HWaddr
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0
Mask:255.255.255.255
venet0:0 Link encap:UNSPEC HWaddr
inet addr:192.168.1.12 P-t-P:192.168.1.12 Bcast:0.0.0.0
Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
HN:~# ifconfig (simplified)
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:e7
inet6 addr: fe80::21a:92ff:fe66:d7e7/64 Scope:Link
eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:23
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::210:18ff:fe5a:9d23/64 Scope:Link
venet0 Link encap:UNSPEC HWaddr
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
veth101.0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:33
inet6 addr: fe80::218:51ff:fe1d:cb33/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
vzbr0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:33
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21a:92ff:fe66:d7e7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
HN:~# brctl show
bridge name bridge id STP enabled interfaces
vzbr0 8000.0018511dcb33 no eth0
veth101.0
When I run "iptables" inside the CT it says that it cannot load the modules, and
I realized that they aren't inside the CT:
CT:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such
file or directory
iptables v1.4.2: can't initialize iptables table `nat': Table does not exist
(do you need to insmod?)
Is it a good idea to have a CT as NAT and firewall, or should I use the HN for
this purpose?
Is there any doc explaining a similar configuration?
Any other recommendation?
Many thanks,
--
Marc Olivé
Grup Blau
www.grupblau.com
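The setup asked about above, as an added example that is not part of the original post or of OpenVZ itself. It assumes the router CT is ID 101 with two veth interfaces (eth0 bridged to the HN's internet NIC, eth1 on a second bridge to the internal switch), a placeholder internal subnet, and vzctl 3.x syntax; the module names are the ones vzctl's IPTABLES list accepts. The CT has no /lib/modules and cannot insmod, so the modules are loaded and granted on the HN, which is what the "Table does not exist" error is about.

```shell
#!/bin/sh
# Added example (not from the post). Assumed: CT 101, eth0 = internet side,
# eth1 = internal side, placeholder subnet, vzctl 3.x "--iptables" option.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
CTID="${CTID:-101}"
DRY_RUN="${DRY_RUN:-}"   # set to 1 to print commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Step 1, on the hardware node: load the netfilter modules there and grant
# them to the CT; the CT itself cannot load kernel modules.
hn_grant_netfilter() {
    mods="ip_conntrack iptable_filter iptable_nat ipt_MASQUERADE ipt_state ipt_REJECT"
    for m in $mods; do
        run modprobe "$m"
    done
    run vzctl set "$CTID" --iptables "$mods" --save
}

# Step 2, inside the CT after it has been restarted: default-deny stateful
# firewall plus masquerading of the internal subnet out of the internet side.
ct_apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP        # nothing reaches the router CT itself ...
    run iptables -P FORWARD DROP      # ... or crosses it unless allowed below
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT   # admin from inside only
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Usage: "sh fw.sh hn" on the HN, restart the CT, then "sh fw.sh ct" inside it.
case "$1" in
    hn) hn_grant_netfilter ;;
    ct) ct_apply_firewall ;;
esac
```

Run with DRY_RUN=1 first to see the exact commands; new connections from the internet side are dropped by the FORWARD policy, so any inbound service must get its own explicit rule.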