[Users] NAT/Firewall CT-based?

Marc Olive marc.olive at grupblau.com
Thu Mar 11 04:36:41 EST 2010


Hello all,

I would like to have a NAT (and firewall) Linux node in my network to protect 
and to control the traffic.
I have a server with two ethernets, one connected to the internet router and the 
other connected to the internal switch.
I have several CTs, one for each different server (DHCP, DNS, HTTP, Jabber and 
others), and I was thinking of making another CT to act as NAT, firewall and 
router.

By the way, I have made a CT with an ethernet bridged to the internet ethernet of 
the HN and one venet (maybe it should be two bridges?):

CT1:~# ifconfig (simplified)
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:1d  
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0

venet0    Link encap:UNSPEC  HWaddr 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255

venet0:0  Link encap:UNSPEC  HWaddr 
          inet addr:192.168.1.12  P-t-P:192.168.1.12  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

HN:~# ifconfig (simplified)
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:e7  
          inet6 addr: fe80::21a:92ff:fe66:d7e7/64 Scope:Link

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:23  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::210:18ff:fe5a:9d23/64 Scope:Link

venet0    Link encap:UNSPEC  HWaddr 
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

veth101.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:33  
          inet6 addr: fe80::218:51ff:fe1d:cb33/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

vzbr0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:33  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21a:92ff:fe66:d7e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

HN:~# brctl show
bridge name	bridge id		STP enabled	interfaces
vzbr0		8000.0018511dcb33	no		eth0
							veth101.0


When I run "iptables" inside the CT it says that it cannot load the modules, and 
I realized that they aren't inside the CT:

CT:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory
iptables v1.4.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

Is it a good idea to have a CT as NAT and firewall, or should I use the HN for 
this purpose?
Is there any doc explaining a similar configuration?
Any other recommendation?

Many thanks,

-- 

Marc Olivé
Grup Blau

www.grupblau.com  
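A pre-flight check for the failure shown above, added here as an example (not code from the poster or the OpenVZ project): the `nat` table error means the kernel does not expose that table inside the CT, so the script reads /proc/net/ip_tables_names (the kernel's list of loaded IPv4 tables) and only applies the MASQUERADE rule from the post, plus a default-deny FORWARD policy, when both `nat` and `filter` are present. The interface names WAN_IF/LAN_IF and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. A CT only sees the iptables
# tables its HN granted it; /proc/net/ip_tables_names lists the tables the
# kernel exposes here, so check it before trying to add NAT rules.
# Assumed interface names: WAN_IF is the bridged internet side (eth0 in the
# post), LAN_IF the internal side. DRY_RUN=1 prints instead of executing.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-venet0}"

# Print a verdict for table $1 by reading the names file $2
# (default /proc/net/ip_tables_names). Always exits 0 so it is safe
# under "set -e"; callers compare the printed word.
table_verdict() {
    table="$1"
    names_file="${2:-/proc/net/ip_tables_names}"
    if [ ! -r "$names_file" ]; then
        echo "no-iptables"     # ip_tables not loaded or not visible in the CT
    elif grep -qx "$table" "$names_file"; then
        echo "available"
    else
        echo "missing"         # table not granted to this CT by the HN
    fi
}

# Run an iptables command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Apply the NAT/firewall rule set only if the needed tables exist.
# $1 optionally overrides the names file (used for testing).
apply_nat_firewall() {
    [ "$(table_verdict nat "$1")" = "available" ] || {
        echo "nat table unavailable in this CT; the HN must grant it" >&2
        return 1
    }
    [ "$(table_verdict filter "$1")" = "available" ] || return 1
    # Default-deny forwarding: only LAN-originated flows and their replies pass.
    run -P FORWARD DROP
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule from the post, applied only now that "nat" is known to exist.
    run -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}
```

Run it as root inside the CT with `DRY_RUN=1` first to see the exact commands it would issue; a "missing" verdict for `nat` points at the HN configuration rather than at the CT.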


