[Users] NAT/Firewall CT-based?
Chris Bennett
chris at ceegeebee.com
Sat Mar 13 12:53:11 EST 2010
Hi Marc,
> When I run "iptables" inside CT it says that it cannot load the modules, and
> I realized that they aren't inside CT:
>
> CT:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such
> file or directory
> iptables v1.4.2: can't initialize iptables table `nat': Table does not exist
> (do you need to insmod?)
>
> Is it a good idea to have a CT as NAT and Firewall or should I use the HN for
> this purpose?
> Is there any doc explaining a similar configuration?
> Any other recommendation?
Have you had a look at:
http://wiki.openvz.org/Setting_up_an_iptables_firewall
I run a FW container that performs routing between an internet
segment, and one or more internal networks (DMZ, internal, wireless).
It's actually quite handy, because you can then migrate the router/FW
role between hardware nodes like any other container.
And keeping the HN OS to minimum changes, it becomes very easy to
understand the impact of taking down a hardware node... Migrate
containers to another node, and then shutdown the HN.
This can apply even for a network with only one HN and little
networking/firewalling requirements - you'll thank yourself later when
things change, new hardware replaces old hardware etc.
One gotcha is VZ beancounters has a parameter for number of iptables
entries (numiptent). You'll need to boost that up for complex
firewall rulesets.
Regards,
Chris Bennett
cgb
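As an added example (not part of Chris's post or of the OpenVZ project), a small shell helper for the two problems raised in this thread: checking whether a container's config grants it the iptable_nat module, and checking the numiptent beancounter from /proc/user_beancounters so that a non-zero failcnt shows the iptables-entry limit has been hit. The two sample files are constructed here; the function names and the layout of the sample beancounter table follow the real /proc/user_beancounters format.

```shell
#!/bin/sh
# Added example: checks for a firewall/NAT container on an OpenVZ HN.

# Returns 0 if the CT config (default /etc/vz/conf/CTID.conf) lists
# iptable_nat in its IPTABLES= line, 1 otherwise.  Without it, "iptables
# -t nat" inside the CT fails with "Table does not exist".
ct_nat_enabled() {
    conf="${2:-/etc/vz/conf/$1.conf}"
    grep -E '^IPTABLES=.*iptable_nat' "$conf" >/dev/null 2>&1
}

# Prints the numiptent row for CTID from a beancounters file
# (default /proc/user_beancounters); returns 1 if the CT is not listed.
numiptent_status() {
    ctid="$1"
    ubc="${2:-/proc/user_beancounters}"
    awk -v ctid="$ctid" '
        # "NNN:" in the first column starts that container block; strip
        # it so the resource name is always $1 on every row.
        $1 ~ /^[0-9]+:$/ { cur = substr($1, 1, length($1) - 1); sub(/^ *[0-9]+: */, "") }
        cur == ctid && $1 == "numiptent" {
            printf "held=%s maxheld=%s barrier=%s limit=%s failcnt=%s\n", $2, $3, $4, $5, $6
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$ubc"
}

# Returns 0 if the CT has ever hit its numiptent limit (failcnt > 0).
numiptent_exhausted() {
    numiptent_status "$1" "$2" |
        awk -F'failcnt=' '{ if ($2 + 0 > 0) hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# Constructed sample data: CT 101 has exhausted numiptent, CT 102 has not.
SAMPLE_UBC=$(mktemp)
cat > "$SAMPLE_UBC" <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize        1356636    1750568   11055923   11377049          0
            numiptent           128        128        128        128         37
            numfile             512        600       2048       2048          0
      102:  kmemsize        1000000    1200000   11055923   11377049          0
            numiptent            10         10        128        128          0
EOF
SAMPLE_CONF=$(mktemp)
printf 'ONBOOT="yes"\nIPTABLES="iptable_filter iptable_nat ipt_MASQUERADE ipt_REJECT"\n' > "$SAMPLE_CONF"

ct_nat_enabled 101 "$SAMPLE_CONF" && echo "CT 101: iptable_nat granted"
numiptent_status 101 "$SAMPLE_UBC"
numiptent_exhausted 101 "$SAMPLE_UBC" && echo "CT 101: numiptent limit hit, raise it"
```

A non-zero failcnt is the signal to raise the barrier and limit with vzctl (`vzctl set CTID --numiptent barrier:limit --save`) before loading a larger ruleset.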