[Users] IPtables and NAT issue w/ OpenVZ 7

Corrado Fiore lists at corradofiore.it
Sun Oct 23 04:26:01 PDT 2016


Dear All,

on a newly prepared OpenVZ 7 node, I'm facing problems with iptables and NAT inside a CT.  I applied the same configuration I used to set up on OpenVZ 6 containers but something must have changed.

I've got two CentOS 7 containers, hosted on the same HN:

CT 1
 - venet with public IP (say, 1.2.3.4)
 - veth, connected to the `network1` virtual network, IP 192.168.144.124
 - netfilter set to "full" in the CT conf file
 - net.ipv4.ip_forward set to "1" within the CT
 - iptables rule "-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4" active

CT 2
 - no venet
 - veth, connected to `network1`, with IP 192.168.1.125

Routes on CT 2:

CT-b9ea543c /# ip route
default via 192.168.144.124 dev netif1 
169.254.0.0/16 dev netif1  scope link  metric 1003 
192.168.144.0/24 dev netif1  proto kernel  scope link  src 192.168.144.125 

Ping test:

CT-8ac555a7 /# ping 192.168.144.125
PING 192.168.144.125 (192.168.144.125) 56(84) bytes of data.
64 bytes from 192.168.144.125: icmp_seq=1 ttl=64 time=0.128 ms
64 bytes from 192.168.144.125: icmp_seq=2 ttl=64 time=0.119 ms
[...]

CT-b9ea543c /# ping 192.168.144.124
PING 192.168.144.124 (192.168.144.124) 56(84) bytes of data.
64 bytes from 192.168.144.124: icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from 192.168.144.124: icmp_seq=2 ttl=64 time=0.131 ms
[...]

OpenVZ version:

[root at testnode ~]# uname -a
Linux testnode 3.10.0-327.36.1.vz7.18.7 #1 SMP Tue Oct 11 15:39:22 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux

~~~~

Given the above, CT 2 should be able to connect to the outside world using CT 1 as gateway.  Trying to ping a host on the public internet from CT 2, however, proves unsuccessful:

CT-b9ea543c /# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7000ms

~~~~

Using iptraf-ng on the gateway (CT 1), I can see that ICMP packets come back from the remote host but then they get dropped somewhere instead of being forwarded back to CT 2:

ICMP echo req (84 bytes) from 192.168.144.125 to 8.8.8.8 on netif1
ICMP echo rply (84 bytes) from 8.8.8.8 to 192.168.144.125 on netif1

~~~~

What am I missing?

Thanks a lot,
Corrado Fiore
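
For readers working through the same kind of setup, the following is an added example (not code from the post's author or from the OpenVZ project) that audits an `iptables-save` dump for the three things a packet from the veth subnet must get past on the gateway CT: `net.ipv4.ip_forward`, a source-NAT rule in `nat POSTROUTING` for the outgoing interface, and a `filter FORWARD` chain that admits the flow in both directions. It does not claim to identify the cause of the problem in the post; it only makes the prerequisites checkable. The interface names `netif1`/`venet0`, the subnet and the SNAT rule are taken from the post; the two dumps, the function names `parse_dump`/`audit_gateway` and the least-privilege FORWARD rules are constructed for this example.

```python
"""Audit an iptables-save dump for what a small veth -> venet NAT gateway needs.

Added example, not the post author's or the OpenVZ project's code. The sample
dumps, parse_dump() and audit_gateway() are constructed for illustration.
"""

# Constructed sample 1: the SNAT rule from the post is present, but the filter
# table's FORWARD chain has a DROP policy and no rules, so nothing crossing
# netif1 <-> venet0 is admitted.
DUMP_SNAT_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample 2: same SNAT rule plus a least-privilege FORWARD chain:
# keep the DROP policy, admit only the LAN subnet towards venet0, and admit
# replies by connection state instead of by address.
DUMP_LEAST_PRIVILEGE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.144.0/24 -i netif1 -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o netif1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # "*nat" opens a table
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":") and current:    # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A") and current:   # an appended rule
            tables[current]["rules"].append(line)
    return tables


def has_opt(rule, flag, value):
    """True if the rule contains the token pair `flag value` (e.g. -o venet0)."""
    t = rule.split()
    return any(t[i] == flag and t[i + 1] == value for i in range(len(t) - 1))


def admits_established(rule):
    """True if the rule matches on conntrack/state including ESTABLISHED."""
    t = rule.split()
    return any(t[i] in ("--ctstate", "--state") and "ESTABLISHED" in t[i + 1]
               for i in range(len(t) - 1))


def audit_gateway(dump_text, lan_cidr, lan_if, wan_if, ip_forward):
    """Return a list of findings; empty means every prerequisite is present."""
    findings, tables = [], parse_dump(dump_text)

    if int(ip_forward) != 1:
        findings.append(f"net.ipv4.ip_forward=0: kernel will not route {lan_if} -> {wan_if}")

    nat_rules = tables.get("nat", {"rules": []})["rules"]
    if not any(r.startswith("-A POSTROUTING") and has_opt(r, "-o", wan_if)
               and (has_opt(r, "-j", "SNAT") or has_opt(r, "-j", "MASQUERADE"))
               for r in nat_rules):
        findings.append(f"no SNAT/MASQUERADE rule in nat POSTROUTING for -o {wan_if}")

    filt = tables.get("filter", {"policy": {}, "rules": []})
    policy = filt["policy"].get("FORWARD", "ACCEPT")
    fwd = [r for r in filt["rules"] if r.startswith("-A FORWARD")]
    if policy == "ACCEPT" and not fwd:
        # Traffic would pass, but for every source; flag it rather than pass silently.
        findings.append("filter FORWARD policy ACCEPT with no rules: forwarding is unrestricted")
    elif policy != "ACCEPT":
        outbound = any(has_opt(r, "-s", lan_cidr) and has_opt(r, "-o", wan_if)
                       and has_opt(r, "-j", "ACCEPT") for r in fwd)
        inbound = any(admits_established(r) and has_opt(r, "-o", lan_if)
                      and has_opt(r, "-j", "ACCEPT") for r in fwd)
        if not outbound:
            findings.append(f"filter FORWARD drops {lan_cidr} -> {wan_if}: add an ACCEPT for it")
        if not inbound:
            findings.append(f"filter FORWARD drops replies {wan_if} -> {lan_if}: "
                            "add an ACCEPT for RELATED,ESTABLISHED")
    return findings


if __name__ == "__main__":
    for name, dump in (("snat-only", DUMP_SNAT_ONLY), ("least-privilege", DUMP_LEAST_PRIVILEGE)):
        print(name, audit_gateway(dump, "192.168.144.0/24", "netif1", "venet0", 1) or "ok")
```

On a real gateway CT the dump would come from `iptables-save` and the sysctl value from `cat /proc/sys/net/ipv4/ip_forward`; the script is kept offline here so it runs on the embedded samples. The second dump is the shape to aim for: a DROP policy on FORWARD with one rule naming the exact subnet and interface pair that may originate flows, and one state-matching rule for replies, rather than an ACCEPT policy that forwards anything arriving on any interface.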

