[Users] IPtables and NAT issue w/ OpenVZ 7
Corrado Fiore
lists at corradofiore.it
Sun Oct 23 04:26:01 PDT 2016
Dear All,
on a newly prepared OpenVZ 7 node, I'm facing problems with iptables and NAT inside a CT. I applied the same configuration I used to set up on OpenVZ 6 containers but something must have changed.
I've got two CentOS 7 containers, hosted on the same HN:
CT 1
- venet with public IP (say, 1.2.3.4)
- veth, connected to the `network1` virtual network, IP 192.168.144.124
- netfilter set to "full" in the CT conf file
- net.ipv4.ip_forward set to "1" within the CT
- iptables rule "-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4" active
CT 2
- no venet
- veth, connected to `network1`, with IP 192.168.1.125
Routes on CT 2:
~~~~
CT-b9ea543c /# ip route
default via 192.168.144.124 dev netif1
169.254.0.0/16 dev netif1 scope link metric 1003
192.168.144.0/24 dev netif1 proto kernel scope link src 192.168.144.125
~~~~
Ping test:
~~~~
CT-8ac555a7 /# ping 192.168.144.125
PING 192.168.144.125 (192.168.144.125) 56(84) bytes of data.
64 bytes from 192.168.144.125: icmp_seq=1 ttl=64 time=0.128 ms
64 bytes from 192.168.144.125: icmp_seq=2 ttl=64 time=0.119 ms
[...]
CT-b9ea543c /# ping 192.168.144.124
PING 192.168.144.124 (192.168.144.124) 56(84) bytes of data.
64 bytes from 192.168.144.124: icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from 192.168.144.124: icmp_seq=2 ttl=64 time=0.131 ms
[...]
~~~~
OpenVZ version:
~~~~
[root at testnode ~]# uname -a
Linux testnode 3.10.0-327.36.1.vz7.18.7 #1 SMP Tue Oct 11 15:39:22 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
~~~~
Given the above, CT 2 should be able to connect to the outside world using CT1 as gateway. Trying to ping a host on the public internet from CT 2, however, proves unsuccessful:
~~~~
CT-b9ea543c /# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7000ms
~~~~
Using iptraf-ng on the gateway (CT 1), I can see that ICMP packets come back from the remote host but then they get dropped somewhere instead of being forwarded back to CT 2:
~~~~
ICMP echo req (84 bytes) from 192.168.144.125 to 8.8.8.8 on netif1
ICMP echo rply (84 bytes) from 8.8.8.8 to 192.168.144.125 on netif1
~~~~
What am I missing?
Thanks a lot,
Corrado Fiore
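An added example, not part of the post above and not OpenVZ project code: a small POSIX shell checker that reads an iptables-save dump and reports which of the pieces a Linux container acting as a NAT gateway needs are present (ip_forward enabled, a SNAT or MASQUERADE rule on the outbound interface, and a FORWARD chain that lets traffic through in both directions, either by policy or by explicit rules). The function names, the interface arguments (netif1 as the LAN side, venet0 as the WAN side) and both rule dumps are assumptions constructed for the example; the first dump mirrors only the SNAT rule the post says is active, the second adds FORWARD rules. Run it on a real node with `nat_gateway_report "$(iptables-save)" netif1 venet0 "$(cat /proc/sys/net/ipv4/ip_forward)"`.

```shell
#!/bin/sh
# Added example (not from the post): check an iptables-save dump for the
# pieces a NAT gateway needs. Interface names are matched literally; wildcard
# names such as "eth+" are not handled.

# Constructed sample dump: SNAT rule present, FORWARD policy DROP, no FORWARD rules.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample dump: same, plus explicit FORWARD rules for both directions.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i netif1 -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o netif1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# has_snat_rule DUMP WAN_IF: succeed if traffic leaving WAN_IF is source-NATed.
has_snat_rule() {
    printf '%s\n' "$1" | grep -Eq -e "^-A POSTROUTING .*-o $2 .*-j (SNAT|MASQUERADE)"
}

# forward_policy DUMP: print the FORWARD chain policy of the filter table.
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*/ { table = $1 }
        table == "*filter" && $1 == ":FORWARD" { print $2 }'
}

# has_forward_accept DUMP IN_IF OUT_IF: succeed if some FORWARD rule accepts
# IN_IF -> OUT_IF (a conntrack/state match in between is allowed).
has_forward_accept() {
    printf '%s\n' "$1" | grep -Eq -e "^-A FORWARD .*-i $2 .*-o $3 .*-j ACCEPT"
}

# nat_gateway_report DUMP LAN_IF WAN_IF IP_FORWARD: print what is missing,
# return 0 when the gateway has everything it needs and 1 otherwise.
nat_gateway_report() {
    dump=$1; lan=$2; wan=$3; ip_forward=$4; missing=0
    [ "$ip_forward" = 1 ] || {
        echo "net.ipv4.ip_forward is '$ip_forward', must be 1"; missing=1; }
    has_snat_rule "$dump" "$wan" || {
        echo "no SNAT/MASQUERADE rule for packets leaving $wan"; missing=1; }
    fwd_ok=0
    if [ "$(forward_policy "$dump")" = ACCEPT ]; then
        fwd_ok=1
    elif has_forward_accept "$dump" "$lan" "$wan" \
      && has_forward_accept "$dump" "$wan" "$lan"; then
        fwd_ok=1
    fi
    [ "$fwd_ok" = 1 ] || {
        echo "FORWARD policy is '$(forward_policy "$dump")' and explicit ACCEPT rules" \
             "for $lan -> $wan and $wan -> $lan are not both present"; missing=1; }
    return "$missing"
}

# Demo on the constructed dumps (guarded so a non-zero result is not fatal under set -e).
for dump in "$SAMPLE_RULES" "$FIXED_RULES"; do
    if nat_gateway_report "$dump" netif1 venet0 1; then
        echo "gateway ruleset complete"
    else
        echo "gateway ruleset incomplete"
    fi
done
```

With a DROP policy on FORWARD, the SNAT rule alone is not enough: the reply that conntrack has already rewritten back to the LAN address still has to be accepted by the FORWARD chain on its way to the inner container, which is exactly what the second dump's RELATED,ESTABLISHED rule expresses.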