Hi all,
I'm experiencing an issue trying to use an OpenVZ container as default gateway.
Here is my config:
CT 101 :
- "Internal" IP : 192.168.142.10
- And an external IP.
All my tests from this container to the Internet are OK (ping, wget, ...).
Code:
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere my.public.ip.addr tcp dpt:smtp
ACCEPT tcp -- anywhere my.public.ip.addr tcp dpt:www
ACCEPT tcp -- anywhere my.public.ip.addr tcp dpt:https
ACCEPT tcp -- anywhere my.public.ip.addr tcp dpt:imaps
ACCEPT tcp -- anywhere my.public.ip.addr tcp dpt:2222
DROP tcp -- anywhere my.public.ip.addr tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere my.public.ip.addr
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere my.public.ip.addr tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere my.public.ip.addr tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
ACCEPT tcp -- anywhere 192.168.142.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.142.10 tcp dpt:8888
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Code:
$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere my.public.ip.addr tcp dpt:smtp to:192.168.142.13
DNAT tcp -- anywhere my.public.ip.addr tcp dpt:www to:192.168.142.12
DNAT tcp -- anywhere my.public.ip.addr tcp dpt:https to:192.168.142.12
DNAT tcp -- anywhere my.public.ip.addr tcp dpt:imaps to:192.168.142.13
DNAT tcp -- anywhere my.public.ip.addr tcp dpt:2222 to:192.168.142.11:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- !192.168.142.0/24 192.168.142.0/24 to:192.168.142.10
MASQUERADE all -- 192.168.142.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CT 102 :
- "Internal" IP : 192.168.142.11
I can ping and connect to CT 101 without problem.
Code:
$ grep -v '^#' /etc/rc.local
ip route change default via 192.168.142.10 dev venet0
Code:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/void
inet 127.0.0.1/32 scope host venet0
inet 192.168.142.11/32 scope global venet0:0
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.142.10 0.0.0.0 UG 0 0 0 venet0
Does somebody have an idea?
Best,
Alex
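Added example (editor's code, not part of Alex's post): a small Python simulation of how netfilter walks a filter chain, replaying constructed packets through an assumed `iptables -S` rendering of the posted FORWARD chain and through a corrected one. The posted chain logs and then drops everything that is forwarded, so CT 102's packets die inside CT 101 even though the POSTROUTING MASQUERADE rule is already in place; the corrected chain allows the 192.168.142.0/24 side out, replies back, and the services that PREROUTING DNATs to .11, .12 and .13, then keeps the log-and-drop tail. The packet addresses (198.51.100.1, 203.0.113.9) are documentation ranges chosen for the example, and the `-S` form of the chain is an assumption, since `iptables -L` without `-v` does not show interface matches.

```python
"""Simulate netfilter filter-chain traversal for 'iptables -S' style rules.

Added example, not from the original post: the posted FORWARD chain and a
corrected one are replayed against constructed packets to show why CT 102's
traffic never leaves CT 101 although the nat table already masquerades it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "all"            # "tcp", "udp", "icmp" or "all"
    dport: Optional[int] = None   # destination port, L4 protocols only
    state: str = "NEW"            # conntrack state as '-m state' sees it


def parse_rule(spec: str) -> dict:
    """Parse one '-A CHAIN ...' line into the matches this simulator supports
    (-s, -d, -p, --dport, -m state --state, -j). Other options are skipped."""
    tok = spec.split()
    r = {"chain": tok[1], "src": None, "dst": None, "proto": "all",
         "dport": None, "states": None, "target": None}
    i = 2
    while i < len(tok):
        t = tok[i]
        arg = tok[i + 1] if i + 1 < len(tok) else None
        if t == "-s":
            r["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-d":
            r["dst"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-p":
            r["proto"] = arg
        elif t == "--dport":
            r["dport"] = int(arg)
        elif t == "--state":
            r["states"] = set(arg.split(","))
        elif t == "-j":
            r["target"] = arg
        elif t != "-m":           # "-m state"/"-m tcp" carry no match themselves
            i += 1                # unknown option such as --log-level: skip it
            continue
        i += 2
    return r


def matches(r: dict, pkt: Packet) -> bool:
    """True if every match in the rule applies to the packet."""
    if r["src"] and ipaddress.ip_address(pkt.src) not in r["src"]:
        return False
    if r["dst"] and ipaddress.ip_address(pkt.dst) not in r["dst"]:
        return False
    if r["proto"] != "all" and r["proto"] != pkt.proto:
        return False
    if r["dport"] is not None and r["dport"] != pkt.dport:
        return False
    if r["states"] is not None and pkt.state not in r["states"]:
        return False
    return True


TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def verdict(rules: list[str], pkt: Packet, chain: str = "FORWARD") -> str:
    """First terminating target hit walking `chain` top to bottom. LOG and other
    non-terminating targets fall through; the -P policy applies at the end."""
    policy = "ACCEPT"
    for spec in rules:
        if spec.startswith(f"-P {chain} "):
            policy = spec.split()[2]
        elif spec.startswith(f"-A {chain} "):
            r = parse_rule(spec)
            if matches(r, pkt) and r["target"] in TERMINATING:
                return r["target"]
    return policy


# Assumed 'iptables -S FORWARD' rendering of the posted chain ('iptables -L'
# without -v hides -i/-o matches, so this is an assumption, not the post's output).
POSTED_FORWARD = [
    "-P FORWARD ACCEPT",
    "-A FORWARD -j LOG --log-level 4",
    "-A FORWARD -j DROP",      # drops everything forwarded, masqueraded or not
]

# Corrected chain: allow the LAN out, replies back, and the services the posted
# PREROUTING chain DNATs to .11/.12/.13, then keep the log-and-drop tail.
FIXED_FORWARD = [
    "-P FORWARD DROP",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.142.0/24 -j ACCEPT",
    "-A FORWARD -d 192.168.142.13 -p tcp --dport 25 -m state --state NEW -j ACCEPT",
    "-A FORWARD -d 192.168.142.12 -p tcp --dport 80 -m state --state NEW -j ACCEPT",
    "-A FORWARD -d 192.168.142.12 -p tcp --dport 443 -m state --state NEW -j ACCEPT",
    "-A FORWARD -d 192.168.142.13 -p tcp --dport 993 -m state --state NEW -j ACCEPT",
    "-A FORWARD -d 192.168.142.11 -p tcp --dport 22 -m state --state NEW -j ACCEPT",
    "-A FORWARD -j LOG --log-level 4",
    "-A FORWARD -j DROP",
]

# Constructed packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
EGRESS = Packet("192.168.142.11", "198.51.100.1", "tcp", 80, "NEW")      # CT 102 -> web
REPLY = Packet("198.51.100.1", "192.168.142.11", "tcp", 51234, "ESTABLISHED")
DNAT_SSH = Packet("203.0.113.9", "192.168.142.11", "tcp", 22, "NEW")    # after DNAT dpt:2222
STRAY = Packet("203.0.113.9", "192.168.142.12", "tcp", 3306, "NEW")     # nothing DNATs this


def demo() -> dict[str, tuple[str, str]]:
    """Return {name: (verdict under posted chain, verdict under fixed chain)}."""
    cases = [("egress", EGRESS), ("reply", REPLY), ("dnat_ssh", DNAT_SSH), ("stray", STRAY)]
    return {n: (verdict(POSTED_FORWARD, p), verdict(FIXED_FORWARD, p)) for n, p in cases}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:9s} posted={before:7s} fixed={after}")
```

Whatever chain you end up with, read it back with `iptables -S FORWARD` rather than `iptables -L`: `-L` hides `-i`/`-o` matches and can make a rule look unconditional when it is not. Also confirm that `sysctl net.ipv4.ip_forward` is 1 inside CT 101; without it, packets from CT 102 never reach the FORWARD chain at all.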