openvz iptables DNAT

cedric

Dec 10, 2009
Hello,

I have a question.

I converted a physical machine to a virtual OpenVZ / Proxmox one and it works fine - thanks to the Proxmox team!

But on the virtual OpenVZ machine my iptables rule does not seem to work.
I explain what I want to do:
redirect the TCP traffic on port 22000 to another machine (192.168.151.100) on the LAN:
iptables -A PREROUTING -t nat -p tcp --dport 22000 -j DNAT --to 192.168.151.100:22

This rule works fine on my physical machine but not on this virtualized machine.

On the destination machine (192.168.151.100) I don't see anything coming in on port 22000 (with tcpdump).

My proxmox version is : 2.6.24-8-pve #1 SMP PREEMPT Fri Oct 16 11:17:55 CEST 2009 x86_64 GNU/Linux
My virtual OpenVZ machine is CentOS 4.6.

I already put in /etc/vz/vz.conf:
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

and the same in the file /etc/vz/conf/104.conf

Can you explain to me what I've done wrong?

Thanks

ced
 
You didn't mention you did this, but did you stop the VM's on the host and then restart vz (/etc/init.d/vz restart) after adding the IPTABLES statement?
 
Hello Bleau,

Yes, I rebooted the virtual machine and the hardware, but no changes.

Can the problem be with the interfaces used?
I explain:
On the physical machine I have my network interfaces:
eth1 : with no IP assigned, but
vmbr1 : with the LAN IP (192.168.151.50)

On the virtual machine I have:
venet0 : 127.0.0.1
venet0:0 : with the LAN IP (192.168.151.200)

Is iptables not working with vmbr1/venet0?
Perhaps it is necessary to have a real eth1 in the virtual machine?

Thanks
ced
 
Hello again,

Another piece of information:

I tried the same operation on VMware: iptables works fine on it,
but I have the interfaces bridged!
So the virtual machine sees a "real" eth1 on it.
Is that perhaps the problem?

ced
 
I tried the same operation on VMware: iptables works fine on it,
but I have the interfaces bridged!
So the virtual machine sees a "real" eth1 on it.
Is that perhaps the problem?

Various people already reported problems using NAT inside OpenVZ - maybe you can use a KVM guest instead - just test.
 
Thanks for your reply.

But I need to use OpenVZ because of the memory and disk space "sharing".

I continue my tests on OpenVZ for now.

One piece of information:
With bridged network interfaces (veth) on the OpenVZ machine:
I can now see the outgoing and incoming TCP packets, but that's all.
I can't use the program behind the DNATed port.

I continue testing...

ced
 
Thanks all for your replies.

I found the problem.

It was just a MASQUERADE problem.
I needed to add ipt_MASQUERADE in vz.conf
and then I could add MASQUERADE iptables rules in the virtual machine!

Thanks to the Proxmox team for their great job!

ced
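Putting the thread's DNAT rule and its MASQUERADE fix together, here is an added example that is not from the forum posts or from Proxmox: a POSIX shell script that emits (or, with DRY_RUN=0, applies) the nat PREROUTING DNAT rule, the POSTROUTING MASQUERADE rule that makes the LAN host's replies travel back through the container instead of straight to the client, and matching FORWARD rules, plus a check of a vz.conf IPTABLES= line for the modules DNAT and MASQUERADE need. The addresses and ports are the ones from the thread; the FORWARD rules, the function names and the module list checked are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): DNAT port forward from an OpenVZ container
# to a LAN host, with the POSTROUTING MASQUERADE rule the thread found necessary.

CT_IP=192.168.151.200      # container's venet0:0 address (from the thread)
DST=192.168.151.100        # LAN host that should receive the forwarded traffic
FWD_PORT=22000             # port clients connect to on the container
DST_PORT=22                # port on the LAN host

# Print rules instead of applying them unless DRY_RUN=0, so the script is
# safe to run anywhere and the generated rules can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

forward_rules() {
    # Rewrite the destination of new connections arriving on $FWD_PORT.
    ipt -t nat -A PREROUTING -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$DST:$DST_PORT"
    # Without this, $DST answers the client directly from its own address; the
    # client expected the reply from $CT_IP:$FWD_PORT and discards it. MASQUERADE
    # makes $DST see the container as the source, so replies come back through it.
    ipt -t nat -A POSTROUTING -p tcp -d "$DST" --dport "$DST_PORT" -j MASQUERADE
    # Let the forwarded flow through the FORWARD chain in both directions
    # (assumed rules; only needed if FORWARD does not already accept them).
    ipt -A FORWARD -p tcp -d "$DST" --dport "$DST_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -p tcp -s "$DST" --sport "$DST_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check a vz.conf-style IPTABLES="..." line for the modules the rules above
# depend on (assumed minimal set). Prints the missing names; returns 0 when
# nothing is missing.
check_vz_modules() {
    line=$(printf '%s' "$1" | sed 's/^IPTABLES=//' | tr -d '"')
    missing=""
    for m in iptable_nat ip_conntrack ipt_state ipt_MASQUERADE; do
        case " $line " in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# The IPTABLES line as posted in the thread, and the same line with the fix.
ORIG_LINE='IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"'
FIXED_LINE='IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_MASQUERADE"'

# Show the generated rule set when run directly.
forward_rules
```

Run it as-is to review the rules; run with DRY_RUN=0 inside the container to apply them. After changing the IPTABLES line in vz.conf or the CT's conf file, the container has to be restarted for the new module list to take effect, as the thread notes.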