SNAT inside CT?

NStorm

I have a proxmox 1.9 on a HN with 2 physical NICs. One container (CT) is set up. Both NICs are bridged via their own vmbr0 and vmbr1. Veth devices from the CT are also attached to these bridges. So I'm having 2 veth devices inside the CT. CT eth0->veth101.0->HN physical eth0, CT eth1->veth101.1->HN physical eth1, where eth0 is attached to the local net, eth1 to the internet. Both HN and CT have their interfaces working as intended. I can see both localnet and internet from CT and HN, routes are working (moreover, openvpn via internet works fine from the CT).
I want to set up a NAT router inside the CT to share its Internet connection with other clients on the localnet. Modules are loaded and /etc/vz/vz.conf has the following enabled:
Code:
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

ip_forward is turned on by default on HN/CT, all iptables chains are empty and the policies are set to ACCEPT. Inside the CT I add the following rule to NAT the localnet to the internet:

Code:
# iptables -t nat -R POSTROUTING 1 -s 192.168.X.0/24 -o eth1 -j SNAT --to-source 192.168.1.3

192.168.1.1 is my router to the internet, and it is set as default gateway on CT.
The client (192.168.X.55) has my CT eth0 ip set as default gateway. But it can't ping servers on the internet:

Code:
# tcpdump -vv -s 1600 -i eth1 icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1600 bytes
15:54:34.073018 IP (tos 0x0, ttl 128, id 61252, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.X.55 > google-public-dns-a.google.com: ICMP echo request, id 512, seq 14239, length 40

Chain POSTROUTING (policy ACCEPT 10 packets, 618 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      eth1    192.168.X.0/24      0.0.0.0/0           to:192.168.1.3

I.e. packets are routed to eth1, but no address translation takes place. Packets aren't processed by the SNAT rule. What am I doing wrong? How can I set up a NAT router inside a CT?
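A small diagnostic for exactly the symptom above, added here as an example and not code from the thread: it checks the IPTABLES= line of /etc/vz/vz.conf for the modules SNAT depends on and parses the `iptables -t nat -L POSTROUTING -v -n` counters, flagging SNAT/MASQUERADE rules that matched zero packets while the chain policy counter kept growing. The sample inputs are constructed from the listings in this post; the function names are this example's own.

```python
"""Why does an installed SNAT rule match nothing? Parse vz.conf and nat counters."""
import re
import shlex

# Modules the container needs before SNAT can work at all (OpenVZ-era names).
REQUIRED_NAT_MODULES = {"iptable_nat", "ip_conntrack"}
# Constructed sample of the IPTABLES= line from /etc/vz/vz.conf.
VZ_CONF = 'IPTABLES="iptable_filter ip_conntrack ipt_state iptable_nat ipt_REDIRECT"\n'
# Constructed sample: the thread's counters (policy saw 10 packets, the rule saw 0).
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 10 packets, 618 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.X.0/24      0.0.0.0/0           to:192.168.1.3
"""

def _count(s):
    """Parse an iptables -v counter, which may be abbreviated as 10K, 3M or 1G."""
    mult = {"K": 1000, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def missing_nat_modules(vz_conf_text):
    """Return the required modules absent from the IPTABLES= line of vz.conf."""
    m = re.search(r"^IPTABLES=(.*)$", vz_conf_text, re.M)
    if not m:
        return set(REQUIRED_NAT_MODULES)
    loaded = set(" ".join(shlex.split(m.group(1))).split())  # drop the quotes
    return REQUIRED_NAT_MODULES - loaded

def idle_snat_rules(listing):
    """Parse `iptables -t nat -L POSTROUTING -v -n` output and return
    (policy packet count, SNAT/MASQUERADE rules that matched nothing)."""
    lines = listing.splitlines()
    hdr = re.match(r"Chain \S+ \(policy \S+ (\S+) packets", lines[0])
    policy_pkts = _count(hdr.group(1))
    idle = []
    for line in lines[2:]:  # skip the chain header and the column header
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination [extra]
        if len(cols) >= 9 and cols[2] in ("SNAT", "MASQUERADE") and _count(cols[0]) == 0:
            idle.append({"target": cols[2], "out": cols[6], "src": cols[7], "extra": " ".join(cols[9:])})
    return policy_pkts, idle

def diagnose(vz_conf_text, listing):
    findings = [f"module missing from vz.conf IPTABLES=: {m}" for m in sorted(missing_nat_modules(vz_conf_text))]
    policy_pkts, idle = idle_snat_rules(listing)
    for r in idle:  # packets reached the chain but none were translated
        findings.append(f"{r['target']} {r['extra']} via {r['out']} for {r['src']} matched 0 of "
                        f"{policy_pkts} packets seen by the chain: rule is not being applied")
    return findings
```

Run `diagnose()` on the real files and listing; it cannot see the cause that was eventually found in this thread (a missing userland package), but it separates "module not enabled" from "rule present but never hit" in one pass.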
 
With:
iptables -t nat -R POSTROUTING ..
you need forward rules for your router, something like:
iptables -A FORWARD -s 192.168.X.0/24 -o eth1 -j ACCEPT
iptables -A FORWARD -d 192.168.X.0/24 -i eth1 -j ACCEPT
 
No, I don't. Because I have ACCEPT default policy for FORWARD table.

And "-R POSTROUTING 1" should be interpreted as "-A POSTROUTING"; it's just the first and only rule in the whole iptables.
 
Solved the issue myself. Not proxmox related, but it would probably be helpful to someone. I've fixed it by installing the policycoreutils package (and all deps) in the CT. It was based on the centos-6 template from openvz.org, which did not have this package installed by default. I noticed that while trying to save iptables rules via /etc/init.d/iptables save, which failed because it could not find 'restorecon'. As soon as I installed policycoreutils and rebooted, the POSTROUTING rule started working and NATing the localnet connection.
 