Virtual LAN with NAT/PAT for OpenVZ containers
This blog is running from an OpenVZ container on a server with a single public IP. There is no separate router; the eth0 interface is connected directly to the Internet. Therefore, I had to create a VLAN with private IPs for my containers, which share the one public IP. Here’s how I did it.
/etc/network/interfaces
auto eth0
iface eth0 inet static
    address x.x.x.x
    netmask 255.255.255.254
    gateway x.x.x.x

auto venet0:0
iface venet0:0 inet static
    address 172.29.247.100
    netmask 255.255.255.0
Note that the venet0 interface is created when installing OpenVZ. By default it has no IP. I assigned a static IP of 172.29.247.100 and netmask of 255.255.255.0 to allow space for a whole lot of containers. Now for the fun part, messing with iptables.
# NAT VM subnet (247) to external ip
/sbin/iptables -t nat -A POSTROUTING -s 172.29.247.0/24 -o eth0 -j SNAT --to x.x.x.x
# Allow all traffic for venet0 interface
/sbin/iptables -A INPUT -i venet0 -j ACCEPT
# ssh to containers: DNAT the public port to the container, then accept the
# forwarded packet. FORWARD sees the packet after PREROUTING has rewritten it,
# so the FORWARD match must use the container's port 22 (not the public port)
# and the rule needs an ACCEPT target.
/sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 2222 -j DNAT --to 172.29.247.103:22
/sbin/iptables -I FORWARD -p tcp -d 172.29.247.103 --dport 22 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 2223 -j DNAT --to 172.29.247.102:22
/sbin/iptables -I FORWARD -p tcp -d 172.29.247.102 --dport 22 -j ACCEPT
It may not be the optimal solution, but it works, it’s stable, and I’m quite proud of myself.
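To keep the SNAT and per-container DNAT rules consistent as containers are added, here is an added example script (not from the original post) that generates the host-side rules from a small port map and, unlike the hand-written rules, restricts FORWARD to DNATed connections and their return traffic. It assumes the public IP in PUBLIC_IP (placeholder x.x.x.x), the container subnet 172.29.247.0/24 on venet0, and eth0 as the uplink; the port map is constructed sample data.

```shell
#!/bin/sh
# Added example, not the post's own script: emit the NAT/PAT rules for a list
# of containers. Prints the commands by default; APPLY=1 executes them (as root).
PUBLIC_IP="${PUBLIC_IP:-x.x.x.x}"   # placeholder for the host's public address
IPT="${IPT:-/sbin/iptables}"
CT_NET="172.29.247.0/24"            # container subnet behind venet0

# Constructed map: "external_port container_ip", one mapping per line.
PORT_MAP="2222 172.29.247.103
2223 172.29.247.102"

# Base rules: SNAT the container subnet to the public IP, allow host<->container
# traffic on venet0, and forward only replies to already-accepted connections.
base_rules() {
    printf '%s\n' \
        "$IPT -t nat -A POSTROUTING -s $CT_NET -o eth0 -j SNAT --to $PUBLIC_IP" \
        "$IPT -A INPUT -i venet0 -j ACCEPT" \
        "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# One port forward. FORWARD runs after PREROUTING has rewritten the packet, so
# the accept rule matches the container address and port, not the public port.
dnat_rules() {  # $1 = external port, $2 = container IP, $3 = container port
    printf '%s\n' \
        "$IPT -t nat -A PREROUTING -p tcp -d $PUBLIC_IP --dport $1 -j DNAT --to $2:$3" \
        "$IPT -A FORWARD -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# Full rule set: base rules plus one DNAT pair per line of PORT_MAP (SSH, port 22).
all_rules() {
    base_rules
    printf '%s\n' "$PORT_MAP" | while read -r port ip; do
        [ -n "$port" ] && dnat_rules "$port" "$ip" 22
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh -e      # apply on the host node
else
    all_rules              # dry run: show the rules that would be applied
fi
```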
Hello, I was wondering if you can help me with my OpenVZ setup. I have a similar situation where I have one public IP and have created 6 containers with private IPs.
The containers can connect to the internet using SNAT. What I am trying to accomplish is creating users for each container and giving those users access to their own container. I am having trouble coming up with a way to do this. How can I give them access to their container if they have private IPs?
You can do it like I have with DNAT:
/sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 2222 -j DNAT --to 172.29.247.103:22
This forwards port 2222 for the IP x.x.x.x on the host to the container at IP 172.29.247.103 port 22.
Awesome! Thank you, good sir. After asking the system admin at school, I was able to get the answer you’ve provided me with. It worked flawlessly.
This should definitely help others in search of this information.
Thank you again!
For any future persons: using the example above, you can then ssh into the machine by providing the port “2222” and the host node’s IP/hostname.
This is what my iptables rule looks like: “-A PREROUTING -p tcp -d X.X.X.X --dport 22222 -i em1 -j DNAT --to-destination 192.168.1.101:22”