Virtual LAN with NAT/PAT for OpenVZ containers

By , 2009-10-13 21:07

This blog is running from an OpenVZ container on a server with a single public IP. There is no separate router; the eth0 interfaces is connected directly to the Internet. Therefore, I had to create a vlan with private IPs for my containers which would share the one public IP. Here’s how I did it.

/etc/network/interfaces

auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.254
gateway x.x.x.x
 
auto venet0:0
iface venet0:0 inet static
address 172.29.247.100
netmask 255.255.255.0

Note that the venet0 interface is created when installing OpenVZ. By default it has no IP. I assigned a static IP of 172.29.247.100 and netmask of 255.255.255.0 to allow space for a whole lot of containers. Now for the fun part, messing with iptables.

# NAT VM subnet (247) to external ip
/sbin/iptables -t nat -A POSTROUTING -s 172.29.247.0/24 -o eth0 -j SNAT --to x.x.x.x
 
# Allow all traffic for venet0 interface
/sbin/iptables -A INPUT -i venet0 -j ACCEPT
 
# ssh to containers
/sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 2222 -j DNAT --to 172.29.247.103:22
/sbin/iptables -I FORWARD -p tcp -d 172.29.247.103 --dport 2222
/sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 2223 -j DNAT --to 172.29.247.102:22
/sbin/iptables -I FORWARD -p tcp -d 172.29.247.102 --dport 2223

It may not be the optimal solution, but it works, it’s stable, and I’m quite proud of myself.

3 Responses to “Virtual LAN with NAT/PAT for OpenVZ containers”

  1. Fernando says:
    Google Chrome 43.0.2357.65 Google Chrome 43.0.2357.65 Mac OS X  10.10.1 Mac OS X 10.10.1
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

    Hello, I was wondering if you can help me with my opnevz setup. I have a similar situation where I have one public IP and have created 6 containers with private IPs.
    The containers can connect to the internet using SNAT. What I am trying to accomplish is making users for each container and give those users access to their own container. I am having trouble coming up with a way to do this. How can I give them access to their container if they have private IPs?

    • Matthieu says:
      Firefox 38.0 Firefox 38.0 Mac OS X  10.9 Mac OS X 10.9
      Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Firefox/38.0

      You can do it like I have with dnat:

      /sbin/iptables -t nat -I PREROUTING -p tcp -d x.x.x.x –dport 2222 -j DNAT –to 172.29.247.103:22

      This forwards port 2222 for the IP x.x.x.x on the host to the container at IP 172.29.247.103 port 22.

      • Fernando says:
        Safari 8.0 Safari 8.0 iPhone iOS 8.2 iPhone iOS 8.2
        Mozilla/5.0 (iPhone; CPU iPhone OS 8_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12D508 Safari/600.1.4

        Awesome! Thank you good sir. After some asking the system admin at school I was able to get the answer you’ve provided me with. It worked flawlessly.
        This should definitely help others in search of this information.
        Thank you again!

        For any future persons: using the example above you can then ssh into the machine by providing the port “2222” host Node’s IP/Hostname.

        This is what my iptables rule looks like: “-A PREROUTING -p tcp -d X.X.X.X –dport 22222 -i em1 -j DNAT –to-destination 192.168.1.101:22”

Leave a Reply to Fernando

 

Custom theme by me. Based on Panorama by Themocracy