Difference between revisions of "Miscellaneous openVZ notes"

From Notes_Wiki
Revision as of 17:31, 15 November 2012

Miscellaneous openVZ notes

Enabling iptables conntrack modules in container

By default the iptables conntrack modules are not enabled for a container, so the 'state' match module does not work properly inside it. To enable use of the state module in a container run:

vzctl set <CID> --iptables iptable_filter --iptables ip_conntrack --save

Note that this requires the container to be stopped and then started again. The base machine must also have the connection tracking modules installed, and preferably already in use by the base machine's own firewall.


Source NAT for containers using base machine

Source NAT for containers can be done on the base machine to give a container LAN/Internet access without requiring an additional IP or exposing the container to the outside world. To NAT outgoing connections from the container, use:

# The translated source is the base machine's own address on the exit interface; no extra IP is needed.
iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <base-machine-IP>
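The following script is an added example, not part of the wiki page, covering both steps above: enabling conntrack for a container and adding the SNAT rule on the base machine. It validates the container ID, addresses and interface name before building any command, probes the NAT rule with -C so re-running it does not stack duplicate POSTROUTING entries, and checks that the host kernel actually has conntrack loaded. The ovz_* function names, the DRY_RUN switch and the sample values (container 101, 10.0.0.5, eth0, 203.0.113.10) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: wraps the two host-side steps above
# (enable conntrack for a container, SNAT its outbound traffic) with input
# checks. Function names (ovz_*), the DRY_RUN switch and the sample values in
# the usage section are assumptions for illustration.

# Accept a dotted-quad IPv4 address with every octet in 0-255.
ovz_is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept a container ID as vzctl expects it: a positive integer.
ovz_is_cid() {
    echo "$1" | grep -Eq '^[1-9][0-9]*$'
}

# Accept an interface name made of the characters ip/ifconfig normally use.
ovz_is_iface() {
    echo "$1" | grep -Eq '^[A-Za-z0-9_.:-]+$'
}

# Print a command instead of running it while DRY_RUN=1 (the default), so the
# example can be read and tested without root or an OpenVZ host present.
ovz_run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The container can only track connection state if the host kernel already
# has the conntrack module loaded (newer and older /proc entry names).
ovz_host_has_conntrack() {
    [ -e /proc/net/nf_conntrack ] || [ -e /proc/net/ip_conntrack ]
}

# Step 1: grant the container the filter table and conntrack, save the
# setting, then stop and start the container so it takes effect.
ovz_enable_conntrack() {
    cid=$1
    ovz_is_cid "$cid" || { echo "bad container ID: $cid" >&2; return 1; }
    ovz_run vzctl set "$cid" --iptables iptable_filter --iptables ip_conntrack --save
    ovz_run vzctl stop "$cid"
    ovz_run vzctl start "$cid"
}

# Step 2: SNAT traffic from one container's private /32 leaving the exit
# interface to the host's own address on that interface. The rule is probed
# with -C first so re-running the script does not stack duplicate entries.
ovz_add_snat() {
    ct_ip=$1 iface=$2 host_ip=$3
    ovz_is_ipv4 "$ct_ip" && ovz_is_ipv4 "$host_ip" && ovz_is_iface "$iface" \
        || { echo "bad SNAT arguments: $ct_ip $iface $host_ip" >&2; return 1; }
    spec="POSTROUTING -s $ct_ip/32 -o $iface -j SNAT --to-source $host_ip"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec"
    else
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec
    fi
}

# Usage with constructed sample values (DRY_RUN unset, so commands are printed).
ovz_host_has_conntrack || echo "warning: host has no conntrack entry in /proc/net" >&2
ovz_enable_conntrack 101
ovz_add_snat 10.0.0.5 eth0 203.0.113.10
```

Run it as root with DRY_RUN=0 to apply the commands; with the default DRY_RUN=1 it only prints them, which is the safe way to review what would change on the base machine. The -C/-I pairing matters because the page's plain `-I` inserts a fresh copy of the rule every time it is executed.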