Enable iptable NAT support on openvz vps

Written by sdx Thursday, 10 January 2013 13:55


[root@vps ]# iptables -t nat -nvL
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

To Enable NAT:
----------------------------
Step 1: Log in to the node server and check the vz configuration file to find out whether iptable_nat is enabled or not

[root@server ]# grep -i iptables /etc/vz/vz.conf
## IPv4 iptables kernel modules to be enabled in CTs by default
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_nat_ftp ipt_owner ipt_REDIRECT"
## IPv4 iptables kernel modules to be loaded by init.d/vz script
IPTABLES_MODULES="$IPTABLES"


Step 2: Add iptable_nat to the configuration file.

[root@server ]# vi /etc/vz/vz.conf

Insert 'iptable_nat' into the IPTABLES module list.

## IPv4 iptables kernel modules to be enabled in CTs by default
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"


Step 3: Check whether the NAT module is loaded:

[root@server ]# lsmod | grep nat
nf_nat_ftp              3523  0
nf_conntrack_ftp       12961  1 nf_nat_ftp
iptable_nat             6270  0
nf_nat                 23116  5 ipt_MASQUERADE,vzrst,ipt_REDIRECT,nf_nat_ftp,iptable_nat
nf_conntrack_ipv4       9914  3 iptable_nat,nf_nat
ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
nf_conntrack           80373  8 vzrst,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state


[root@vps47 ~]# lsmod|grep  ipt_MASQUERADE
ipt_MASQUERADE         35456  1
ip_nat                 53392  5 ipt_MASQUERADE,vzrst,ipt_REDIRECT,ip_nat_ftp,iptable_nat
x_tables               52616  19 ipt_MASQUERADE,xt_tcpudp,ipt_owner,ipt_REDIRECT,xt_conntrack,xt_state,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_LOG,ipt_TOS,ipt_tos,ipt_REJECT,iptable_nat,ip_tables,ip6_tables


Step 4: Now save the parameters for the VPS. The list given here replaces the container's existing --iptables setting, so pass every module the container needs in this one command (the vz.conf list above also carries ipt_owner and ipt_REDIRECT).

[root@server ]# vzctl set [VEID] --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

NOTE: VEID is the VPS ID; replace it with the correct one.

Step 5: Restart the VPS

[root@server ]# vzctl restart VEID

Step 6: Enter the VPS

[root@server ]# vzctl enter VEID

Step 7: Check for NAT

[root@vps ]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2 packets, 88 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target     prot opt in     out     source               destination


Test whether it works or not

  1. Run iptables -t nat -A POSTROUTING -j SNAT --to-source YOURVPSIP
  2. Run iptables-save