I solved my problem: the default gateway of the HN was not changed. I installed the HN from a local repo with PXE and didn't see this bad interface config :)
Thanks for all answers :)

2009/12/20 Galia Lisovskaya <in...@shaggy-cat.ru>:
>> I'll post you my rules tomorrow when I have a look at it. So you can get your
>> containers to view sites on the same server?
>
>> I also have to forward different ports to get ssh access to the containers.
>> How can I IP-filter before it gets forwarded? Is it possible? It doesn't seem
>> to work. Maybe I have to run a VPN for the ssh connections instead?
>
> On my old OpenVZ server (I posted its config) everything works: MASQUERADE to
> the external (Internet) network for the containers (they may use yum/apt to
> install software from external repos, may use wget, send e-mails as an
> MTA, etc.), MASQUERADE for some other hosts (I use this HN as a gateway
> and wireless access point), working DNAT for ssh and other services for
> all containers (for example external 25 -> VE 25 for the MTA), proxying HTTP
> connections from the VE with DNATed port 80 to another VE (and sites on
> VEs in the external network open fine), but I want to make a production
> mass-reproduced server (with kickstart deployment and puppet management).
>
> This server is deployed and works, but I don't remember how I
> solved the SNAT troubles in the past (on the working server) :(
>
> You may read the iptables dump; maybe it solves your problem, because
> on my old Hardware Node (it's a dump of this node) everything works.
>
> Maybe the new node doesn't work because it has an internal IP, and the howto
> on the OpenVZ wiki is written for an external IP?
>
>
>> On 21/12/2009, at 1:14 AM, Galia Lisovskaya wrote:
>>
>>> On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
>>> to reverse proxy http connections for containers, and DNAT for other
>>> ports. Maybe you solve your problem when you read my iptables dump.
>>> XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 the IP of the nginx VE.
>>> As you see, I have rules to permit connections to this VE. It works,
>>> but I can't reproduce it :(
>>>
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *raw
>>> :PREROUTING ACCEPT [15756606:11159312833]
>>> :OUTPUT ACCEPT [83187:9939944]
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *nat
>>> :PREROUTING ACCEPT [460807:49066604]
>>> :POSTROUTING ACCEPT [2287:134871]
>>> :OUTPUT ACCEPT [1050:65159]
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
>>> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
>>> -A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
>>> -A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
>>> -A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *mangle
>>> :PREROUTING ACCEPT [15756617:11159313405]
>>> :INPUT ACCEPT [145636:35302709]
>>> :FORWARD ACCEPT [15611902:11124135311]
>>> :OUTPUT ACCEPT [83199:9941544]
>>> :POSTROUTING ACCEPT [15695095:11134076551]
>>> -A PREROUTING -i br0 -j MARK --set-mark 0x9
>>> -A PREROUTING -i wlan0 -j MARK --set-mark 0x9
>>> -A PREROUTING -i venet0 -j MARK --set-mark 0x9
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [83202:9942132]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
>>> -A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -d 255.255.255.255 -j ACCEPT
>>> -A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 25 -j DROP
>>> -A FORWARD -o eth0 -j ACCEPT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>>
>>>
>>> 2009/12/20 Dan Rossi <electrote...@gmail.com>:
>>>> Hey, I am also having NAT issues. For instance I'm routing port 80 to squid,
>>>> which reverse proxies to instances. However, when I tried to get instances
>>>> to view sites on the same server, it's not going directly out and back in,
>>>> if you know what I mean; it gets directed through squid, but squid isn't
>>>> set up for proxying a connection for the containers! What do I do here? I
>>>> get failed connections. The containers are able to access external
>>>> sites though.
>>>
>>> --
>>> Galina Lisovskaya
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users@openvz.org
>>> https://openvz.org/mailman/listinfo/users
>>
>
> --
> Galina Lisovskaya

--
Galina Lisovskaya
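An added example, not from the thread or from OpenVZ: a small Python audit of an iptables-save nat table in the format quoted above. iptables applies the first matching rule, so a second PREROUTING DNAT for the same protocol and external port never fires; the script lists such dead rules as 'duplicate' when they repeat the earlier destination and 'shadowed' when they point at a different VE. The embedded dump is a constructed excerpt modelled on the quoted one; XX.XX.XX.XX stands for the external address, as in the original.

```python
import re

# Constructed iptables-save excerpt modelled on the nat table quoted in the thread; XX.XX.XX.XX
# stands for the hardware node's external address, as in the original dump.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
"""

# One DNAT port forward: protocol, external port and the VE address it is sent to.
DNAT_RE = re.compile(
    r"^-A PREROUTING .*?-p (?P<proto>tcp|udp) .*?--dport (?P<port>\d+) "
    r"-j DNAT --to-destination (?P<dest>\S+)$")


def parse_dnat_rules(dump):
    """Return (proto, external_port, destination) for every nat PREROUTING DNAT rule, in order."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter", ...: start of a table
            table = line[1:]
            continue
        if table == "nat":
            m = DNAT_RE.match(line)
            if m:
                rules.append((m["proto"], int(m["port"]), m["dest"]))
    return rules


def audit_forwards(rules):
    """iptables stops at the first matching rule, so a later DNAT for the same proto/port
    never fires: 'duplicate' if it repeats the first destination, 'shadowed' if it differs."""
    first_dest, findings = {}, []
    for proto, port, dest in rules:
        key = (proto, port)
        if key not in first_dest:
            first_dest[key] = dest
        else:
            kind = "duplicate" if first_dest[key] == dest else "shadowed"
            findings.append((kind, proto, port, dest, first_dest[key]))
    return findings
```

Fed the full dump quoted above (with the quote marks stripped), it reports the --dport 7980 rule for 10.0.7.2:80 as shadowed by the earlier 10.0.7.9:80 mapping, and the repeated 7222, 7822 and third 7980 rules as duplicates.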