Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


NAT not available inside OpenVZ VM
New on LowEndTalk? Please Register and read our Community Rules.

NAT not available inside OpenVZ VM

elwebmasterelwebmaster Member
edited May 2014 in Help

Host:
CentOS 6
Linux atom 2.6.32-042stab088.4 #1 SMP Thu Apr 3 17:41:05 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux

lsmod | grep nat

nf_nat_ftp 3523 0
nf_conntrack_ftp 12929 1 nf_nat_ftp
iptable_nat 6302 0
nf_nat 23213 4 vzrst,nf_nat_ftp,ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4 9946 3 iptable_nat,nf_nat
nf_conntrack 80281 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,xt_state,xt_helper,iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter

vz.conf:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT iptable_nat ip_conntrack ipt_REDIRECT ipt_helper ipt_LOG ipt_state ip_tables ip_conntrack_ftp ip_nat_ftp"

102.conf:
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp "

VM:
**Debian 5
**Linux testvm 2.6.32-042stab088.4 #1 SMP Thu Apr 3 17:41:05 MSK 2014 i686 GNU/Linux

iptables -L -t nat

iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

What am I doing wrong? I want NAT to be available inside the VM.

Comments

  • @Jack said:
    Modprobe?

    For which module? On HOST or on VM?

  • Enable modprobe on the host.

  • elwebmasterelwebmaster Member
    edited May 2014

    @Jack said:
    On the host as you won't be able to in VM.

    Have you modprobe'd anything?

    I tried modprobing iptable_nat & restarting VM but no difference. I should note that iptables -L -t nat executes fine on the host. I wonder if the issue is a 64bit host vs. 32bit VM?

  • edited May 2014

    Have you rebooted the hosts after adding modules?

    This is the example of my enabled modules, in /etc/sysconfig/modules/enabled.modules

    #!/bin/bash
    modprobe tun
    modprobe dm_crypt
    modprobe ppp-compress-18
    modprobe ppp_mppe
    modprobe ppp_deflate
    modprobe ppp_async
    modprobe pppoatm
    modprobe ppp_generic
    modprobe nf_nat_ftp
    modprobe nf_conntrack_ftp
    modprobe nf_nat
    modprobe nf_conntrack_ipv4
    modprobe nf_conntrack
    modprobe nat
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe iptables_module
    modprobe ipt_helper
    modprobe ipt_REDIRECT
    modprobe ipt_TCPMSS
    modprobe ipt_LOG
    modprobe ipt_TOS
    modprobe iptable_nat
    modprobe ipt_length
    modprobe ipt_tcpmss
    modprobe iptable_mangle
    modprobe ipt_tos
    modprobe iptable_filter
    modprobe ipt_ttl
    modprobe ipt_SAME
    modprobe ipt_REJECT
    modprobe ipt_owner
    modprobe ipt_MASQUERADE
    modprobe ipt_multiport/xt_multiport
    modprobe ipt_state/xt_state
    modprobe ipt_limit/xt_limit
    modprobe ipt_recent
    modprobe xt_connlimit
    modprobe ipt_owner/xt_owner
    modprobe iptable_nat/ipt_DNAT
    modprobe iptable_nat/ipt_REDIRECT
    
  • Tried creating the above file but no luck. What OS are you guys using as host?

  • jarjar Provider
    edited May 2014

    Check recent changes in vzctl.

    http://openvz.org/Man/vzctl.8#Netfilter_.28iptables.29_control_parameters

    vzctl set CTID --netfilter full --save

    Thanked by 2Magiobiwan ryanarp

    "Note that Romania has laws agains all the illegal activities just like US, including copyright. Is not the Dracula's country or no man's land as you thought." - Random email from someone I don't know, about nothing I've done or said

  • bpsRobertbpsRobert Member
    edited May 2014

    are you using nat and masquerade in the same iptables command? masquerade is not useable in openVZ yet.. you have to use an alternative, like DNAT...

    iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination container.ip

    http://forum.openvz.org/index.php?t=msg&goto=8117

    bpsnode.com - Premium Cloud Servers

  • jarland said: vzctl set CTID --netfilter full --save

    THANK YOU! This fixed it! Now time to register summerhost.us and post an offer :) just kidding

    Thanked by 1Scion
  • rds100rds100 Member

    said: VM: **Debian 5

    Really? Go debian 7, it's 2014.

    -

  • FIRST it was Ploop. NOW it's iptables/netfilter. WHEN will they learn to INFORM PEOPLE WHEN MAKING THESE SORTS OF CHANGES?

    Thanked by 1jar
    BlueVM | Best VPS Deals [~] 1GBPS, RAID-10, OpenVZ/KVM, 8 locations. [~] Feathur VPS Control Panel!
  • ryanarpryanarp Member, Provider

    Magiobiwan said: INFORM PEOPLE WHEN MAKING THESE SORTS OF CHANGES?

    Yea thing that makes this most frustrating is they don't even push out a error, you can run all the same steps you might have in the previous version with --iptables. It just acts like it accepts it, but no worky. I finally found this in my own searches last week. A simple hey this is depreciated or obsolete when trying to use --iptables would have been nice.

    Thanked by 2Magiobiwan jar
  • seansean Member

    I too am quite worried about the number of unwanted changes creeping into the repo they are running for an enterprise distribution (CentOS). Things like this should NOT be changing as it caused us all sorts of issues!!

  • ryanarpryanarp Member, Provider
    edited May 2014

    sean said: Things like this should NOT be changing as it caused us all sorts of issues!!

    .....or you and everyone else (including myself) could keep up with the industry and read the change logs. It is never a good idea to update production environments with software that you have not taken the time to read about potential changes that go beyond bug fixes.

  • @ryanarp said:
    .....or you and everyone else (including myself) could keep up with the industry and read the change logs. It is never a good idea to update production environments with software that you have not taken the time to read about potential changes that go beyond bug fixes.

    What about all the guides written on the topic which become invalid?

  • ryanarpryanarp Member, Provider

    elwebmaster said: What about all the guides written on the topic which become invalid?

    That is why they make revisions to guides. Sometimes they take a while to get developed, however they are generally updated.

Sign In or Register to comment.