
I have been trying for days to solve my NAT issue with OpenVZ. I have used the guide on their website/wiki; however, I just seem to be unable to get it to work.

My Linux box is running CentOS 6 (64-bit), in my own home. My router's default traffic route is set to my Linux box at 192.168.1.90 (therefore ALL traffic, unless said otherwise in port forwarding, is sent to and received from 192.168.1.90). This works just fine on the host node. I tested with Teamspeak 3 and Apache on the default ports. They both worked just fine and were accessible from the outside (port 80 was not in use / could not be used because of the ISP). However, whenever I create a slave node, this suddenly turns into hell.

After setting the nameservers, I can ping, resolve hostnames and do everything I would do as a client; however, I am unable to host anything that can be accessed from the outside. Let's take Apache again: I can access it on 192.168.1.91 from within the network, but not from the outside, even if I add a port-forward entry in my router pointing to .91 instead of the default .90. No luck. In OpenVZ's guide, as linked earlier, I did all the steps and checked twice, all fine, and went down to "Access from internet to container". My config/iptables is as follows:

# Rewrite inbound HTTP arriving on the public address so it goes to the container
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 46.32.xx.xxx --dport 80 \
    -j DNAT --to-destination 192.168.1.91:80
# Rewrite the container's outbound traffic so it leaves with the public address
iptables -t nat -A POSTROUTING -s 192.168.1.91 -o eth0 -j SNAT --to-source 46.32.xx.xxx

I tried with and without the last line, as that is supposed to direct traffic from inside to outside, which works fine. I am unable to visit my website on both port 80 and port 8081 (I tried changing --dport in the first line to 8081).

On canyouseeme.org I tried to look up these ports. On the host node it worked fine when Apache was running, but on the slave node with this iptables config it gives "No route to host". Without it, it just gives "Connection refused".

My full iptables rule list, without the rules stated above, is as follows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
user1622951

1 Answer


I guess the problem is not in your host; it is in your container. Maybe there is no default route in it. Try:

ip route

and make sure that there is a default route rule.

  • While I appreciate your answer, my problem was actually that I blindly added some sysctl rules that were only supposed to be added on Ubuntu/Debian. After removing those and running sysctl -p, everything worked just fine. I upvoted your answer, however :) – user1622951 May 31 '15 at 00:02
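As an added example (not code from the original post, the answer, or the OpenVZ wiki), the POSIX shell script below generates the host-side rules for the setup described in the question and bundles the two checks a practitioner would run before touching the nat table: whether the host's FORWARD chain rejects everything before DNAT'd packets can reach the container (the chain shown in the question consists of a single catch-all REJECT with icmp-host-prohibited, which a remote client reports as "No route to host"), and whether the container has a default route, as the answer suggests checking with ip route. The public address 203.0.113.10, the interface eth0, the port 80 and the sample command outputs are placeholders constructed for this example, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenVZ wiki.
# Host-side NAT for a service inside an OpenVZ container, plus the two
# checks worth running before adding nat rules. Placeholders (assumed,
# not from the post): public IP 203.0.113.10, interface eth0, port 80.

# Emit the commands that let the internet reach $3/tcp on container $2
# via public address $1 on interface $4. The FORWARD rules are inserted
# at the top of the chain so a trailing catch-all REJECT cannot win, and
# forwarding is switched on because DNAT alone never forwards anything.
nat_rules() {
    wan_ip=$1; ct_ip=$2; port=$3; wan_if=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $ct_ip:$port
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -d $ct_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $ct_ip -o $wan_if -j SNAT --to-source $wan_ip
EOF
}

# Run the generated commands; needs root on the host node.
apply_nat_rules() {
    nat_rules "$@" | sh -e
}

# Check 1: read `iptables -S FORWARD` on stdin; succeed (exit 0) when the
# first rule is a catch-all REJECT or DROP, which discards every DNAT'd
# packet on its way to the container. The client then sees "No route to
# host" for icmp-host-prohibited, or a timeout for DROP.
forward_blocks_all() {
    awk '
        /^-A FORWARD/ && !seen {
            seen = 1
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /-[sdpio] /) blocks = 1
        }
        END { exit blocks ? 0 : 1 }
    '
}

# Check 2: read `ip route` (run inside the container) on stdin; succeed
# when a default route is present.
has_default_route() {
    grep -q '^default'
}

# Constructed sample outputs so the checks can be tried offline.
BROKEN_FORWARD='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

FIXED_FORWARD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.91/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

CT_ROUTES_OK='192.168.1.0/24 dev venet0 scope link src 192.168.1.91
default via 192.168.1.90 dev venet0'

CT_ROUTES_MISSING='192.168.1.0/24 dev venet0 scope link src 192.168.1.91'

# Usage: ./nat.sh show   (print the rules)   |   ./nat.sh apply   (install them)
case "${1:-}" in
    show)  nat_rules 203.0.113.10 192.168.1.91 80 eth0 ;;
    apply) apply_nat_rules 203.0.113.10 192.168.1.91 80 eth0 ;;
esac
```

Run the two checks against live output with `iptables -S FORWARD | forward_blocks_all` on the host and `vzctl exec <ctid> ip route | has_default_route` from the host; a true result from the first, or a false result from the second, explains an unreachable container before any DNAT rule is at fault. The SNAT line is only needed for the container's own outbound traffic; inbound connections that were DNAT'd are un-NATed by conntrack on the way back without it.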