Routing Multiple Public IPs to internal subnets


I have been assigned a /29 block of IPs for a dedicated server I rent. I want to be able to keep one of these IPs for managing the server itself, and forward each of the rest to its own internal subnet, so that multiple OpenVZ containers can share public IPs.

For instance, I might have two web servers and two file servers in 4 containers. These are not the actual services that will be running, but for ease of example I will use them. I want one of my public IPs (XX.XX.XX.2) to point to the two containers on the 192.168.2.0/24 subnet, and the other public IP (XX.XX.XX.3) to point to the containers in the 192.158.3.0/24 subnet. Communication between the subnets is not required, but each container must be able to access the web.

I have tried using source-based routing as described here and NAT as described on the OpenVZ wiki here, without success. The host is running CentOS 6, and each VM is running Debian 7, if that makes a difference.

Adam Dodman

Posted 2015-06-16T11:38:44.333

Reputation: 23

Can you pls detail what you mean by without success? What is failing? Error messages? – MariusMatutiae – 2015-06-16T11:50:46.620

No errors per se, but just no internet connection on the VMs - can't ping anything past the host node, by address or IP, and traceroutes fail at the host node. Nameservers are correct - using Google public DNS for testing. – Adam Dodman – 2015-06-16T12:41:06.193

Pls post the output of ip addr show and of ip route show, thanks. – MariusMatutiae – 2015-06-16T13:51:18.747

Too long for a comment, so uploaded to pastebin here – Adam Dodman – 2015-06-16T14:17:10.713

From the ip addr show output, 216.126.193.235 and 216.126.193.236 seem to have incorrect masks – Silvio Massina – 2015-06-16T14:26:20.397

I'm presuming the masks have to be changed to /29. How would I go about doing this? – Adam Dodman – 2015-06-16T14:33:38.180

Can you ping any of the containers from the host, right now? – MariusMatutiae – 2015-06-16T15:33:15.657

Yes, the host can ping the containers and the containers can ping the host. – Adam Dodman – 2015-06-16T15:43:38.687

@Adam: I suppose you set them with ifconfig. Use ifconfig eth0:0 216.126.193.235 netmask 255.255.255.248 (and repeat for eth0:1) – Silvio Massina – 2015-06-17T08:30:37.573

Answers


  1. Set up your OpenVZ containers to use bridged networking (using veth interfaces).

  2. Create a bridge for each of the internal networks you want to connect your containers to (in your case two bridges, one for 192.168.2.0/24 and one for 192.168.3.0/24; let's call them br2 and br3).

  3. Give each bridge an IP address on the correct network (for example, br2 could be 192.168.2.1 and br3 192.168.3.1).

  4. Configure the containers, connecting them to their respective bridges.

    For example, connect to br2 the containers that should reside on network 192.168.2.0/24 (let's say they are CT1 and CT2) and to br3 the ones that you want on 192.168.3.0/24 (let's say they are CT3 and CT4).

  5. Give each container an IP address on the same network as the bridge it is connected to. Set the IP address of the bridge as the default gateway.

    For example: CT1 and CT2 with IPs 192.168.2.101 and 192.168.2.102. Their gateway will be 192.168.2.1 (the IP address of br2).

  6. Enable IP forwarding on the physical host.

  7. Configure all the public IPs on the physical host's interface connected to the Internet (let's say it's eth0), with the correct subnet mask.

  8. Configure NAT for your CTs as follows:

    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to first.public.ip.address
    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to second.public.ip.address

Silvio Massina

Posted 2015-06-16T11:38:44.333

Reputation: 434
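As an added illustration of the host-side part of this answer (not Silvio's own commands): a POSIX sh script that prints the commands for steps 2, 3, 6, 7 and 8 so they can be reviewed before running them as root with DRY_RUN=0, and that checks an `ip addr show` dump for public addresses carrying the wrong prefix length, the fault spotted in the comments. It assumes eth0 is the public interface and uses the documentation range 203.0.113.0/29 as a constructed stand-in for the real /29.

```shell
#!/bin/sh
# Added example, not Silvio's commands. Prints (DRY_RUN=1, default) or runs (DRY_RUN=0, as root)
# the host-side configuration from steps 2, 3, 6, 7 and 8, and checks an `ip addr show`
# dump for public addresses with the wrong prefix length, the fault spotted in the comments.
# Assumptions: public NIC eth0; 203.0.113.0/29 (documentation range) stands in for the real /29.
DRY_RUN=${DRY_RUN:-1}
PUB_IF=eth0
PUB_PREFIX=29
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 2-3: one bridge per internal subnet, carrying the gateway address the CTs will use.
bridge_up() {
    run ip link add "$1" type bridge
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}

# Step 7: secondary public address on eth0 with the correct /29 mask.
public_addr_add() {
    run ip addr add "$1/$PUB_PREFIX" dev "$PUB_IF"
}

# Step 8: SNAT rule mapping one internal subnet to one public IP (printed as a single line).
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$1" "$PUB_IF" "$2"
}

# Check from the comments: given `ip addr show` on stdin, print every address in the public
# block (prefix string such as 203.0.113.) whose prefix length is not $PUB_PREFIX.
wrong_masks() {
    awk -v blk="$1" -v want="$PUB_PREFIX" '
        $1 == "inet" && index($2, blk) == 1 { split($2, a, "/"); if (a[2] != want) print $2 }'
}
# Constructed sample of the kind of dump pasted in the comments: .2 and .3 carry wrong masks.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 203.0.113.1/29 brd 203.0.113.7 scope global eth0
    inet 203.0.113.2/32 scope global eth0:0
    inet 203.0.113.3/24 scope global eth0:1'
printf '%s\n' "$SAMPLE" | wrong_masks 203.0.113.
bridge_up br2 192.168.2.1/24
bridge_up br3 192.168.3.1/24
run sysctl -w net.ipv4.ip_forward=1   # step 6
public_addr_add 203.0.113.2
public_addr_add 203.0.113.3
run $(snat_rule 192.168.2.0/24 203.0.113.2)
run $(snat_rule 192.168.3.0/24 203.0.113.3)
```

Container-side steps 1, 4 and 5 (veth interfaces, bridge membership and the CT's gateway) are done with OpenVZ's own tools and are not covered here.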