Hi Marc,

> When I run "iptables" inside the CT it says that it cannot load the modules, and
> I realized that they aren't inside the CT:
>
> CT:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such
> file or directory
> iptables v1.4.2: can't initialize iptables table `nat': Table does not exist
> (do you need to insmod?)
>
> Is it a good idea to have a CT as NAT and firewall, or should I use the HN for
> this purpose?
> Is there any doc explaining a similar configuration?
> Any other recommendation?
Have you had a look at: http://wiki.openvz.org/Setting_up_an_iptables_firewall

I run a FW container that performs routing between an internet segment and one or more internal networks (DMZ, internal, wireless). It's actually quite handy, because you can then migrate the router/FW role between hardware nodes like any other container. And keeping the HN OS to minimum changes, it becomes very easy to understand the impact of taking down a hardware node: migrate containers to another node, and then shut down the HN.

This can apply even for a network with only one HN and little networking/firewalling requirements - you'll thank yourself later when things change, new hardware replaces old hardware, etc.

One gotcha is that the VZ beancounters have a parameter for the number of iptable entries (numiptent). You'll need to boost that up for complex firewall rulesets.

Regards,
Chris Bennett
cgb
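To make the numiptent gotcha above concrete, here is an added example (not from the thread or the OpenVZ project) that reads the beancounter row for a container from /proc/user_beancounters and reports whether the iptables-entry limit is exhausted. The column order (uid, resource, held, maxheld, barrier, limit, failcnt) is assumed from the usual OpenVZ layout, and the sample table is constructed so the script runs offline.

```shell
#!/bin/sh
# Constructed /proc/user_beancounters sample: CT 101 has hit its numiptent limit
# (failcnt 7), CT 102 has plenty of headroom.
SAMPLE_UBC='Version: 2.5
       uid  resource       held   maxheld   barrier   limit   failcnt
       101: kmemsize    2457600   3010560  14372700 14790164        0
            numiptent       200       200       200      200        7
       102: kmemsize    1000000   1200000  14372700 14790164        0
            numiptent        40        60       200      200        0'

# numiptent_status CTID [FILE]
# Prints "held limit failcnt" for the numiptent row of CTID.
# FILE defaults to the live /proc/user_beancounters on the HN.
numiptent_status() {
  ctid=$1
  file=${2:-/proc/user_beancounters}
  awk -v ct="$ctid" '
    # rows that start a container block carry "UID:" as the first field
    $1 ~ /^[0-9]+:$/ {
      cur = substr($1, 1, length($1) - 1)
      if (cur == ct && $2 == "numiptent") print $3, $6, $7
      next
    }
    # continuation rows of the current container block
    cur == ct && $1 == "numiptent" { print $2, $5, $6 }
  ' "$file"
}

# numiptent_exhausted CTID [FILE]
# Returns 0 when rules have already been refused (failcnt > 0) or the
# held count has reached the limit; 1 when there is headroom; 2 if no row.
numiptent_exhausted() {
  set -- $(numiptent_status "$1" "$2")
  [ -n "$1" ] || return 2
  [ "$3" -gt 0 ] || [ "$1" -ge "$2" ]
}

# Demo on the constructed sample (on a real HN, omit the file argument).
tmpf=$(mktemp)
printf '%s\n' "$SAMPLE_UBC" > "$tmpf"
for ct in 101 102; do
  if numiptent_exhausted "$ct" "$tmpf"; then
    # Raising the limit is done with vzctl (assumed from its manual):
    echo "CT $ct: numiptent exhausted - vzctl set $ct --numiptent <barrier>:<limit> --save"
  else
    echo "CT $ct: numiptent ok ($(numiptent_status "$ct" "$tmpf"))"
  fi
done
rm -f "$tmpf"
```

A non-zero failcnt on this row is the symptom to watch for when a rule load silently stops short inside the container.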
