Iptables NAT in OpenVZ Containers

From Indonesian Research And Development Center

Configuring iptables NAT in OpenVZ Containers

  • Stop the OpenVZ daemon:
# /etc/init.d/vz stop
  • Edit /etc/vz/vz.conf as follows:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat"
  • Load the iptable_nat module (one modprobe per module, each as a separate command):
# modprobe ip_tables
# modprobe ip_conntrack
# modprobe iptable_filter
# modprobe ipt_state
# modprobe iptable_nat
  • Restart OpenVZ:
# /etc/init.d/vz restart
  • Enter the container and restart iptables (adjust to the configuration you use):
# vzctl enter 102

[root@mx1 /]# /etc/init.d/iptables restart

iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules:


Fixing Destination Host Prohibited on OpenVZ

  • A problem that often occurs when enabling the nat table in a container is Destination Host Prohibited. It happens because the host's IP firewall does not allow clients to connect to the container OS, whose address is private, so the connection is treated as illegal:
host OS IP: 10.10.7.1
container OS IP: 10.10.7.101
client OS IP: 10.10.7.100
  • The following is the error that appears when the container IP pings the client IP, or vice versa:
[root@mx1 /]# ping 10.10.7.100

PING 10.10.7.100 (10.10.7.100) 56(84) bytes of data.
From 10.10.7.1 icmp_seq=1 Destination Host Prohibited
From 10.10.7.1 icmp_seq=2 Destination Host Prohibited
^C
--- 10.10.7.100 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3689ms
  • The fix is applied on the host OS; edit the file /etc/sysconfig/iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
  • Enable IP forwarding on the host OS:
net.ipv4.ip_forward = 1
  • Add iptables rules to allow forwarding for the container network:
# iptables -t nat -A POSTROUTING -j SNAT --to-source 10.10.7.1
# iptables -A FORWARD -s 10.10.7.1/24 -j ACCEPT
# iptables -A FORWARD -d 10.10.7.1/24 -j ACCEPT
# service iptables save

  • View the /etc/sysconfig/iptables configuration:
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*nat

:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j SNAT --to-source 10.10.7.1
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*mangle
:PREROUTING ACCEPT [1012:74184]
:INPUT ACCEPT [729:57326]
:FORWARD ACCEPT [2:168]
:OUTPUT ACCEPT [500:50616]
:POSTROUTING ACCEPT [500:50616]
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2980]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited		<===== move
-A FORWARD -j REJECT --reject-with icmp-host-prohibited		<===== move
-A FORWARD -s 10.10.7.0/24 -j ACCEPT
-A FORWARD -d 10.10.7.0/24 -j ACCEPT
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
  • Then move the two icmp-host-prohibited REJECT rules to the end of the filter rules in /etc/sysconfig/iptables, after the FORWARD ACCEPT rules:
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*nat

:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j SNAT --to-source 10.10.7.1
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*mangle
:PREROUTING ACCEPT [1012:74184]
:INPUT ACCEPT [729:57326]
:FORWARD ACCEPT [2:168]
:OUTPUT ACCEPT [500:50616]
:POSTROUTING ACCEPT [500:50616]
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
# Generated by iptables-save v1.4.7 on Sat Aug 10 21:30:30 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2980]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A FORWARD -s 10.10.7.0/24 -j ACCEPT
-A FORWARD -d 10.10.7.0/24 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 10 21:30:30 2013
  • That concludes this short tutorial; hopefully it is useful.
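To show why the two REJECT rules had to move below the FORWARD ACCEPT rules, here is an added Python example (not part of the original page) that evaluates the host's FORWARD chain with iptables' first-match semantics. The rule text is constructed from the listings above, the addresses are the page's own, and the parser deliberately understands only -s, -d and -j.

```python
import ipaddress

# Constructed sample: the page's FORWARD rules in the original (broken)
# order, with the unconditional REJECT first, and in the corrected order.
FORWARD_BEFORE = """
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.10.7.0/24 -j ACCEPT
-A FORWARD -d 10.10.7.0/24 -j ACCEPT
"""
FORWARD_AFTER = """
-A FORWARD -s 10.10.7.0/24 -j ACCEPT
-A FORWARD -d 10.10.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(text, chain="FORWARD"):
    """Parse '-A CHAIN ... -j TARGET' lines into (src, dst, target) tuples.
    strict=False accepts host-style prefixes such as 10.10.7.1/24, which
    iptables itself normalises to 10.10.7.0/24 when saving."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        src = dst = target = None
        i = 2
        while i < len(tok):
            if tok[i] == "-s":
                src = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif tok[i] == "-d":
                dst = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif tok[i] == "-j":
                target = tok[i + 1]; i += 2
            else:
                i += 1  # other matches/options are ignored in this model
        rules.append((src, dst, target))
    return rules

def verdict(rules, src_ip, dst_ip, policy="ACCEPT"):
    """First matching rule wins, as in a real chain; else the chain policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, target in rules:
        if (src is None or s in src) and (dst is None or d in dst):
            return target
    return policy

def shadowed_rules(rules):
    """Rules that can never match because an unconditional terminating rule
    (no -s, no -d) precedes them: the misordering this page corrects."""
    for i, (src, dst, target) in enumerate(rules):
        if src is None and dst is None and target in ("ACCEPT", "DROP", "REJECT"):
            return rules[i + 1:]
    return []
```

Running verdict on a container-to-client packet (10.10.7.101 to 10.10.7.100) returns REJECT for the original order and ACCEPT for the corrected one, while shadowed_rules flags the two ACCEPT rules as dead in the original order.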