iptables, OpenVZ and guest OS internet access.

Associate (joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Hi,

I have a CentOS 5.4 install (host) with OpenVZ on it and another CentOS 5.4 running as a guest OS. Both the host and guest have their own IP addresses and the guest and host can talk to the internet and each other but the guest cannot resolve DNS requests.

If I drop iptables on the host then the guest can lookup addresses by name.

I am at a loss for a rule to allow DNS requests to go from the guest, through the host and return to the guest after being fulfilled by my ISP's DNS server.

Ideally I would like to let everything relating to the guest's IP address be forwarded through the host to the guest. The guest can firewall itself.

I am a bit stuck with the concept on how the host and guest communicate and how the packets get picked up by the host even though they are for the guests IP address.

I believe the host has eth0 and venet0 as its interfaces and the guest has venet0:0 as its interface (IP address assigned); venet0 has localhost assigned as an address (i.e. 127.0.0.1).

Any help please (info, links).

Cheers
RB
 
Associate (joined 27 Dec 2006, 1,783 posts):
I would expect that you'll need to set up a NAT rule and masquerading. A quick Google should show you how to do this; it's very well documented.
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Thanks .walls, but I would have thought NAT would be required only if you had one external IP and internal IPs for the guests.

I have been searching around and have found lots of info, but the problem is that after reading lots of it I am not convinced it relates to the problem I have, as most people seem to be using internal IPs for their guests.

Maybe it is also a case of info overload, hence asking for a good, trusted guide.

Cheers
RB
 
Associate (joined 27 Dec 2006, 1,783 posts):
You might be right about the NAT / masquerade... monday morning, etc :)

Give us the output of iptables -L and /etc/sysconfig/iptables
(yeah, they're basically the same thing, I know).

EDIT: also the routing table of the host and the ifconfig output.
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Thanks .walls, I will post it up when I get home tonight after work.

I have made some progress after a bit of playing around and reading tutorials....

Disabling the host iptables allows the guest DNS.
Enabling the host iptables disables the guest DNS.

From here I added to the /etc/sysconfig/iptables file:

-A INPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

Restarted iptables, no dice......
Restarted OpenVZ and DNS worked from the guest OS.

Did an iptables -L but the port 53 lines were missing..........

Removed the 4 new lines and there was no DNS from the guest OS.
Restarted OpenVZ, no change.

From this it seems like the 4 new lines (shotgun technique) are working even though they are not being reported by iptables -L.

Now the next step was to test web browsing, but for that I needed to install X Windows, Gnome and FreeNX in order to remote desktop to the guest OS and therefore invoke X Windows for GUI tools.

I cannot connect via FreeNX (ssh works fine) but I suspect this is an ssh key issue and I need to allow password logins. I will test tonight.

Ok, so where to go from here.......

Still need to allow all traffic to and from the VPS guest OS.

If the input interface is eth0 and the output routing interface is venet0, then would something like the following work from a firewall point of view.....

-A FORWARD -p all -i eth0 -d [Guest ip] -j ACCEPT

ip route add [Guest IP] dev venet0

....now, on doing more research today whilst typing this reply, it has come to light that the container's venet device does not allow iptables filtering. For this I need to set up a new interface, veth[container number].0.

This apparently allows full device configuration from the container (guest OS) and firewall control.

Never simple :D. I will try setting this veth device up tonight as well....

RB
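An added example, not from this thread or the OpenVZ project, of what a host-side ruleset in iptables-restore format could look like once the guest sits on a veth device: it accepts everything to and from the guest address on the FORWARD chain and leaves per-port filtering to the guest itself. The guest IP 192.168.1.105, the LAN interface eth0 and the veth name veth1001.0 are assumed placeholders (the same values that appear in the host output further down the thread). The script only prints and lints the rules; it never calls iptables. It also deliberately does not use a bare "--sport 53 ACCEPT" on INPUT, because that accepts any packet whose source port happens to be 53; the ESTABLISHED,RELATED state rule admits the replies to the host's own DNS queries and nothing else.

```shell
#!/bin/sh
# Added example (not the poster's own file): build an iptables-restore
# ruleset for an OpenVZ host that forwards all traffic to/from one guest IP.
# Interface names and the guest address are assumed placeholders.
GUEST_IP="${GUEST_IP:-192.168.1.105}"   # assumed guest address
WAN_IF="${WAN_IF:-eth0}"                # host's LAN/internet-facing interface
GUEST_IF="${GUEST_IF:-veth1001.0}"      # host side of the guest's veth pair

# Print a complete ruleset in iptables-restore format. Note the syntax:
# long options take two dashes (--sport, --dport), the protocol is "udp",
# and the jump flag is lowercase -j. One malformed line makes iptables-restore
# reject the whole file, so nothing from it appears in 'iptables -L'.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# host: loopback, ssh, and replies to connections the host opened (this is
# what lets the host's own DNS lookups come back, without opening port 53)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest: forward anything addressed to or sent by the guest between the LAN
# interface and its veth; the guest runs its own firewall
-A FORWARD -i $WAN_IF -o $GUEST_IF -d $GUEST_IP -j ACCEPT
-A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_IP -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset without touching the kernel: succeed only if no line uses
# an uppercase -J, a single-dash --sport/--dport, or the typo "ucp".
lint_rules() {
    ! printf '%s\n' "$1" | grep -Eq -- ' -J | [^-]-(sport|dport)| -p ucp '
}

# stand-alone usage: print the ruleset and report the lint result
rules=$(gen_host_rules)
printf '%s\n' "$rules"
lint_rules "$rules" && echo "lint: ok" || echo "lint: malformed rule found"
```

To load it for real, the printed text would go into /etc/sysconfig/iptables (or be piped to iptables-restore); ip_forward must be enabled on the host for the FORWARD rules to see any traffic at all.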
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Ok, as it stands:

Firewall down on host and guest.

veth0 created on guest and routes added.

Guest routing and ifconfig output:

[root@container1 ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.78 * 255.255.255.255 UH 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.78 0.0.0.0 UG 0 0 0 eth0
[root@container1 ~]#
[root@container1 ~]# ip route
192.168.1.78 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
default via 192.168.1.78 dev eth0
[root@container1 ~]#
[root@container1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:18:51:A8:9B:67
inet addr:192.168.1.105 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::218:51ff:fea8:9b67/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:330 errors:0 dropped:0 overruns:0 frame:0
TX packets:590 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:32792 (32.0 KiB) TX bytes:62552 (61.0 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@container1 ~]#

Host details:

[root@ronin-vbox ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.105 * 255.255.255.255 UH 0 0 0 veth1001.0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default menu 0.0.0.0 UG 0 0 0 eth0
[root@ronin-vbox ~]#
[root@ronin-vbox ~]# ip route
192.168.1.105 dev veth1001.0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.78
169.254.0.0/16 dev eth0 scope link
default via 192.168.1.254 dev eth0
[root@ronin-vbox ~]#
[root@ronin-vbox ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:4E:92:EA
inet addr:192.168.1.78 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe4e:92ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:104541 errors:0 dropped:0 overruns:0 frame:0
TX packets:61636 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11432615 (10.9 MiB) TX bytes:32929034 (31.4 MiB)
Base address:0xd010 Memory:f0000000-f0020000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:96224 errors:0 dropped:0 overruns:0 frame:0
TX packets:96224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:37305664 (35.5 MiB) TX bytes:37305664 (35.5 MiB)

veth1001.0 Link encap:Ethernet HWaddr 00:18:51:E6:40:FC
inet6 addr: fe80::218:51ff:fee6:40fc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:602 errors:0 dropped:0 overruns:0 frame:0
TX packets:349 errors:0 dropped:9 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:64696 (63.1 KiB) TX bytes:34052 (33.2 KiB)

[root@ronin-vbox ~]#

I can ssh between the host and guest. I can browse the internet on the host. I cannot get past the host or resolve any DNS from the guest.

I suspect that this may be because the network router (i.e. my internet gateway) does not know to send the packets back to the host machine in order for them to get to the guest machine.

Would appreciate views on this though, as I am losing enough hair as it is without this issue :D.

Oh, and yes, the addresses are internal private LAN addresses as I am simulating work I need to do shortly at home.

Many thanks
RB
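The suspicion in the post above is the usual cause with a veth in "routed" mode: the host has a /32 route to the guest over veth1001.0, but the guest's address is in the LAN subnet, so the gateway ARPs for 192.168.1.105 on the wire and nobody answers. Either a bridge (the fix the thread eventually uses) or proxy ARP on the host solves it. As an added example that is not the poster's setup or an OpenVZ project script, this sh script prints the host-side commands for the proxy-ARP variant and checks a copy of the posted host routing table for the guest's /32 route. The guest IP, veth name and eth0 are assumptions taken from the output above.

```shell
#!/bin/sh
# Added example, not the poster's own configuration: host-side commands for
# an OpenVZ guest reached through a veth pair in routed mode. Values are
# assumptions copied from the thread's output; adjust for a real host.
GUEST_IP="${GUEST_IP:-192.168.1.105}"
GUEST_IF="${GUEST_IF:-veth1001.0}"
LAN_IF="${LAN_IF:-eth0}"

# Print (do not run) the commands that make the guest reachable from the LAN.
# Without proxy_arp on the LAN interface the gateway's ARP query for the
# guest address goes unanswered, which is exactly the "router does not know
# to send the packets back to the host" symptom. The /proc paths are used
# instead of 'sysctl -w' because the veth name contains a dot, which sysctl
# would read as a separator.
gen_routed_veth_setup() {
    cat <<EOF
# let the host route packets between $LAN_IF and $GUEST_IF
echo 1 > /proc/sys/net/ipv4/ip_forward
# answer ARP for $GUEST_IP on the LAN on the guest's behalf
echo 1 > /proc/sys/net/ipv4/conf/$LAN_IF/proxy_arp
# answer the guest's ARP queries for LAN hosts on the veth side
echo 1 > /proc/sys/net/ipv4/conf/$GUEST_IF/proxy_arp
# host-side /32 route so frames for the guest leave over the veth
ip route replace $GUEST_IP dev $GUEST_IF
EOF
}

# Given the text of 'ip route' on the host and a guest IP, succeed only if
# that IP has a host route over a veth device (field 3 starts with "veth").
check_guest_route() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip && $2 == "dev" && $3 ~ /^veth/ { found = 1 }
        END { exit !found }'
}

# constructed sample: the host routing table as posted in the thread
SAMPLE_HOST_ROUTES='192.168.1.105 dev veth1001.0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.78
169.254.0.0/16 dev eth0 scope link
default via 192.168.1.254 dev eth0'

# stand-alone usage
gen_routed_veth_setup
if check_guest_route "$SAMPLE_HOST_ROUTES" "$GUEST_IP"; then
    echo "host route for $GUEST_IP via veth: present"
else
    echo "host route for $GUEST_IP via veth: missing"
fi
```

The route check passes on the posted table, which is why the problem was not routing on the host but the LAN gateway's ARP resolution; the printed commands are the part the OpenVZ guides tend to leave out.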
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Ok,

I have finally got the network up and running using a bridge.

The HowTo guides on the OpenVZ site seem to have bits missing though, so I had to mix and match from a few different ones to get it working.

I will look at the firewall issues again tomorrow :D.

Oh, if anyone is interested in how it can be done, just shout and I will post my routing rules and ifconfig details along with links to the guides I used.

RB
 
Associate (joined 27 Dec 2006, 1,783 posts):
Sorry about not responding - I'm working away from home at the moment and have very limited internet access.

If you're still having issues at the weekend.... I might be able to help then!
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Np .walls,

I may have spoken a little too soon.

Connectivity seems ok from the guest system, but sshing in is giving pauses of up to 60 seconds before seeing what I have typed.

Downloading and installing FreeNX, X Windows and Gnome went pretty fast and without an issue though. Still need to sort out my DSA keys for FreeNX so I can remote desktop to the guest. This already works for the host.

I recall reading somewhere about pauses on veth0, so I will try and find the article and dig a bit deeper.

Oh, and I have an external drive connected via eSATA, so I may try installing on that to take the whole VirtualBox situation out of the equation.

Cheers
RB
 
Associate (OP; joined 10 Nov 2004, 2,237 posts, location: Expat in Singapore):
Ok, I think I will be doing a system resource check as, according to the Wiki here, the i386 CentOS (or other 32-bit distro) may have issues if there is not enough low memory, resulting in hangs etc. when swapping to disk.

The guest is running CentOS i386 5.4 due to the issues still with some 64-bit Linux tools and the VPS's unlikelihood of needing very large memory (for a VPS).

The VirtualBox VM only has 1GB allocated (out of 4) for its guest (the CentOS 64-bit host for the 32-bit guest with the issues).

There is no stuttering / hangs with the host. I am connecting to both via PuTTY. Running non-interactive tasks on the guest (a yum package install, for example) did not cause processes to pause, although the screen updates via the ssh PuTTY session would pause every now and then.

I may also create another container with the 64-bit CentOS 5.4 template and see if it has the same issues.

Cheers
RB
 