Step-by-step NAT iptables problem?

Discussion in 'HOWTO-Related Questions' started by zenny, Nov 27, 2006.

  1. zenny

    zenny Member

    I am trying to make the Hardware Node of the OpenVZ machine (based on CentOS 4.4 minimal) the nat+router+firewall for the OpenVZ Virtual Environments (VE) as well as the network.

    I followed Mr. Ganesh's Mini-tutorial (, but I am stuck somewhere. Before I explain the problem, let me explain what my network looks like:

    DSL Modem-->OpenVZ machine of which I would like to make the HN as the nat+router+firewall with two ethernet cards and static public IP-->>wireless router (jensen airlink 6754)-->>simultaneously connected to the voipserver, other servers and network.

    The OpenVZ hardware node can reach the Internet via eth0. The local machines can also access the wireless router, wired and wirelessly. The local clients can also ping the eth1 gw. But the problem is that pinging anything on the internet (like ping) does not work.

    What could be the problem? The reason for my network architecture is that I have a single public IP and I would like to make several host machines behind my firewall accessible from outside my network.

    Thank you.
    Last edited: Nov 27, 2006
  2. zenny

    zenny Member

    After changing my router from gateway mode to bridge mode, I have also assigned the same range of IP to the eth1 ( as the router has an internal IP of, and now the gateway computer can ping the router and the client machines connected to the router. But the client machines (connected to the router-->eth1 of the gateway machine-->eth0 in the gateway machine-->internet) still cannot access the internet. Please help.
  3. zenny

    zenny Member

    I tried and could make the router talk to the gateway machine (of which the HN would be serving as the nat+router+firewall) which hosts OpenVZ. The gateway machine and the other machines connected to the physical router can reach each other. But the problem is that the router and the local network behind it refuse to connect to the internet.

    Help solicited and thanks in advance.
  4. falko

    falko Super Moderator ISPConfig Developer

    What are the outputs of
    ping -c2
    ping -c2
  5. zenny

    zenny Member

    Thanks Falko (Extremely Helpful Gentleman):

    But I solved the problem by using shorewall with three interface cards. This tutorial ( and the entire Shorewall documentation proved to be extremely helpful!

    Now, my network has a DMZ (eth2), LOC (eth1) with another gateway for the LOC in a different subnet, and eth0 for FW and GW to internet.

    However, I may need to customize the firewall to my needs. I know that I need to execute some iptables commands like the ones below for the VPSes inside the gateway computer (I use the OpenVZ host node as the firewall+router, and it has three VPSes as guests):

    # SNAT: rewrite the source of outbound VPS traffic to the gateway's public IP
    iptables -t nat -A POSTROUTING -s VPS_IP_Range -o eth0 -j SNAT --to-source GW_IP
    # DNAT: forward one public port to a port on one VPS
    # (the FORWARD chain must also accept the forwarded traffic for this to work)
    iptables -t nat -A PREROUTING -p tcp -d GW_IP --dport port_number -i eth0 -j DNAT --to-destination VPS_IP:destination_port_number

    How can this be achieved in the shorewall? In case I execute the above commands using iptables will they conflict? Thanks.
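Added example (not from this thread and not from the Shorewall project): the Shorewall 3.x equivalents of the two iptables rules above. It assumes the OpenVZ containers are reached through venet0 on the HN and put in their own zone named vps, that their range is 10.0.0.0/24, and that the public address is 203.0.113.10 (all constructed placeholders).

```text
# /etc/shorewall/zones  (the three-interface sample zones plus the new vps zone)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vps     ipv4

# /etc/shorewall/interfaces  (assumption: VEs use venet0; routeback lets VEs reach each other)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect      tcpflags
dmz     eth2        detect
vps     venet0      -           routeback

# /etc/shorewall/policy  (containers may go out; nothing from net is allowed by default)
#SOURCE   DEST   POLICY   LOG LEVEL
vps       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq  == iptables -t nat -A POSTROUTING -s VPS_IP_Range -o eth0 -j SNAT --to GW_IP
# Filling in ADDRESS makes Shorewall generate SNAT instead of MASQUERADE.
#INTERFACE   SOURCE          ADDRESS
eth0         10.0.0.0/24     203.0.113.10

# /etc/shorewall/rules  == iptables -t nat -A PREROUTING ... -j DNAT --to-destination VPS_IP:port
# Public port 80 goes to container 10.0.0.2:80; the DNAT action also adds the
# matching forward ACCEPT, so no extra rule is needed for the forwarded traffic.
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
DNAT      net      vps:10.0.0.2:80     tcp     80             -                203.0.113.10
```

Shorewall rebuilds the whole iptables ruleset on every restart, so rules added by hand with iptables are lost or can conflict with it; keep the NAT in these files and run `shorewall check` before `shorewall restart`.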
  6. falko

    falko Super Moderator ISPConfig Developer

    Most likely yes. There must be a shorewall configuration file somewhere, I think.
