iptables MASQUERADE and MARK
Kelvin Raywood <kray@...
2010-07-05 22:55:25 GMT
We're using OpenVZ to host firewalls for multiple VLANs and it's working
out really well in the cases where we write the iptables rules
ourselves. We add the network interface of each VLAN directly to a VPS
and use a bridge on the other side.
For some VLANs, we want to use iptables rules generated by some other
software. One of these uses both ipt_MASQUERADE and ipt_MARK. It
seems as though MASQUERADE is now working in
ovzkernel-2.6.18-194.3.1.el5.028stab069.6 although vzctl-3.0.24-1
doesn't recognize it. However, ipt_MARK is not OpenVZ-ised so we have to
run a couple of separate stand-alone non-OpenVZ boxes for the VLANs that
use this software. Unfortunately, the software is not easily hackable,
making one box per VLAN necessary.
I searched the OpenVZ bugzilla but couldn't find any entries for
ipt_MARK. Does anyone know if this module will be OpenVZ-ised in some
future kernel?
If not, I'll add a feature request.
BTW, the message quoted below did not receive a response on the list but
I confirm that MASQUERADE is now virtualized but the tools don't yet
know. So you have to use some non-OpenVZ method to ensure that it gets
loaded. On CentOS-5, I drop short scripts in /etc/sysconfig/modules/ to
ensure that various modules are loaded.
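As an added illustration of the /etc/sysconfig/modules/ approach mentioned above (example code, not from the original post or from the OpenVZ project; the file name ovz-netfilter.modules and the module list are assumptions):

```shell
#!/bin/sh
# Hypothetical /etc/sysconfig/modules/ovz-netfilter.modules (added example,
# not from the post). On CentOS-5, rc.sysinit runs every executable
# *.modules file in that directory at boot, so this is where the host can
# load netfilter targets that vzctl does not yet know how to request.

# Modules the host should have loaded before any VE starts (assumed list).
# ipt_MARK is included only so the script reports when it is unavailable.
WANTED_MODULES="ipt_MASQUERADE ipt_MARK"

# module_loaded NAME [TABLE]: succeed if NAME is loaded according to TABLE
# (default /proc/modules). The name is matched as the first field only, so a
# module listed merely as a dependent of another one does not count.
module_loaded() {
    table="${2:-/proc/modules}"
    grep -q "^$1 " "$table" 2>/dev/null
}

# ensure_module NAME: modprobe NAME unless it is already loaded, then verify
# that it really shows up in /proc/modules.
ensure_module() {
    if module_loaded "$1"; then
        echo "$1: already loaded"
        return 0
    fi
    if modprobe "$1" 2>/dev/null && module_loaded "$1"; then
        echo "$1: loaded"
    else
        echo "$1: could not be loaded (module missing in this kernel?)" >&2
        return 1
    fi
}

# Boot-time behaviour: try every wanted module and continue past failures,
# so one missing target does not stop the others from loading.
failed=0
for mod in $WANTED_MODULES; do
    ensure_module "$mod" || failed=$((failed + 1))
done
echo "modules not loaded: $failed"
```

Make the file executable (chmod 755) or rc.sysinit will skip it; the exit status is not used by rc.sysinit, so the per-module messages on the console are what tell you a target is still missing.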