How to configure NAT with iptables on a VPS.

NAT ( network-address-translation ) with iptables  helps us in how to select the packets we want to mangle. We can easily configure NAT on a OpenVZ VPS by following the below steps.

Lets first consider a VPS in which NAT is not enabled. Trying to POSTROUTE from VPS throws you errors.

iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o venet0 -j SNAT –to 111.140.170.134

or iptables -t nat -nvL

iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

To Enable NAT :

* Login to Node server.

Check vzcinfiguration file to find whether NAT is enabled or not.

grep -i iptables /etc/vz/vz.conf

You will get

## IPv4 iptables kernel modules
IPTABLES=”ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length”

Add NAT to the configuration file.

vi /etc/vz/vz.conf

insert ‘iptable_nat’ on to the iptables modules.

## IPv4 iptables kernel modules

IPTABLES=”iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length”

Check NAT is loaded or not,

lsmod | grep nat

================================
[root@node ~]# lsmod | grep nat
iptable_nat            43404  3
ip_nat                 53520  2 iptable_nat,vzrst
ip_conntrack          101396  6 iptable_nat,vzrst,ip_nat,vzcpt
nfnetlink              40392  2 ip_nat,ip_conntrack
ip_tables              57440  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               52744  11 iptable_nat,xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,ip_tables

================================

* Now save the paraments for the VPS to which NAT has to be enabled.

from node :

vzctl set VZID –iptables “iptable_nat iptable_filter iptable_mangle ip_conntrack ipt_conntrack ipt_REDIRECT ipt_REJECT ipt_multiport ipt_helper ipt_LOG ipt_state” –save

VZID is VPS ID, replace it with the correct one.

* Restart VPS

vzctl restart VZID

* Enter into the VPS

vzctl enter VZID

* Check for NAT

iptables -t nat -nvL

===================
[root@vz ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2 packets, 88 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 SNAT       all  –  *      venet0  10.9.0.0/24          0.0.0.0/0           to:111.140.170.134
0     0 SNAT       all  –  *      venet0  10.8.0.0/24          0.0.0.0/0           to:111.140.170.134
0     0 SNAT       all  –  *      venet0  10.9.0.0/24          0.0.0.0/0           to:111.140.170.134

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
pkts bytes target     prot opt in     out     source               destination
===================

*Test whether you are able to postroute the packets on VPS.

iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o venet0 -j SNAT –to 111.140.170.134

It should work.

6 thoughts on “How to configure NAT with iptables on a VPS.

  1. Well when i was thinking “this is it” my node thinks other way: “Bad parameter for -i : ptables”
    Not even echo iptables, just like that -i : tables
    I know is not much of a lead for troublesoot but any ideas?
    the node is running proxmox 1.7

    Thanks

  2. Thanks you very much for clearing this up.
    I thought I was doing something wrong but apparently its my service provider’s territory…as the node server is managed by hosting providers.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>