vr_nat4 - OpenNebula/one-apps GitHub Wiki

NAT4

Use this mode when the VMs behind the Virtual Router have private IP addresses and your goal is to give them internet access through the Virtual Router. The module adds a MASQUERADE rule to the POSTROUTING chain of the iptables nat table, so traffic leaving through the public interface is rewritten to carry the Virtual Router's own address as its source.

The following figure depicts the basic LAN topology assumed by the module:

            public Network
      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
   β”Œβ”€β”€β”΄β”€β” (*) NAT
β”Œβ”€β”€β”€eth0β”œβ”€β”€β”
β”‚  β””β”€β”€β”€β”€β”˜  β”‚
β”‚  Virtual β”‚
β”‚  Router  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”  β”‚
└───eth1β”œβ”€β”€β”˜
   β””β”€β”¬β”€β”€β”˜
     β”‚   private network (e.g. 192.168.0.0/24)
     └────┬───────────┬────────────┬──────────
       β”Œβ”€β”€β”΄β”€β”€β”     β”Œβ”€β”€β”΄β”€β”€β”      β”Œβ”€β”€β”΄β”€β”€β”
       β”‚ VM1 β”‚     β”‚ VM2 β”‚      β”‚ VM3 β”‚
       β””β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”˜      β””β”€β”€β”€β”€β”€β”˜

Virtual Router Configuration

The following attributes control the basic configuration for NAT'ing:

  • ONEAPP_VNF_NAT4_ENABLED to activate the module
  • ONEAPP_VNF_NAT4_INTERFACES_OUT defines the public interface

For the topology above, simply add the following to the Virtual Router's context:

CONTEXT = [
  ...
  ONEAPP_VNF_NAT4_ENABLED        = "YES",
  ONEAPP_VNF_NAT4_INTERFACES_OUT = "eth0",
  ...
]

This produces the following rule on the Virtual Router:

$ iptables -t nat -vnL NAT4-MASQ
Chain NAT4-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination
  782 47944 MASQUERADE  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0

Static, DNAT-based port-forwarding

You can define static DNAT port-forwarding rules for the NAT4 module, for example:

CONTEXT = [
  ...
  ONEAPP_VNF_NAT4_PORT_FWD0 = "1.2.3.4:1234:10.11.12.13:4321",
  ONEAPP_VNF_NAT4_PORT_FWD1 = "5.6.7.8:1234:10.11.12.13",
  ONEAPP_VNF_NAT4_PORT_FWD2 = "1234:10.11.12.13:4321",
  ONEAPP_VNF_NAT4_PORT_FWD3 = "2345:10.11.12.13",
  ONEAPP_VNF_NAT4_PORT_FWD4 = "<ETH0_EP0>:1234:10.11.12.13:4321",
  ONEAPP_VNF_NAT4_PORT_FWD5 = "<ETH1_EP0>:4321:10.11.12.13",
  ...
]

The syntax is similar to ssh -L local forwarding, i.e. old_dest:old_port:new_dest:new_port, where old_dest and new_port are optional. Without old_dest the rule matches on the destination port alone, regardless of which address the packet was sent to; without new_port the packet keeps its original destination port. Only IPv4 addresses are supported (this is the NAT4 module).

Note

You can use <ETHx_IPy>, <ETHx_EPy> and <ETHx_VIPy> to interpolate one of the Virtual Router's own addresses as the value for old_dest.

Important

The mappings are defined in the PREROUTING chain in iptables for both TCP and UDP protocols.
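
The Ruby script below is an added example, not code from the one-apps project: it renders the iptables rules implied by the NAT4 attributes described above, that is the NAT4-MASQ MASQUERADE rules derived from ONEAPP_VNF_NAT4_INTERFACES_OUT and the PREROUTING DNAT rules (TCP and UDP) derived from the ONEAPP_VNF_NAT4_PORT_FWD[0-9] syntax, including <ETHx_EPy> interpolation. The sample context, the NIC list, the treatment of a leading ! in the interface list as an exclusion, and the defaulting of a missing new_port to old_port are assumptions of this example; the real module's internals are not shown on this page.

```ruby
require 'ipaddr'

# Constructed sample context (not from a real Virtual Router): eth0 public,
# eth1 private. FWD specs are the page's examples; ETHx_EPy values are invented.
CONTEXT = {
  'ETH0_EP0' => '1.2.3.4',
  'ETH1_EP0' => '192.168.0.1',
  'ONEAPP_VNF_NAT4_ENABLED'        => 'YES',
  'ONEAPP_VNF_NAT4_INTERFACES_OUT' => 'eth0',
  'ONEAPP_VNF_NAT4_PORT_FWD0'      => '1.2.3.4:1234:10.11.12.13:4321',
  'ONEAPP_VNF_NAT4_PORT_FWD1'      => '5.6.7.8:1234:10.11.12.13',
  'ONEAPP_VNF_NAT4_PORT_FWD2'      => '1234:10.11.12.13:4321',
  'ONEAPP_VNF_NAT4_PORT_FWD3'      => '2345:10.11.12.13',
  'ONEAPP_VNF_NAT4_PORT_FWD4'      => '<ETH0_EP0>:1234:10.11.12.13:4321',
  'ONEAPP_VNF_NAT4_PORT_FWD5'      => '<ETH1_EP0>:4321:10.11.12.13'
}.freeze

ROUTER_NICS = %w[eth0 eth1].freeze # constructed: NICs present on the router

# Resolve the "<[!]ethX> ..." list against existing NICs. Treating a leading
# '!' as "every NIC except this one" is an assumption of this example.
def out_interfaces(spec, nics = ROUTER_NICS)
  words = spec.to_s.split
  return [] if words.empty? # the attribute is mandatory: no NICs by default
  excluded = words.select { |w| w.start_with?('!') }.map { |w| w[1..-1] }
  included = words.reject { |w| w.start_with?('!') }
  base     = included.empty? ? nics : included
  (base - excluded).select { |n| nics.include?(n) }
end

# One MASQUERADE rule per outgoing NIC, matching every protocol and source,
# as the page's `iptables -t nat -vnL NAT4-MASQ` output shows.
def masq_rules(ctx, nics = ROUTER_NICS)
  return [] unless ctx['ONEAPP_VNF_NAT4_ENABLED'].to_s.casecmp?('YES')

  out_interfaces(ctx['ONEAPP_VNF_NAT4_INTERFACES_OUT'], nics).map do |nic|
    "iptables -t nat -A NAT4-MASQ -o #{nic} -j MASQUERADE"
  end
end

# Expand <ETHx_IPy>, <ETHx_EPy> and <ETHx_VIPy>; an unknown placeholder is an
# error rather than a silently empty old_dest.
def interpolate(str, ctx)
  str.gsub(/<(ETH\d+_(?:IP|EP|VIP)\d+)>/) do |tag|
    ctx.fetch(Regexp.last_match(1)) { raise ArgumentError, "unknown placeholder #{tag}" }
  end
end

def valid_port?(s)
  s.to_s.match?(/\A\d{1,5}\z/) && (1..65_535).cover?(s.to_i)
end

def valid_ipv4?(s)
  IPAddr.new(s.to_s).ipv4?
rescue IPAddr::InvalidAddressError
  false
end

# Parse one ONEAPP_VNF_NAT4_PORT_FWDn value. old_dest and new_port may be
# absent; a 3-field spec is disambiguated by whether its first field is a
# port. Defaulting a missing new_port to old_port is an assumption here.
def parse_port_fwd(spec, ctx)
  parts = interpolate(spec, ctx).split(':')
  old_dest = new_port = nil
  case parts.length
  when 4 then old_dest, old_port, new_dest, new_port = parts
  when 3
    if valid_port?(parts[0])
      old_port, new_dest, new_port = parts
    else
      old_dest, old_port, new_dest = parts
    end
  when 2 then old_port, new_dest = parts
  else raise ArgumentError, "bad port-forward spec: #{spec}"
  end
  new_port ||= old_port
  raise ArgumentError, "bad port in #{spec}" unless valid_port?(old_port) && valid_port?(new_port)
  raise ArgumentError, "bad address in #{spec}" unless valid_ipv4?(new_dest) && (old_dest.nil? || valid_ipv4?(old_dest))

  { old_dest: old_dest, old_port: old_port.to_i, new_dest: new_dest, new_port: new_port.to_i }
end

# PREROUTING DNAT rules, one each for TCP and UDP as the page states. Without
# old_dest the rule has no -d match, so it applies to packets arriving on
# every NIC, including connections the private VMs make outwards.
def dnat_rules(fwd)
  %w[tcp udp].map do |proto|
    rule = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-p', proto]
    rule += ['-d', fwd[:old_dest]] if fwd[:old_dest]
    rule += ['--dport', fwd[:old_port].to_s, '-j', 'DNAT',
             '--to-destination', "#{fwd[:new_dest]}:#{fwd[:new_port]}"]
    rule.join(' ')
  end
end

# All FWD0..FWD9 entries in index order, parsed.
def port_forwards(ctx)
  ctx.select { |k, _| k.match?(/\AONEAPP_VNF_NAT4_PORT_FWD\d\z/) }
     .sort.map { |_, v| parse_port_fwd(v, ctx) }
end
```

Running `masq_rules(CONTEXT)` and `port_forwards(CONTEXT).flat_map { |f| dnat_rules(f) }` prints the full ruleset for the sample context. Note the two specs without an old_dest (FWD2 and FWD3): a DNAT rule with only a --dport match in PREROUTING rewrites any packet to that port that enters the router on any interface, so a VM on the private side connecting to port 1234 of an arbitrary internet host would be redirected to 10.11.12.13:4321 as well. For services exposed on the public side, prefer the forms with an explicit old_dest or an <ETHx_EPy> placeholder.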

Context Configuration Attributes

Parameter                        Default     Description
ONEAPP_VNF_NAT4_ENABLED          NO          Enable/Disable NAT feature (YES/NO)
ONEAPP_VNF_NAT4_INTERFACES_OUT   no NICs     Mandatory: outgoing NICs for NAT, space-separated (<[!]ethX> ...)
ONEAPP_VNF_NAT4_PORT_FWD[0-9]    undefined   Define a static DNAT mapping (old_dest:old_port:new_dest:new_port)