* masquerade error
From: J Webster @ 2011-10-11 7:01 UTC
To: netfilter

I am trying to add forwarding rules for openvpn but I get an unknown
error on my virtual server.
Also, after running the command lines, none of the additions are
entered into the iptables script.

[root@vps8259 myscripts]# echo 1> /proc/sys/net/ipv4/ip_forward
[root@vps8259 myscripts]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@vps8259 myscripts]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
[root@vps8259 openvpn]# iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
[root@vps8259 openvpn]# iptables -A FORWARD -j REJECT
[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295
[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295

* Re: masquerade error
From: Jan Sarenik @ 2011-10-11 13:31 UTC
To: netfilter

Hi J!

On Tue, Oct 11, 2011 at 08:01:12AM +0100, J Webster wrote:
> Also, after running the command lines, none of the additions are
> entered into the iptables script.

The commands are not changing any script, only the current in-kernel
tables. To save the changes, use "iptables-save" command, but your
distribution may have a designated mechanism like
"/etc/init.d/iptables save" - you have to find out, or reply with
the name of your distribution.

> [root@vps8259 myscripts]# echo 1> /proc/sys/net/ipv4/ip_forward
> [root@vps8259 myscripts]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> [root@vps8259 myscripts]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
> [root@vps8259 openvpn]# iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
> [root@vps8259 openvpn]# iptables -A FORWARD -j REJECT

All the above commands look good.

> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295

The problem here may be venet0 interface. As far as I know, there is no
support for "nat" tables on OpenVZ virtual network interfaces.

Best regards, Ján

* Re: masquerade error
From: J Webster @ 2011-10-11 13:43 UTC
To: netfilter

> The problem here may be venet0 interface. As far as I know, there is no
> support for "nat" tables on OpenVZ virtual network interfaces.

Thanks. If that is the case, then how do I postroute on a virtual network?

> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295

* Re: masquerade error
From: J Webster @ 2011-10-12 18:18 UTC
To: netfilter

> The problem here may be venet0 interface. As far as I know, there is no
> support for "nat" tables on OpenVZ virtual network interfaces.

Thanks. If that is the case, then how do I postroute on a virtual network?

[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295
[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295

* Re: masquerade error
From: Jan Sarenik @ 2011-10-13 14:09 UTC
To: netfilter

Hi J!

On Wed, Oct 12, 2011 at 07:18:10PM +0100, J Webster wrote:
> Thanks. If that is the case, then how do I postroute on a virtual network?

According to http://forum.openvz.org/index.php?t=msg&goto=42693&
you have to enable iptable_nat on host.

The error you are getting is anyway strange and I suppose it can
be a version mismatch between host kernel and guest iptables
(either too recent or too old iptables on your virtual node).

HTH, Jasan

* Re: masquerade error
From: J Webster @ 2011-10-14 7:34 UTC
To: netfilter

The hosting company have told me that masquerade is not activated:

MASQUERADE target isn't activate on your VPS.
You can use SNAT or DNAT target in nat tables.

So, how can I use SNAT and DNAT to route the traffic to my OpenVPN?

[root@vps8259 myscripts]# echo 1> /proc/sys/net/ipv4/ip_forward
[root@vps8259 myscripts]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@vps8259 myscripts]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
[root@vps8259 openvpn]# iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
[root@vps8259 openvpn]# iptables -A FORWARD -j REJECT
[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295
[root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables: Unknown error 4294967295

On 12/10/11 19:18, J Webster wrote:
>> The problem here may be venet0 interface. As far as I know, there is no
>> support for "nat" tables on OpenVZ virtual network interfaces.
>
> Thanks. If that is the case, then how do I postroute on a virtual
> network?
>
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s
> 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s
> 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295

* Re: masquerade error
From: Rob Sterenborg (lists) @ 2011-10-14 8:55 UTC
To: J Webster
Cc: netfilter

On Fri, 2011-10-14 at 08:34 +0100, J Webster wrote:
> The hosting company have told me that masquerade is not activated:
>
> MASQUERADE target isn't activate on your VPS.
> You can use SNAT or DNAT target in nat tables.
>
> So, how can I use SNAT and DNAT to route the traffic to my OpenVPN?

-j SNAT --to-source <internet_ip>
-j DNAT --to-destination <internal_ip>

Please check the SNAT and DNAT targets with 'man iptables' for the
details.


--
Rob

> [root@vps8259 myscripts]# echo 1> /proc/sys/net/ipv4/ip_forward
> [root@vps8259 myscripts]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> [root@vps8259 myscripts]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
> [root@vps8259 openvpn]# iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
> [root@vps8259 openvpn]# iptables -A FORWARD -j REJECT
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295
> [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
> iptables: Unknown error 4294967295
>
> On 12/10/11 19:18, J Webster wrote:
> >> The problem here may be venet0 interface. As far as I know, there is no
> >> support for "nat" tables on OpenVZ virtual network interfaces.
> >
> > Thanks. If that is the case, then how do I postroute on a virtual
> > network?
> >
> > [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s
> > 10.8.0.0/24 -o venet0 -j MASQUERADE
> > iptables: Unknown error 4294967295
> > [root@vps8259 openvpn]# iptables -t nat -A POSTROUTING -s
> > 10.8.0.0/24 -o venet0 -j MASQUERADE
> > iptables: Unknown error 4294967295

* Re: masquerade error
From: Rob Sterenborg (lists) @ 2011-10-14 9:05 UTC
To: J Webster
Cc: netfilter

On Fri, 2011-10-14 at 10:55 +0200, Rob Sterenborg (lists) wrote:
> On Fri, 2011-10-14 at 08:34 +0100, J Webster wrote:
> > The hosting company have told me that masquerade is not activated:
> >
> > MASQUERADE target isn't activate on your VPS.
> > You can use SNAT or DNAT target in nat tables.
> >
> > So, how can I use SNAT and DNAT to route the traffic to my OpenVPN?
>
> -j SNAT --to-source <internet_ip>

To reply to self.. a better description here would be <external_ip>.

> -j DNAT --to-destination <internal_ip>
>
> Please check the SNAT and DNAT targets with 'man iptables' for the
> details.
>
>
> --
> Rob

[parent not found: <4E980738.5040202@googlemail.com>]
* Re: masquerade error
From: J Webster @ 2011-10-14 9:57 UTC
To: Rob Sterenborg (lists), netfilter

The problem is that the connection comes from a VPN client so I do not
usually know the external IP.
All I know is that they connect on the tun/vpn networks of 10.8.0.0/24
and 172.16.0.0/24.
In the mangle section do I put:

*mangle
:PREROUTING ACCEPT [19588:10233482]
:INPUT ACCEPT [19588:10233482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18858:10334564]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
:POSTROUTING ACCEPT [18858:10334564]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18851:10333352]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [1234:59200]
:POSTROUTING ACCEPT [338:21268]
:OUTPUT ACCEPT [338:21268]
COMMIT

> > > > ow can I use SNAT and DNAT to route the traffic to my OpenVPN?
>>> -j SNAT --to-source <internet_ip>
>> To reply to self.. a better description here would be <external_ip>.
>>
>>> -j DNAT --to-destination <internal_ip>
>>>
>>> Please check the SNAT and DNAT targets with 'man iptables' for the
>>> details.
>>>
>>>
>>> --
>>> Rob

* Re: masquerade error
From: Rob Sterenborg (lists) @ 2011-10-14 10:27 UTC
To: J Webster
Cc: netfilter

On Fri, 2011-10-14 at 10:57 +0100, J Webster wrote:
> The problem is that the connection comes from a VPN client so I do not
> usually know the external IP.

Yes, well, if MASQUERADE is disabled and you can only use SNAT but you
don't know the --to address, then it may not be possible to do what you
want because you can't create a valid rule.
Maybe someone else has a better idea or the VPS provider can shed some
more light.

> All I know is that they connect on the tun/vpn networks of 10.8.0.0/24
> and 172.16.0.0/24.
> In the mangle section do I put:
> *mangle
> :PREROUTING ACCEPT [19588:10233482]
> :INPUT ACCEPT [19588:10233482]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [18858:10334564]
> -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source
> xxx.xxx.xxx.xxx
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source
> xxx.xxx.xxx.xxx
> :POSTROUTING ACCEPT [18858:10334564]
> COMMIT

Did you actually check 'man iptables'? Because the man says:

'SNAT
This target is only valid in the nat table, in the POSTROUTING chain.'

Unless there's something missing (or I'm missing something) in the
above, you're trying to use the mangle table to do NAT.

> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [18851:10333352]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> *nat
> :PREROUTING ACCEPT [1234:59200]
> :POSTROUTING ACCEPT [338:21268]
> :OUTPUT ACCEPT [338:21268]
> COMMIT


--
Rob
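
Added example, not part of any message in this thread: a POSIX shell check for the mistake pointed out in the message above (NAT targets placed in a table other than nat), together with a generator for a nat section that uses SNAT in POSTROUTING. The sample ruleset is constructed from the rules quoted above, 192.0.2.10 is a placeholder for the address the server holds on its outgoing interface, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: the mangle section as posted, with a placeholder address.
sample_ruleset() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source 192.0.2.10
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Read iptables-save text on stdin and print every rule that jumps to SNAT,
# DNAT or MASQUERADE from a table other than nat. Exit status 1 if any found.
lint_nat_targets() {
    awk '
        /^\*/                { table = substr($0, 2); next }  # "*mangle" -> "mangle"
        /^[#:]/ || /^COMMIT/ { next }                         # comments, chain policies
        {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^(SNAT|DNAT|MASQUERADE)$/ && table != "nat") {
                    print table ": " $(i + 1) " is only valid in the nat table: " $0
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Print a *nat section that source-NATs each VPN subnet to the server address.
# Usage: nat_section SERVER_IP OUT_IF SUBNET...
nat_section() {
    server_ip=$1 out_if=$2
    shift 2
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for net in "$@"; do
        printf '%s\n' "-A POSTROUTING -s $net -o $out_if -j SNAT --to-source $server_ip"
    done
    printf '%s\n' 'COMMIT'
}

# Demonstration: the posted layout is rejected, the nat-table layout is printed.
sample_ruleset | lint_nat_targets || echo "ruleset rejected: NAT rules belong in *nat"
nat_section 192.0.2.10 venet0 10.8.0.0/24 172.16.0.0/24
```

The text printed by nat_section is in iptables-save format, so it can be reviewed with the same lint before it replaces the empty *nat section of a saved ruleset.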

* Re: masquerade error
From: J Webster @ 2011-10-14 11:45 UTC
To: Rob Sterenborg (lists), netfilter

Thanks - I will swap those around for the moment and try some things.
For reference, in case there are any obvious problems, my ifconfig,
route, iptables, and openvpn.conf are here:

IFCONFIG:

[root@vps8259 ~]# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:319 errors:0 dropped:0 overruns:0 frame:0
          TX packets:319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:39513 (38.5 KiB)  TX bytes:39513 (38.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.0.1  P-t-P:172.16.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:147594 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:89417786 (85.2 MiB)  TX bytes:82468044 (78.6 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.xxx.xx.xx  P-t-P:192.xxx.xx.xx  Bcast:192.xxx.xx.xx  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

OPENVPN.CONF (I have a udp service also but one thing at a time)

port 1194
proto tcp
dev tun
;crl-verify /etc/openvpn/easy-rsa/crl.pem
client-config-dir /etc/openvpn/ccd
ca /etc/openvpn/easy-rsa/ca.crt
cert /etc/openvpn/easy-rsa/ovpnsrv1.crt
key /etc/openvpn/easy-rsa/ovpnsrv1.key
dh /etc/openvpn/easy-rsa/dh1024.pem
server 172.16.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 213.171.192.249"
push "dhcp-option DNS 213.171.192.245"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
tun-mtu 1460
persist-key
persist-tun
status openvpn-status.log
verb 3
;duplicate-cn # (this means several users can use the same key)
log /var/log/openvpn.log

IPTABLES

# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*mangle
:PREROUTING ACCEPT [19588:10233482]
:INPUT ACCEPT [19588:10233482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18858:10334564]
#-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source 192.xxx.xx.xx
#-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source 192.xxx.xx.xx
:POSTROUTING ACCEPT [18858:10334564]
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18851:10333352]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*nat
:PREROUTING ACCEPT [1234:59200]
:POSTROUTING ACCEPT [338:21268]
:OUTPUT ACCEPT [338:21268]
COMMIT
# Completed on Fri Sep 16 04:59:49 2011

ROUTE

[root@vps8259 openvpn]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.2      *               255.255.255.255 UH    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun1
172.16.0.0      172.16.0.2      255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
192.0.2.0       *               255.255.255.0   U     0      0        0 venet0
169.254.0.0     *               255.255.0.0     U     0      0        0 venet0
default         192.0.2.1       0.0.0.0         UG    0      0        0 venet0