With the update of vzctl from 4.6 to 4.7, the default was changed so that nf_conntrack is disabled for VE0. (https://openvz.org/Download/vzctl/4.7/changes)
Corresponding commit message:
…
Disable conntrack for VE0 by default
IP conntrack functionality has some negative impact on venet performance (up to about 10%), so they better be disabled by default.
…
(Source: http://git.openvz.org/?p=vzctl;a=commit;h=a191a462579ee)
Solution:
Depending on the distribution, the setting is in a file somewhere under the /etc directory. Find it:
$ sudo grep -R "options nf_conntrack ip_conntrack_disable_ve0=1" /etc/modprobe.d/
and replace the “1” with “0”:
options nf_conntrack ip_conntrack_disable_ve0=0
Then reboot your system.
(Source: https://bugzilla.openvz.org/show_bug.cgi?id=2943#c5)
As an alternative to rebooting, unload the modules:
rmmod iptable_nat
rmmod nf_nat
rmmod nf_conntrack_ipv4
rmmod nf_conntrack
NAT now works.
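The find-and-replace step above as a script. This is an added example, not part of the original post or of vzctl. The function name enable_ve0_conntrack, the file name openvz.conf and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). enable_ve0_conntrack is a
# hypothetical helper name; the directory argument defaults to /etc/modprobe.d.

# Active (uncommented) "options nf_conntrack" line that still carries value 1.
VE0_PATTERN='^[[:space:]]*options[[:space:]]+nf_conntrack[[:space:]].*ip_conntrack_disable_ve0=1([[:space:]]|$)'

# Set ip_conntrack_disable_ve0=1 to 0 in every regular file directly inside
# the given directory. Prints the number of files changed.
enable_ve0_conntrack() {
    dir="${1:-/etc/modprobe.d}"
    changed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$VE0_PATTERN" "$f" || continue
        tmp=$(mktemp) || return 1
        # Touch only nf_conntrack option lines; other options on the same
        # line and commented-out lines are left as they are.
        sed '/^[[:space:]]*options[[:space:]][[:space:]]*nf_conntrack[[:space:]]/ {
            s/\(ip_conntrack_disable_ve0=\)1$/\10/
            s/\(ip_conntrack_disable_ve0=\)1\([[:space:]]\)/\10\2/
        }' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Overwrite in place so owner and mode of the original file are kept.
        cat "$tmp" > "$f" || { rm -f "$tmp"; return 1; }
        rm -f "$tmp"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Demo on a constructed directory, so nothing under /etc is modified.
demo_dir=$(mktemp -d)
printf 'options nf_conntrack ip_conntrack_disable_ve0=1\n' > "$demo_dir/openvz.conf"
echo "files changed: $(enable_ve0_conntrack "$demo_dir")"
cat "$demo_dir/openvz.conf"
rm -rf "$demo_dir"
```

Run against the real directory as root, then reboot or unload the modules as described above.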
All sources:
Changelog for vzctl 4.7: https://openvz.org/Download/vzctl/4.7/changes
Bug report with solution in comments: https://bugzilla.openvz.org/show_bug.cgi?id=2943
Bug report with shortened solution description: https://bugzilla.openvz.org/show_bug.cgi?id=2755#c4
Corresponding GIT commit: http://git.openvz.org/?p=vzctl;a=commit;h=a191a462579ee
Related Wiki article: https://openvz.org/NAT#IP_conntracks