
After an unsuccessful p2v migration of my Ubuntu server to an OpenVZ container, which I am stuck with, I thought I would give a try to a reinstall based on a clean OpenVZ template for Ubuntu 9.10 (from the OpenVZ wiki).

When I try to load my iptables rules on the VM machine I've been getting errors which I believe are related to kernel modules not being loaded on the VM from the /vz/XXX.conf template model.

I've been testing with a few posts I've found, but I was stuck with the error:

WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Could not load /lib/modules/2.6.24-10-pve/modules.dep: No such file or directory
iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I read about the template not loading all iptables modules so I added modules to the XXX.conf of the VZ virtual machine like this:

IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"

As the error remained, I read that I should rebuild the module dependencies on the virtual machine with:

depmod -a

but this returned an error:

WARNING: Couldn't open directory /lib/modules/2.6.24-10-pve: No such file or directory
FATAL: Could not open /lib/modules/2.6.24-10-pve/modules.dep.temp for writing: No such file or directory

So I read again about creating the empty directory and redoing "depmod -a".

I now don't get the dependencies error, but get this instead, and I don't have a clue how to proceed:

WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I understand that iptables rules have to be different on the VM machine, and perhaps some of the rules we are trying to apply (from our physical server) are not compatible, but these are just source IP and destination port checks that I would like to have available. I've heard that on the CentOS template there are no issues with this, so I understand it is to do with the VM config.

Any help would be greatly appreciated.

Question should probably be closed instead of repeatedly bumped by community since 9.10 reached end of life a year ago. – psusi Apr 10 '12 at 02:31

3 Answers


I had been asking the same question once upon a time :) It turned out, as it seems, that you need at least 2.6.32-ovz for RAW inside VEs.


Not a direct answer, but for my openvz machines I put my iptables rules on the host machine. Then they are in one place, and everything has to go through the host anyway. You might find this easier and cleaner (but maybe not).

Yes, we would likely do that as well, but had thought of having some simple additional security rules at the VM. Do you use simple iptables at the host? Does anyone have experience with CSF running at the host machine? Thanks. – luison Feb 24 '10 at 11:13

According to this article there is a little setup required on the host node. (The text below is mostly from the article, but is not block quoted so as to make it more readable.)

First, the host node should forward all traffic. The following commands make the default FORWARD action ACCEPT, and then flush all rules on the FORWARD chain.

iptables -P FORWARD ACCEPT
iptables -F FORWARD

If you want to use a firewall inside a container, please load these modules BEFORE starting the container:

modprobe xt_tcpudp
modprobe ip_conntrack

If you do not, you will get an error like this: "iptables: No chain/target/match by that name"

If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file:

IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"

Also make sure the 'xt_state' module is loaded on the host:

modprobe xt_state
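As an added example (not code from the answer above or from OpenVZ), a POSIX shell script that checks a vz.conf IPTABLES= option and a /proc/modules listing against the modules this answer says a stateful firewall inside a container needs. The sample config and module listing are constructed inline so it runs offline; reading the real /etc/vz/vz.conf and /proc/modules instead is an assumption left to the reader.

```shell
#!/bin/sh
# Added example (not from the answer or OpenVZ): check a vz.conf IPTABLES=
# option and a /proc/modules listing against the modules the answer says a
# stateful firewall inside a container needs. Inputs are constructed inline.

# The IPTABLES value the answer recommends (copied from the page).
RECOMMENDED='ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state'
# Host modules the answer says to modprobe before starting the container.
HOST_MODULES='xt_tcpudp ip_conntrack xt_state'

# Print the value of the IPTABLES="..." line from vz.conf text on stdin.
iptables_option() {
    sed -n 's/^IPTABLES="\([^"]*\)".*/\1/p'
}

# Print each space-separated name in $2 that does not appear in list $1.
list_missing() {
    have="$1"; want="$2"
    for m in $want; do
        case " $have " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Read /proc/modules-style text on stdin; print required host modules not loaded.
host_missing() {
    loaded=$(awk '{ print $1 }' | tr '\n' ' ')
    list_missing "$loaded" "$HOST_MODULES"
}

# Constructed vz.conf excerpt: ipt_state is absent, so stateful rules
# inside the container would not work.
SAMPLE_CONF='VE_ROOT="/vz/root/$VEID"
IPTABLES="ipt_REJECT ipt_tos iptable_filter iptable_mangle"
'
# Constructed /proc/modules excerpt: xt_state has not been loaded.
SAMPLE_MODULES='xt_tcpudp 3000 1 - Live 0x0
ip_conntrack 50000 2 - Live 0x0
iptable_filter 2000 1 - Live 0x0
'

echo 'vz.conf IPTABLES option is missing:'
list_missing "$(printf '%s' "$SAMPLE_CONF" | iptables_option)" "$RECOMMENDED"
echo 'host modules not loaded:'
printf '%s' "$SAMPLE_MODULES" | host_missing
```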