
I followed this guide

IPTABLES inside container guide @ openvz.org (http://openvz.org/Setting_up_an_iptables_firewall#Setting_up_a_firewall_that_allows_per-container_configuration)

I'm running Debian 7 Wheezy x64 which was dist-upgrade'd before installing OpenVZ. The container is Debian 7 x64 minimal.

It's working really well, except now I need to have some IPTABLES rules inside one of my containers (VMs).

I tried to load the module on the host node like this:

root@baremetal-openvz-hostnode:~# modprobe xt_tcpudp

And got this error:

libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-openvz-042stab093.5-amd64/modules.builtin.bin'

FATAL: Module xt_tcpudp not found.

root@baremetal-openvz-hostnode:~# ls /lib/modules/$(uname -r)/kernel/net/netfilter | grep xt_tcp

xt_tcpmss.ko

The other two modules mentioned in the guide (linked above) loaded without issues.

The reason I need the xt_tcpudp module

I'm trying to set these IPTABLES rules inside the container:

iptables -A OUTPUT -o ppp0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

I get these errors (the above-mentioned guide says they occur because the kernel module is missing):

iptables: No chain/target/match by that name.

iptables: No chain/target/match by that name.

===========

user1862165
  • I hate OpenVZ (the current 2.6.x version, anyway) with a passion, but this is still a reasonable question. – Michael Hampton Oct 12 '14 at 13:12
  • Okay, thanks for moderating. BTW I'm new to OpenVZ and I love it. Maybe it's because I'm using it on a Debian hostnode. I tried to install CentOS 6.5 for hours and it was an epic fail. OpenVZ on Debian has been a breeze, aside from my lack of familiarity with OVZ and various other general things I've needed to set up. I've used KVM before but it can't provide what I need for my current project. Every tool has its pros and cons. – user1862165 Oct 14 '14 at 14:46

1 Answer

Okay, it turns out that most information that one will find by doing Google searches about using iptables inside OpenVZ VMs is obsolete.

I solved the issue by doing the following:

Load all IPTABLES modules on the host node (I may remove some after this)

Inside /etc/vz/vz.conf:

IPTABLES_MODULES="iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_REDIRECT, xt_mac, ipt_recent, ipt_owner"

(Note that the old parameter IPTABLES= is obsolete)

Restart OpenVZ

root@baremetal-openvz-hostnode:~# /etc/init.d/vz restart

Enable all of the netfilters (new keyword) on the container:

root@baremetal-openvz-hostnode:~# vzctl set 1234 --netfilter full --save

root@baremetal-openvz-hostnode:~# vzctl restart 1234

Alrighty.

Here are the relevant docs:

  1. The new list of IPTABLES netfilter module names.
  2. The new OpenVZ global parameters
user1862165
  • Please note that the [official OpenVZ documentation page](http://openvz.org/Setting_up_an_iptables_firewall#Setting_up_a_firewall_that_allows_per-container_configuration) that I linked in my question is obsolete as well. Firstly it says it's necessary to load the xt_tcpudp kernel module (that was not possible using the latest software) and also it recommends using the `IPTABLES=` global parameter that is also obsolete. – user1862165 Oct 12 '14 at 13:05
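The question and the answer above hinge on one diagnostic step: deciding whether a netfilter match such as `xt_tcpudp` is loaded on the host node, built into the host kernel (in which case `modprobe` reports it as not found even though the match works), present as a loadable `.ko`, or absent, because a container can never `modprobe` anything itself. The script below is an added example, not code from the question, the answer or the OpenVZ project. It assumes the standard `/proc/modules`, `modules.builtin` and `/lib/modules/$(uname -r)/kernel` layout, and its mapping from iptables options to module names (`-p tcp`/`-p udp` to `xt_tcpudp`, `-m state` to `xt_state`, `-j REJECT` to `ipt_REJECT`, and so on) is an assumption based on the 2.6.32-era netfilter tree, limited to the extensions this thread mentions. The host tree it runs against at the bottom is a constructed fixture, not data from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): locate the kernel modules an
# iptables rule needs on an OpenVZ host node before trying the rule inside a
# container. All paths are parameters so the functions can be exercised
# offline against the constructed fixture at the bottom.

# module_status NAME LOADED_LIST BUILTIN_LIST KO_DIR
#   LOADED_LIST  : /proc/modules on a real host (what lsmod reads)
#   BUILTIN_LIST : /lib/modules/$(uname -r)/modules.builtin
#   KO_DIR       : /lib/modules/$(uname -r)/kernel
# Prints one of: loaded builtin available missing (exit 1 only for missing).
module_status() {
    ms_mod=$1; ms_loaded=$2; ms_builtin=$3; ms_kodir=$4
    # /proc/modules: the first field of each line is the module name.
    if [ -r "$ms_loaded" ] && awk -v m="$ms_mod" '$1 == m { f = 1 } END { exit !f }' "$ms_loaded"; then
        echo loaded; return 0
    fi
    # modules.builtin lists object paths such as kernel/net/netfilter/xt_tcpudp.ko;
    # a built-in match has no .ko to load, so modprobe says "not found".
    if [ -r "$ms_builtin" ] && grep -q "/$ms_mod\.ko\$" "$ms_builtin"; then
        echo builtin; return 0
    fi
    # A loadable object somewhere under the kernel/ tree.
    if [ -d "$ms_kodir" ] && [ -n "$(find "$ms_kodir" -name "$ms_mod.ko" 2>/dev/null | head -n 1)" ]; then
        echo available; return 0
    fi
    echo missing; return 1
}

# rule_modules RULE... -> space-separated, de-duplicated list of the modules
# the rule's protocol, matches and targets need. ASSUMPTION: 2.6.32-era names;
# only the extensions that appear in this thread are covered.
rule_modules() {
    out=""
    while [ $# -gt 0 ]; do
        val=${2:-}
        case $1 in
            -p|--protocol) case $val in tcp|udp) out="$out xt_tcpudp";; esac ;;
            -m|--match)
                case $val in
                    state)     out="$out xt_state";;
                    conntrack) out="$out xt_conntrack";;
                    limit)     out="$out xt_limit";;
                    multiport) out="$out xt_multiport";;
                esac ;;
            -j|--jump)
                case $val in
                    REJECT) out="$out ipt_REJECT";;
                    LOG)    out="$out ipt_LOG";;
                esac ;;
        esac
        shift
    done
    printf '%s\n' $out | awk '!seen[$0]++' | paste -sd ' '
}

# check_rule LOADED_LIST BUILTIN_LIST KO_DIR RULE...
# One "<module> <status>" line per required module. Returns 1 if any module is
# missing: that rule will fail inside the container with
# "No chain/target/match by that name", and the fix belongs on the host node
# (load the module there, or list it in IPTABLES_MODULES), not in the container.
check_rule() {
    cr_loaded=$1; cr_builtin=$2; cr_kodir=$3; shift 3
    rc=0
    for m in $(rule_modules "$@"); do
        st=$(module_status "$m" "$cr_loaded" "$cr_builtin" "$cr_kodir") || rc=1
        echo "$m $st"
    done
    return $rc
}

# make_fixture DIR: constructed sample host tree (not real data). It models
# xt_state loaded, xt_tcpudp built into the kernel, xt_tcpmss present as a .ko
# but not loaded (as in the question's ls output), and ipt_REJECT absent.
make_fixture() {
    d=$1
    mkdir -p "$d/kernel/net/netfilter"
    printf '%s\n' \
        'xt_state 1234 0 - Live 0xffffffffa0000000' \
        'nf_conntrack 61000 1 xt_state, Live 0xffffffffa0010000' \
        > "$d/proc_modules"
    printf '%s\n' \
        'kernel/net/netfilter/x_tables.ko' \
        'kernel/net/netfilter/xt_tcpudp.ko' \
        > "$d/modules.builtin"
    : > "$d/kernel/net/netfilter/xt_tcpmss.ko"
}

# Demo against the fixture; on a real host pass /proc/modules and the
# /lib/modules/$(uname -r) paths instead.
FIX=$(mktemp -d)
make_fixture "$FIX"
check_rule "$FIX/proc_modules" "$FIX/modules.builtin" "$FIX/kernel" \
    -A OUTPUT -o ppp0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
check_rule "$FIX/proc_modules" "$FIX/modules.builtin" "$FIX/kernel" \
    -A INPUT -p tcp -j REJECT || echo "rule would fail inside the container"
rm -rf "$FIX"
```

A `builtin` result is the case the question tripped over: the match is usable without any `modprobe`, so the "Module xt_tcpudp not found" error is not evidence that the container's rule will fail. Only a `missing` result means the host node needs a different kernel or module set; `available` means the module simply has to be loaded on the host (or listed in `IPTABLES_MODULES`) and then exposed to the container with `vzctl set ... --netfilter`.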