[Users] iptables not working in VE (kernel 2.6.24-6-fza-686)
Adem
for-gmane at alicewho.com
Thu Nov 20 22:45:26 EST 2008
I'm using the same OS (Debian 5, aka Lenny) for both the host OS (HN) and
the guest OS (VE); both are updated, upgraded and dist-upgraded,
i.e. they are both up to date with the latest official release.
The problem is: iptables does not work in the VE.
For example the following firewall script excerpt does work well
in the HN, but fails in the VE (gives error "iptables: Invalid argument"):
...
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
exit 0 # the error happens in the previous line
...
It seems it doesn't understand either "-m" (match) or "state",
although all required iptables modules seem to be loaded in both HN and VE:
This is the VE, entered in 'goebbels mode' :-) :
goebbels:~/cfg# cat /proc/net/ip_tables_matches
connlimit
helper
conntrack
length
ttl
tcpmss
multiport
multiport
limit
tos
udplite
udp
tcp
recent
state
icmp
goebbels:~/cfg#
This is the HN:
comp115:~/cfg# cat /proc/net/ip_tables_matches
connlimit
helper
conntrack
length
ttl
tcpmss
multiport
multiport
limit
tos
udplite
udp
tcp
recent
state
icmp
comp115:~/cfg#
My IPTABLES setting in /etc/vz/vz.conf on the HN:
IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter \
iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack \
ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper ipt_state \
xt_connlimit ipt_recent iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS "
uname -a on HN:
comp115:~/cfg# uname -a
Linux comp115 2.6.24-6-fza-686 #1 SMP Mon May 19 06:30:48 UTC 2008 i686 GNU/Linux
uname -a on VE:
goebbels:~/cfg# uname -a
Linux goebbels 2.6.24-6-fza-686 #1 SMP Mon May 19 06:30:48 UTC 2008 i686 GNU/Linux
Is it maybe because I'm logged in in 'goebbels mode'?
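An added example, not part of Adem's post: a small POSIX shell script that generalises the check done above by hand. It pulls every "-m <match>" out of a firewall script, looks each one up in a copy of /proc/net/ip_tables_matches, and for any match the VE kernel does not expose, reports whether the corresponding module is even listed in the HN's /etc/vz/vz.conf IPTABLES= setting. The input is constructed here (the post's match table and IPTABLES= list, plus an extra "-m owner" rule that is not in the post) so the script runs offline; the assumption that a match named X is provided by a module called ipt_X or xt_X is mine, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the "-m" matches a
# firewall script uses against the VE's ip_tables_matches table and the HN's
# vz.conf IPTABLES= list. All inputs below are constructed for offline use.

# Constructed copy of the VE's /proc/net/ip_tables_matches, as shown in the post.
SAMPLE_MATCHES="connlimit
helper
conntrack
length
ttl
tcpmss
multiport
limit
tos
udplite
udp
tcp
recent
state
icmp"

# Constructed vz.conf IPTABLES= line (the post's list, joined onto one line).
SAMPLE_VZCONF='IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper ipt_state xt_connlimit ipt_recent iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS "'

# Constructed firewall excerpt: the post's rules plus two extra "-m" rules.
# The "-m owner" line is made up to show what a missing match looks like.
SAMPLE_RULES='/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
/sbin/iptables -A INPUT -m owner --uid-owner 0 -j ACCEPT'

# extract_matches RULES: print each distinct name that follows a "-m" flag.
extract_matches() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }' |
        sort -u
}

# match_present NAME MATCHES: succeed if NAME is a whole line of MATCHES.
match_present() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# module_listed NAME VZCONF: succeed if ipt_NAME or xt_NAME is in IPTABLES=.
# (Assumption: the match NAME maps to a module with one of these prefixes.)
module_listed() {
    value=$(printf '%s\n' "$2" | sed -n 's/^IPTABLES="\(.*\)"$/\1/p')
    for m in $value; do
        if [ "$m" = "ipt_$1" ] || [ "$m" = "xt_$1" ]; then
            return 0
        fi
    done
    return 1
}

# missing_matches RULES MATCHES VZCONF: one line per match the rules use that
# the VE kernel does not list, noting whether vz.conf asks for it at all.
missing_matches() {
    for name in $(extract_matches "$1"); do
        if ! match_present "$name" "$2"; then
            if module_listed "$name" "$3"; then
                echo "$name: not loaded in VE although listed in vz.conf IPTABLES="
            else
                echo "$name: not loaded in VE and not listed in vz.conf IPTABLES="
            fi
        fi
    done
}

# With the constructed input, only "owner" is reported; "state" and "multiport"
# are present in the table, exactly as the post observes for "state".
missing_matches "$SAMPLE_RULES" "$SAMPLE_MATCHES" "$SAMPLE_VZCONF"
```

On a real system you would replace the three SAMPLE_ variables with the output of `cat /proc/net/ip_tables_matches` inside the VE, the IPTABLES= line from /etc/vz/vz.conf on the HN, and the firewall script itself. Note that, as the post shows, a match being listed in that table does not by itself guarantee the rule will load; the script only narrows the search to matches the VE cannot see at all.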