[Users] Re: iptables not working in VE (kernel 2.6.24-6-fza-686)

Aleksandar Ivanisevic aleksandar at ivanisevic.de
Fri Nov 21 07:41:21 EST 2008


"Adem" <for-gmane at alicewho.com> writes:

> I'm using for both the host OS (HN) and guest OS (VE) the same
> OS (Debian 5 aka Lenny); both are updated, upgraded and dist-upgraded,
> i.e. they both are up to date with the latest official release.
> The problem is: iptables does not work in the VE.
> For example the following firewall script excerpt does work well
> in the HN, but fails in the VE (gives error "iptables: Invalid argument"):
>
> ...
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -Z
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> exit 0   # the error happens in the previous line
> ...
>
> It seems it doesn't understand either "-m" (match) or "state",
> although all required iptable modules seem to be loaded in both HN
> and VE:

[...]

> My IPTABLES setting in /etc/vz/vz.conf on the HN:
> IPTABLES="ip_tables        ipt_REJECT       ipt_tos     ipt_limit     ipt_multiport iptable_filter \
>           iptable_mangle   ipt_TCPMSS       ipt_tcpmss  ipt_ttl       ipt_length    ip_conntrack   \
>           ip_conntrack_ftp ip_conntrack_irc ipt_LOG     ipt_conntrack ipt_helper    ipt_state      \
>           xt_connlimit     ipt_recent       iptable_nat ip_nat_ftp       ip_nat_irc  ipt_TOS "


Are you sure you restarted the container after changing this line? 

Also, modules need to be loaded in the host if you want them to work in
VEs. What does lsmod | grep ip_ on the host say?
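
The host-side check suggested above, as an added example that is not part of the original message: it lists the names in the IPTABLES setting of a vz.conf-style file that do not appear in lsmod output. The function names and the sample files are constructed for illustration, and names are compared literally.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the names listed in IPTABLES="..." of a vz.conf-style file,
# one per line, after joining backslash-continued lines.
vz_iptables_modules() {
    awk '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = ""
          if (line ~ /^IPTABLES=/) {
              gsub(/^IPTABLES=|"/, "", line)
              n = split(line, names, /[ \t]+/)
              for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
          } }
    ' "$1"
}

# Print the module names (first column) from saved lsmod output,
# skipping the header line.
loaded_modules() {
    awk 'NR > 1 { print $1 }' "$1"
}

# Print every name configured in IPTABLES that lsmod does not show as loaded.
# $1 = vz.conf-style file, $2 = file holding lsmod output from the host.
missing_on_host() {
    loaded=$(loaded_modules "$2")
    for m in $(vz_iptables_modules "$1"); do
        printf '%s\n' "$loaded" | grep -qxF "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample input (not taken from the thread).
tmp=$(mktemp -d)
cat > "$tmp/vz.conf" <<'EOF'
IPTABLES="ip_tables iptable_filter \
          ipt_state ip_conntrack"
EOF
cat > "$tmp/lsmod.txt" <<'EOF'
Module                  Size  Used by
iptable_filter          2176  1
ip_tables              10160  1 iptable_filter
EOF

missing_on_host "$tmp/vz.conf" "$tmp/lsmod.txt"
```

On a real host, save the output of lsmod to a file and pass it together with /etc/vz/vz.conf; an empty result means every configured name is loaded under that exact name.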


