[Users] Re: iptables not working in VE (kernel 2.6.24-6-fza-686)
Aleksandar Ivanisevic
aleksandar at ivanisevic.de
Fri Nov 21 11:23:35 EST 2008
"Adem" <for-gmane at alicewho.com> writes:
> "Aleksandar Ivanisevic" wrote:
>> "Adem" writes:
>>
>> > My IPTABLES setting in /etc/vz/vz.conf on the HN:
>> > IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter \
>> > iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack \
>> > ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper ipt_state \
>> > xt_connlimit ipt_recent iptable_nat ip_nat_ftp
>> > ip_nat_irc ipt_TOS "
>>
>> Are you sure you restarted the container after changing this line?
>
> Yes. Even deleted and recreated the VE, and restarted the machine.
>
>> Also, modules need to be loaded in the host if you want them to work in
>> VEs. What does lsmod | grep ip_ on the host say?
>
> # lsmod | grep ip_
> ip_tables 14216 3 iptable_nat,iptable_mangle,iptable_filter
> x_tables 16228 18 xt_tcpudp,ipt_TOS,iptable_nat,ipt_recent,xt_connlimit,xt_state,xt_helper,xt_conntrack,ipt_LOG,xt_length,ipt_ttl,xt_tcpmss,xt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,ip_tables
>
> I somehow managed to get the firewall rules working in the VE,
> except the ipt_recent module, as this module does not load for the VE.
> vzctl gives this warning when creating the VE:
> "Warning: Unknown iptable module: ipt_recent, skipped"
> For more details on this please see the other thread titled
> "ipt_recent Problems".
For me, recent works since I added ip_conntrack in MODULES, like you
have above; see http://bugzilla.openvz.org/show_bug.cgi?id=1049
--
That you are frustrated, envious of who knows what, and cannot see past
your own backside is sad. If you at least had enough self-control to keep
quiet instead of making a fool of yourself... it seems you are too old to
change for the better. - Davor Pasaric, hr.comp.mac
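The check Aleksandar asks for earlier in the thread (are the modules named in the VE's IPTABLES list actually loaded on the hardware node?) as a script. This is an added example, not code from the thread or from the OpenVZ project. It parses the IPTABLES="..." value from a vz.conf-style file, compares it with an lsmod listing, and prints the requested modules the host has not loaded. Two assumptions: a module named in lsmod's "Used by" column counts as loaded (it must be, to be a user), and a request for ipt_foo is satisfied by a loaded xt_foo, which is how ipt_state, ipt_helper and the rest appear in the lsmod output quoted above. It covers only the "loaded on the host" condition; vzctl's "Unknown iptable module" warning comes from vzctl's own list of known names and is not reproduced here. The sample vz.conf and lsmod input are constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenVZ project):
# report modules requested in IPTABLES="..." that the host has not loaded.

# Print the module names from the IPTABLES="..." value in the file on
# stdin, one per line. The value may span several lines joined with
# trailing backslashes; the closing double quote ends it.
vz_iptables_list() {
    awk '
        /^IPTABLES=/ { inlist = 1; sub(/^IPTABLES="?/, "") }
        inlist {
            line = $0
            done = (line ~ /"[[:space:]]*$/)   # closing quote ends the value
            gsub(/[\\"]/, "", line)            # drop continuations and quotes
            n = split(line, w, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
            if (done) inlist = 0
        }'
}

# Print every module name an lsmod listing proves loaded: the Module column
# plus the names in the "Used by" column (assumption: a user of a module is
# itself loaded). The header line, if present, is skipped.
lsmod_loaded() {
    awk '$1 != "Module" {
        print $1
        if (NF >= 4) { n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }
    }' "$1"
}

# $1 = vz.conf path, $2 = file holding lsmod output.
# Prints each requested module that is loaded neither under its own name
# nor under the xt_ spelling (assumption: ipt_foo is served by xt_foo).
missing_modules() {
    loaded=" $(lsmod_loaded "$2" | tr '\n' ' ') "
    vz_iptables_list < "$1" | while read -r mod; do
        alt="xt_${mod#ipt_}"
        case "$loaded" in
            *" $mod "*) ;;      # loaded under its own name
            *" $alt "*) ;;      # loaded under the xt_ name
            *) echo "$mod" ;;
        esac
    done
}

# Demo on constructed input mirroring the thread: the IPTABLES line from the
# original post (including its unescaped line break) and the two lsmod rows
# the poster showed. Prints the missing modules, one per line.
demo_missing() {
    dir=$(mktemp -d)
    cat > "$dir/vz.conf" <<'EOF'
IPTABLES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter \
iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack \
ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper ipt_state \
xt_connlimit ipt_recent iptable_nat ip_nat_ftp
ip_nat_irc ipt_TOS "
EOF
    cat > "$dir/lsmod.txt" <<'EOF'
Module                  Size  Used by
ip_tables              14216  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               16228  18 xt_tcpudp,ipt_TOS,iptable_nat,ipt_recent,xt_connlimit,xt_state,xt_helper,xt_conntrack,ipt_LOG,xt_length,ipt_ttl,xt_tcpmss,xt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,ip_tables
EOF
    missing_modules "$dir/vz.conf" "$dir/lsmod.txt"
    rm -rf "$dir"
}

demo_missing
```

On the thread's own data the script lists ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ip_nat_ftp and ip_nat_irc as requested but not loaded on the node, which is consistent with the suggestion above to load ip_conntrack; for a live host, run it as missing_modules /etc/vz/vz.conf <(lsmod) in bash or save lsmod output to a file first.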