[Users] [PVE-User] iptables -L -t nat not working inside VE
Dietmar Maurer
dietmar at proxmox.com
Thu Jan 8 09:39:20 EST 2009
I have the same behavior. It works on the HN, but inside the CT there is no nat table:
# cat /proc/net/ip_tables_names
mangle
filter
No idea why.
> -----Original Message-----
> From: users-bounces at openvz.org [mailto:users-bounces at openvz.org] On
> Behalf Of Pongracz Istvan
> Sent: Thursday, 08 January 2009 12:53
> To: Users at openvz.org
> Subject: [Users] [PVE-User] iptables -L -t nat not working inside VE
>
> Hi All,
>
> I try to use iptables rules inside the container, but it seems the nat
> table is not accessible inside the container:
>
> # iptables -L -t nat
> FATAL: Could not load /lib/modules/2.6.24-1-pve/modules.dep: No such
> file or directory
> iptables v1.3.6: can't initialize iptables table `nat': Table does not
> exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
>
> I googled around but I did not find a solution for this problem.
>
> I use the Proxmox version of OpenVZ, which is based on Debian.
> 2.6.24-openvz kernel
> I think you know them, their developers are on this list :)
>
> I used the following systems as VE for testing this problem:
> debian
> - lenny i386
> - etch i386
> - etch amd64
>
> I found that, if I try to load ip_conntrack on the HN by modprobe
> ip_conntrack, nothing happens.
> This module does not appear on the list (lsmod).
> There is nothing in the dmesg log.
>
> Sometimes I got this dmesg error, I think at the time when '-m state '
> exists in the iptables parameters:
> 'can't load conntrack support for proto=2'
>
> I have this line in my vz.conf to enable modules for VEs:
>
> IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter
> iptable_mangle ipt_TCPMSS ipt_tcpmss \
> ipt_ttl ipt_length ip_conntrack ip_conntrack_ftp
> ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper \
> ipt_state iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS "
>
>
> Normal iptables rules are working, but not NAT and related parameters.
> On the hardware node there is a well working shorewall firewall, if it
> does matter....
>
> Does anybody know this behaviour and the solution (if there is any
> solution)?
>
> Further investigation is possible, if somebody has an idea :)
> I'm more or less out of fresh ideas at this moment.
>
> Thanks in advance,
> István
>
>
> --
> BSA. Mert megérdemlitek.
> Open Source. Mert megérdemlem.
> --
> BSA. They value it.
> Open Source. The value. It.
> --
> http://www.startit.hu
> http://www.osbusiness.hu
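A diagnostic for the symptom described in this thread, as an added example that is not part of either message: it lists the tables that the IPTABLES= line requests through iptable_* modules but that the container's /proc/net/ip_tables_names does not show. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report tables requested in vz.conf
# that are absent from the container's /proc/net/ip_tables_names.

# Table names implied by the iptable_* entries of IPTABLES="..." in a
# vz.conf-style file. Commented-out lines are ignored; backslash-continued
# and line-wrapped values are handled by flattening the file first.
configured_tables() {
    grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ' |
        sed -n 's/.*IPTABLES="\([^"]*\)".*/\1/p' |
        tr -s ' \t\\' '\n\n\n' | sed -n 's/^iptable_//p' | sort -u
}

# $1 = vz.conf-style file from the HN
# $2 = file holding the CT's /proc/net/ip_tables_names output
# Prints one missing table name per line; prints nothing if all are present.
missing_tables() {
    for t in $(configured_tables "$1"); do
        grep -qxF -- "$t" "$2" || echo "$t"
    done
}

# Constructed sample input, modelled on the values quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/vz.conf" <<'EOF'
# IPTABLES="iptable_raw"
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle \
    ip_conntrack ipt_state iptable_nat ip_nat_ftp ipt_TOS "
EOF
printf 'mangle\nfilter\n' > "$SAMPLE_DIR/ip_tables_names"

# With the sample data this prints the one table the CT does not expose.
missing_tables "$SAMPLE_DIR/vz.conf" "$SAMPLE_DIR/ip_tables_names"
```

On a real node, pass the node's vz.conf and a copy of the container's /proc/net/ip_tables_names in place of the sample files.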