[Users] [PVE-User] iptables -L -t nat not working inside VE

Dietmar Maurer dietmar at proxmox.com
Thu Jan 8 09:39:20 EST 2009 

I have the same behavior. It works on the HN, but inside the CT there is no nat table:

# cat /proc/net/ip_tables_names
mangle
filter

no idea why.

> -----Original Message-----
> From: users-bounces at openvz.org [mailto:users-bounces at openvz.org] On
> Behalf Of Pongracz Istvan
> Sent: Donnerstag, 08. Jänner 2009 12:53
> To: Users at openvz.org
> Subject: [Users] [PVE-User] iptables -L -t nat not working inside VE
> 
> Hi All,
> 
> I try to use iptables rules inside the container but it seems, nat
> table
> is not accessible inside the container:
> 
> # iptables -L -t nat
> FATAL: Could not load /lib/modules/2.6.24-1-pve/modules.dep: No such
> file or directory
> iptables v1.3.6: can't initialize iptables table `nat': Table does not
> exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> 
> 
> I googled around but I did not find solution for this
> problem.
> 
> I use Proxmox version of openvz, which is based on debian.
> 2.6.24-openvz kernel
> I think, you know them, their developers are on this list :)
> 
> I used the following systems as VE for testing this problem:
> debian
>    - lenny i386
>    - etch i386
>    - etch amd64
> 
> I found that, if I try to load ip_conntrack on the HN by modprobe
> ip_conntrack, nothing happens.
> This module does not appear on the list (lsmod).
> There is nothing in the dmesg log.
> 
> Sometimes I got this dmesg error, I think that time, when '-m state '
> exists in the iptables parameters:
> 'can't load conntrack support for proto=2'
> 
> I have this line in my vz.conf to enable modules for VEs:
> 
> IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter
> iptable_mangle ipt_TCPMSS ipt_tcpmss \
>           ipt_ttl ipt_length ip_conntrack ip_conntrack_ftp
> ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper \
>           ipt_state iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS  "
> 
> 
> Normal iptables rules are working but NAT and related parameters.
> On the hardware node there is a well working shorewall firewall, if it
> does matter....
> 
> Does anybody know this behaviour and the solution (if there is any
> solution)?
> 
> Further investigation is possible, if somebody has an idea :)
> I'm more or less out with fresh ideas at this moment.
> 
> Thanks in advance,
> István
> 
> 
> --
> BSA. Mert megérdemlitek.
> Open Source. Mert megérdemlem.
> --
> BSA. They value it.
> Open Source. The value. It.
> --
> http://www.startit.hu
> http://www.osbusiness.hu
> 
> 
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://openvz.org/mailman/listinfo/users

More information about the Users mailing list