[Users] problem with iptables inside VE

knawnd knawnd at gmail.com
Tue May 13 21:32:22 PDT 2014


Hello, Sergey!

Another assumption: if you use vzctl-4.7.x and have NETFILTER [1] 
parameter set to "stateless" in container's config file then try to 
change it to "full".

Best regards,
Nikolay.

[1] 
https://github.com/kolyshkin/vzctl/commit/9b8afa654945acc6d3bd782f622aaf9c54e4e87b

On 05/14/14 02:28, Jean-Marc Pigeon wrote:
> Bonjour Sergey,
>
>
> HOST: /etc/vz/vz.conf: could your IPTABLES definition be wrong?
>
> IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos ipt_limit 
> ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss 
> ipt_ttl ipt_length"
>
>
> Quoting Sergey Ivanov <seriv at cs.umd.edu>:
>
>> Hi,
>> I need help with openvz setup.
>> Here is the problem. In VE I have:
>> ---
>> # iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j LOG --log-prefix "ipt.forward: " --log-level 7
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> ---
>> and when I try to ssh to the VE, I fail, and in dmesg I see lines
>> about it like these (I've modified the MAC):
>> ---
>> [ 9343.653892] ipt.input: IN=eth0 OUT=
>> MAC=00:de:ad:be:af:da:de:ad:be:af:de:ad:be:af SRC=10.0.128.117
>> DST=10.0.127.53 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1295 DF PROTO=TCP
>> SPT=48744 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
>> ---
>> Immediately after "service iptables stop" I have a working ssh service and
>> can log in to the VE remotely. I want to do this with iptables.
>>
>> I use RHEL6 as the HE and tried Fedora-20 downloaded from
>> http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz.
>> I use VLANs; the trunk goes to the physical interface em1, the HE has an
>> IP address on VLAN 128, and there is an em1.128 interface for it.
>> The virtual environment has a netif, created by
>> ---
>> vzctl set 12753 --save --netif_add eth0,,veth12753,,br.127
>> ---
>> I've set up the bridge br.127 for this VLAN, with em1.127 added to it
>> automatically by the ifcfg scripts, and
>> ---
>> EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
>> ---
>> in vznet.conf adds the veth to it. I'm using vzkernel
>> 2.6.32-042stab088.4
>>
>> -- 
>>   Regards,
>>   Sergey Ivanov.
>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
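The check Nikolay suggests can be scripted. The following is an added example, not code from the thread or from vzctl: it reads the NETFILTER value from a container config file, looks for stateful matches (-m state / -m conntrack) in an "iptables -S" dump taken inside the VE, and flags the combination of NETFILTER="stateless" with rules that rely on connection tracking. The assumption (following the advice above) is that a "stateless" container lacks conntrack, so "-m state --state NEW" never matches and the SYN falls through to the LOG and REJECT rules exactly as in Sergey's dmesg output. The config file and rule dump below are constructed samples; on a real host you would point the functions at /etc/vz/conf/<CTID>.conf and at the output of "vzctl exec <CTID> iptables -S".

```shell
#!/bin/sh
# Added example: detect a vzctl NETFILTER="stateless" container whose
# iptables rules depend on connection tracking. Not part of vzctl.

# Print the NETFILTER value from a vzctl container config (last assignment
# wins, as it would when the config is sourced by a shell). Quotes are stripped.
netfilter_mode() {
    sed -n 's/^NETFILTER=["'\'']*\([a-z_]*\)["'\'']*.*/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) if the "iptables -S" dump contains a stateful match,
# i.e. anything that needs conntrack to work inside the VE.
rules_need_conntrack() {
    grep -Eq -- '-m (state|conntrack)( |$)' "$1"
}

# Print a verdict and return 1 when the rule set needs conntrack but the
# container is configured stateless (the mismatch discussed in the thread).
check_ct() {
    mode=$(netfilter_mode "$1")
    if rules_need_conntrack "$2" && [ "$mode" = "stateless" ]; then
        echo "MISMATCH: rules use -m state/conntrack but NETFILTER=$mode"
        echo "  (fix: set NETFILTER to \"full\" in $1 and restart the container)"
        return 1
    fi
    echo "OK: NETFILTER=$mode"
    return 0
}

# --- constructed sample input (assumed, not real files from the thread) ---
CT_CONF=$(mktemp)
CT_RULES=$(mktemp)
cat > "$CT_CONF" <<'EOF'
# constructed excerpt of /etc/vz/conf/12753.conf
VE_ROOT="/vz/root/$VEID"
NETFILTER="stateless"
EOF
cat > "$CT_RULES" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# Usage: check_ct <container.conf> <iptables-S-dump>
check_ct "$CT_CONF" "$CT_RULES" || true
```

The grep pattern deliberately covers both the legacy "-m state" match used in the thread and the newer "-m conntrack" form, since either one needs the conntrack table to be present in the container.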
