[Users] problem with iptables inside VE

Sergey Ivanov seriv at cs.umd.edu
Wed May 14 04:21:00 PDT 2014


Dear Nikolay, you are right!
I just saw in /etc/vz/vz.conf the lines:
---

## WARNING: IPTABLES parameter is deprecated,
## use per-container (not global!) NETFILTER instead

## iptables kernel modules to be loaded by init.d/vz script
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport
iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length
ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

---

"vzctl --help" does not say anything about netfilter, but "man vzctl" has:

---

       Netfilter (iptables) control parameters

       --netfilter disabled|stateless|stateful|full
              Restrict access to netfilter/iptables modules for  a  container.
              This option replaces obsoleted --iptables.

              The following arguments can be used:
               · disabled -- no iptables allowed
               ·  stateless  --  everything  but conntracks and NAT is allowed
              (i.e. filter and mangle)
               · stateful -- everything but NAT is allowed
               · full -- all netfilter functionality

---

When I checked and ensured /etc/vz/conf/12753.conf has a NETFILTER line
and does not have an IPTABLES line, all started working as expected.

I guess this problem is caused by some change in the interface between
the netfilter kernel modules and the iptables binary in Fedora-20, so that
the guest tries to manage vzkernel in a manner incompatible with it when
"NETFILTER" is not defined properly.

-- 

   Regards,

   Sergey Ivanov.



On Wed, May 14, 2014 at 12:32 AM, knawnd <knawnd at gmail.com> wrote:

>  Hello, Sergey!
>
> Another assumption: if you use vzctl-4.7.x and have NETFILTER [1]
> parameter set to "stateless" in container's config file then try to change
> it to "full".
>
> Best regards,
> Nikolay.
>
> [1]
> https://github.com/kolyshkin/vzctl/commit/9b8afa654945acc6d3bd782f622aaf9c54e4e87b
>
>
> On 05/14/14 02:28, Jean-Marc Pigeon wrote:
>
> Bonjour Sergey,
>
>
> HOST: /etc/vz/vz.conf, could be your IPTABLES definition Wrong??
>
> IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos ipt_limit
> ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl
> ipt_length"
>
>
> Quoting Sergey Ivanov <seriv at cs.umd.edu> <seriv at cs.umd.edu>:
>
> Hi,
> I need help with openvz setup.
> Here is the problem. In VE I have:
> ---
> # iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j LOG --log-prefix "ipt.forward: " --log-level 7
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> ---
> and when I try to ssh to the VE, it fails, and in dmesg I see lines about
> it like these (I've modified the MAC):
> ---
> [ 9343.653892] ipt.input: IN=eth0 OUT=
> MAC=00:de:ad:be:af:da:de:ad:be:af:de:ad:be:af SRC=10.0.128.117
> DST=10.0.127.53 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1295 DF PROTO=TCP
> SPT=48744 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
> ---
> Immediately after "service iptables stop" I have a working ssh service and
> can log in to the VE remotely. I want to do this with iptables.
>
> I use RHEL6 as a HE and tried Fedora-20 downloaded from
> http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz. I use
> VLANs, the trunk goes to physical interface em1, the HE has an IP address on
> VLAN 128, and there is an em1.128 interface for it.
> Virtual environment has netif, created by
> ---
> vzctl set 12753 --save --netif_add eth0,,veth12753,,br.127
> ---
> I've set up bridge br.127 for this VLAN, with em1.127 added to it
> automatically by the ifcfg scripts, and
> ---
> EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
> ---
> in vznet.conf adds the veth to it. I'm using vzkernel
> 2.6.32-042stab088.4
>
> --
>   Regards,
>   Sergey Ivanov.
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
>
>
>
>
>
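The fix in this thread comes down to two things in the container config: drop the deprecated IPTABLES= parameter and set NETFILTER= to a level that actually covers the ruleset the container loads. The ruleset quoted above uses "-m state", which needs conntrack, and the man page excerpt says "stateless" excludes conntrack, so that ruleset needs at least "stateful". The following script is an added example, written for this page and not code from the thread, from vzctl or from OpenVZ: run on the host, it reads a container's conf file, warns if IPTABLES= is still set, derives the minimum NETFILTER level a ruleset (in "iptables -S" / iptables-save format, read on stdin) needs, and compares the two. The level ordering comes from the "man vzctl" text quoted above; the helper names, the sample config and the sample ruleset are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, vzctl or OpenVZ): check an OpenVZ
# container config for the deprecated IPTABLES= parameter and decide whether
# its NETFILTER= level covers the iptables ruleset the container wants to load.
# NETFILTER levels as quoted from "man vzctl" in the thread:
#   disabled  - no iptables at all
#   stateless - filter/mangle only (no conntrack, no NAT)
#   stateful  - conntrack allowed, no NAT
#   full      - everything

# conf_get KEY FILE: print the value of KEY="value" (last match), or nothing.
# Commented-out lines are skipped because the key must start the line.
conf_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*${key}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$file" | tail -n 1
}

# level_rank LEVEL: numeric order of the four NETFILTER levels (-1 = unknown/unset).
level_rank() {
    case "$1" in
        disabled)  printf '%s\n' 0 ;;
        stateless) printf '%s\n' 1 ;;
        stateful)  printf '%s\n' 2 ;;
        full)      printf '%s\n' 3 ;;
        *)         printf '%s\n' -1 ;;
    esac
}

# needed_level: read an iptables ruleset from stdin and print the minimum
# NETFILTER level it needs. NAT tables/targets need "full"; conntrack matches
# ("-m state", "-m conntrack") need "stateful"; anything else is "stateless".
needed_level() {
    level=stateless
    while IFS= read -r line; do
        case "$line" in
            *" -t nat"*|*"*nat"*|*"-j MASQUERADE"*|*"-j SNAT"*|*"-j DNAT"*|*"-j REDIRECT"*)
                level=full ;;
            *"-m state"*|*"-m conntrack"*)
                [ "$level" = full ] || level=stateful ;;
        esac
    done
    printf '%s\n' "$level"
}

# check_ct_netfilter CONF < RULESET: report problems; returns 0 when the
# config has no deprecated IPTABLES= and NETFILTER= covers the ruleset.
check_ct_netfilter() {
    conf=$1
    rc=0
    if [ -n "$(conf_get IPTABLES "$conf")" ]; then
        echo "WARN: $conf still sets deprecated IPTABLES=; remove it and use NETFILTER="
        rc=1
    fi
    have=$(conf_get NETFILTER "$conf")
    [ -n "$have" ] || have=unset
    need=$(needed_level)
    if [ "$(level_rank "$have")" -lt "$(level_rank "$need")" ]; then
        echo "FAIL: $conf has NETFILTER=$have but the ruleset needs at least $need"
        rc=1
    else
        echo "OK: $conf has NETFILTER=$have, which covers the ruleset (needs $need)"
    fi
    return $rc
}

# Stand-alone demo on constructed input modelled on the thread: the pre-fix
# config (IPTABLES= still present, NETFILTER too weak) and a ruleset with
# "-m state" rules. The conf and rules files below are made up for the example.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/12753.conf" <<'EOF'
NETFILTER="stateless"
IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT"
EOF
    cat > "$tmp/rules" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
    check_ct_netfilter "$tmp/12753.conf" < "$tmp/rules" \
        || echo "  -> remove IPTABLES= and run: vzctl set 12753 --netfilter stateful --save"
    rm -rf "$tmp"
}
demo
```

To use it against a real container, feed the ruleset the container will load, for example `vzctl exec 12753 iptables -S | check_ct_netfilter /etc/vz/conf/12753.conf` (after sourcing the script), and raise the level with `vzctl set <CTID> --netfilter <level> --save` as the man page excerpt describes. The check is deliberately conservative: it only recognises conntrack matches and NAT targets it can see in the ruleset text, so a ruleset that loads such functionality indirectly would still need the higher level.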

