[Users] firewall capability in openVZ/virtuozzo 7
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Tue Oct 11 03:22:46 PDT 2016
OK, that works fine with this:
# prlctl set MyCT11 --netfilter stateful
Set netfilter: stateful
The CT has been successfully configured.
and it is saved:
# grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
NETFILTER="stateful"
Inside the CT I can now issue firewall-cmd:
CT-1d268e70 /# firewall-cmd --get-active-zones
public
interfaces: eth0
Great!
Now I realized that on the host machine, if I start firewalld, I am
locked out of my ssh session :-(
although the ssh service is open on all interfaces!
# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Did I miss something again?
Regards.
On 11/10/2016 11:04, Vasily Averin wrote:
> Dear Jehan,
>
> An OpenVZ container does not require enabling additional capabilities;
> the default settings allow using iptables inside the container.
>
> However, by default netfilter is restricted;
> most likely you need to change it by using "prlctl set --netfilter".
>
> --netfilter <disabled|stateless|stateful|full>
> Restrict access to iptable modules inside the Container. The fol-
> lowing modes are available:
> disabled -- no modules are allowed.
> stateless -- (default) all modules except NAT and conntracks are
> allowed.
> stateful -- all modules except NAT are allowed.
> full -- all modules are allowed.
>
>
> BTW, prlctl works like "vzctl --save" in all cases: it saves the setting in the configs.
>
> Thank you,
> Vasily Averin
>
> On 10.10.2016 22:42, Jehan Procaccia wrote:
>> Hello,
>>
>> By default, firewalld doesn't work in a freshly installed container (centos7-x64).
>>
>> The docs say:
>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>> I guess I need to enable net_admin:
>> net_admin Allows the administration of IP firewalls and accounting. off
>> as it is by default set to off.
>>
>> But the command is deprecated:
>> # vzctl set MyCT11 --capability net_admin --save
>> Warning: The --capability option is deprecated
>>
>> So I used prlctl (not mentioned in the doc above!?):
>>
>> # prlctl set MyCT11 --capability net_admin:on
>> Set capabilities: NET_ADMIN:on
>> The CT has been successfully configured.
>>
>> But still, in the CT:
>> /# firewall-cmd --get-active-zones
>> nothing
>> /# firewall-cmd --reload
>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>> as if the NET_ADMIN capability is not saved permanently in the CT definition.
>>
>> What is the equivalent of vzctl --save with prlctl?
>> Or did I mess up somewhere else?
>>
>> Regards.
>>
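The thread turns on one detail: firewalld's rules use the iptables conntrack match (the `-m conntrack --ctstate RELATED,ESTABLISHED` rule that failed with "No chain/target/match by that name"), and the container's default `NETFILTER` mode, `stateless`, excludes the conntrack modules. The following POSIX shell script is an added example, not code from the thread or from OpenVZ/Virtuozzo: it reads the `NETFILTER="..."` line from a container's `ve.conf` (the file layout shown in the thread) and reports whether firewalld's conntrack rules will load. The mode semantics are taken from the `prlctl set --netfilter` help text quoted by Vasily Averin; the sample `ve.conf` files are constructed here with a placeholder root path, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: decide from a container's ve.conf whether firewalld can run
# inside it. Mode semantics (from the prlctl help quoted in the thread):
#   disabled  - no iptables modules allowed
#   stateless - all modules except NAT and conntrack (the default)
#   stateful  - all modules except NAT
#   full      - all modules allowed

# Print the NETFILTER mode from a ve.conf, or "stateless" (the documented
# default) when the key is absent.
ve_netfilter_mode() {
    mode=$(sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-stateless}"
}

# Succeed when the mode permits the conntrack match that firewalld's
# RELATED,ESTABLISHED rule needs.
netfilter_allows_conntrack() {
    case "$1" in
        stateful|full) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the mode also permits NAT (needed for firewalld's
# masquerade and forward-ports settings); only "full" does.
netfilter_allows_nat() {
    [ "$1" = "full" ]
}

# One-line verdict for a ve.conf path.
check_ve_conf() {
    mode=$(ve_netfilter_mode "$1")
    if netfilter_allows_conntrack "$mode"; then
        printf 'NETFILTER=%s: firewalld conntrack rules will load\n' "$mode"
    else
        printf 'NETFILTER=%s: firewalld reload will fail; run: prlctl set <CT> --netfilter stateful\n' "$mode"
    fi
}

# Constructed sample configs (placeholder paths, not the CT from the thread).
tmp=$(mktemp -d)
printf 'VE_ROOT="/vz/root/$VEID"\nNETFILTER="stateless"\n' > "$tmp/stateless.conf"
printf 'VE_ROOT="/vz/root/$VEID"\nNETFILTER="stateful"\n' > "$tmp/stateful.conf"
printf 'VE_ROOT="/vz/root/$VEID"\n' > "$tmp/default.conf"

check_ve_conf "$tmp/stateless.conf"
check_ve_conf "$tmp/stateful.conf"
check_ve_conf "$tmp/default.conf"
```

On a real host, point `check_ve_conf` at `/vz/private/<CT id>/ve.conf`; a `stateless` or missing `NETFILTER` entry explains the error in the first message, and `stateful` is the smallest mode that fixes it, with `full` only needed if the container's firewalld uses NAT features. The host-side ssh lockout in the top message is a separate question the thread leaves open; the general precaution when enabling a firewall over ssh is to schedule `systemctl stop firewalld` a few minutes ahead (for example with `at` or a backgrounded `sleep`) and cancel it once the session has survived.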