<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I just tested this out again on a newly installed machine. I have
the following in my vz.conf:<br>
<br>
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter
iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_LOG
ipt_conntrack ipt_state xt_connlimit ipt_connlimit"<br>
<br>
IPTABLES_MODULES="$IPTABLES"<br>
<br>
I have tried just "ipt_connlimit", just "xt_connlimit", and both in
the IPTABLES list. I even rebooted the machine before I started
each test. I get the same results. The connlimit rule is not
tripped by multiple SSH connections as it should be.<br>
<br>
Dan<br>
<br>
On 06/21/2013 05:55 PM, Kir Kolyshkin wrote:
<blockquote
cite="mid:CAGmPdrxO+7Paa5fC6LtFRRM8UQGH50RzEd4CJhn=V6MtJJmjEQ@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On 21 June 2013 08:09, Dan Bassett <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:dbassett@oreillyschool.com" target="_blank">dbassett@oreillyschool.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I am running 2.6.32-042stab076.8 on a CentOS6 HN with CentOS6
containers, vzctl-4.2-1.x86_64. I have two containers running
on the same HN. Each CT has a veth device. Both CTs' veth
devices are connected to the same bridge device on the HN. They
are assigned the addresses <a moz-do-not-send="true"
href="http://192.168.0.1/24" target="_blank">192.168.0.1/24</a>
and <a moz-do-not-send="true" href="http://192.168.0.2/24"
target="_blank">192.168.0.2/24</a> and can ping each other.<br>
<br>
On the HN I am able to modprobe the connlimit module
(xt_connlimit).</blockquote>
<div><br>
</div>
<div>You are supposed to load it before loading VZ modules (and
this is the reason for having it listed in vz.conf, so the vz
initscript takes care of loading it).</div>
<div><br>
</div>
<div>If you loaded it after loading vz modules, it might not
work. So, to make sure, you'd do a reboot (or a reload of all
vz modules -- /etc/init.d/vz stop, then make sure vz modules
such as vznet are not loaded, then /etc/init.d/vz start).</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I can then
use iptables rules on the hostnode such as:<br>
<br>
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit
--connlimit-above 1 --connlimit-mask=32 -j REJECT<br>
<br>
If I then attempt to initiate more than one ssh session to
this HN from the same host, the second (and all subsequent)
ssh connections are rejected. This leads me to believe that
the connlimit module is working properly with the OpenVZ
kernel.<br>
<br>
I am able to successfully insert the same rule into the
iptables configuration in either of my containers, so it seems
that the xt_connlimit module is properly loaded (I get errors
if I try to use an iptables module that has not been loaded on
the hostnode). However, I can create more than one successful
ssh session, meaning that the iptables rule in the CT is not
being matched for some reason. I have both "xt_limit" and
"xt_connlimit" in the list of iptables modules to load in
vz.conf. When I am running these tests, I have no iptables
rules loaded on the HN, and I have no other iptables rules
loaded in the container.<br>
<br>
One interesting thing I have noticed is that when I enter a
container on this hostnode, I get the following errors:<br>
<br>
[root@hn0 ~]# vzctl enter 2033892<br>
Warning: Unknown iptable module: xt_connlimit, skipped<br>
Warning: Unknown iptable module: xt_limit, skipped<br>
<br>
It seems like this might be related to my issue, but it might
just be a red herring.<br>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>This warning is harmless; it is not a bug. Details are
here:</div>
<div><a moz-do-not-send="true"
href="http://git.openvz.org/?p=vzctl;a=commit;h=d284c8a7">http://git.openvz.org/?p=vzctl;a=commit;h=d284c8a7</a></div>
<div><br>
</div>
<div>Or see vz.conf(5) man page, description of IPTABLES and
IPTABLES_MODULES.</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Am I missing something obvious here? Or is this a bug with
OpenVZ?<br>
<br>
Thanks,<br>
Dan<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true" href="mailto:Users@openvz.org"
target="_blank">Users@openvz.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openvz.org/mailman/listinfo/users"
target="_blank">https://lists.openvz.org/mailman/listinfo/users</a><br>
</blockquote>
</div>
</blockquote>
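<br>
Added example, not part of the thread or of OpenVZ/vzctl: a small Python diagnostic for the situation discussed above. It parses the IPTABLES and IPTABLES_MODULES lists from a vz.conf fragment (expanding the $IPTABLES reference), flags a match that is listed under both its ipt_ and xt_ spelling, and reads the packet counters of connlimit rules out of <code>iptables -L INPUT -v -n -x</code> output. Since the rule uses --syn with --connlimit-above 1, only the second and later SYNs from one source can match, so after several SSH attempts a counter that still reads 0 shows the match itself is not firing (the rule being accepted by <code>iptables -A</code> only proves the extension is known, not that it works). The vz.conf text and both iptables listings are constructed samples in the shape iptables prints (the "#conn src/32 > 1" rendering of connlimit), not captured from Dan's host.<br>

```python
"""Added diagnostic for the connlimit question in this thread (not OpenVZ code):
parse the IPTABLES / IPTABLES_MODULES lists from a vz.conf fragment and read the
packet counters of connlimit rules out of `iptables -L INPUT -v -n -x` output,
so "the rule is not tripped" becomes a measurable statement instead of a guess."""
import re

# Constructed vz.conf fragment, modelled on the one quoted in the thread.
VZ_CONF = '''
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter
iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_LOG
ipt_conntrack ipt_state xt_connlimit ipt_connlimit"
IPTABLES_MODULES="$IPTABLES"
'''

# Constructed listing in the shape of `iptables -L INPUT -v -n -x`; the
# counters are illustrative, not captured from a real host.
LISTING_UNMATCHED = '''Chain INPUT (policy ACCEPT 1532 packets, 104212 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 #conn src/32 > 1 reject-with icmp-port-unreachable
'''
# Same rule after the match has fired three times (constructed).
LISTING_MATCHED = re.sub(r'^\s*0\s+0\s+REJECT', '       3       180 REJECT',
                         LISTING_UNMATCHED, flags=re.M)

ASSIGN_RE = re.compile(r'^(\w+)="([^"]*)"', re.M)
# pkts bytes target prot opt in out source destination [match text...]
RULE_RE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+\S+){6}\s*(.*)$')


def parse_vz_conf(text):
    """Map each KEY to its list of module names, expanding $VAR references to
    keys defined earlier in the file (IPTABLES_MODULES="$IPTABLES" is the usual case)."""
    values = {}
    for key, raw in ASSIGN_RE.findall(text):
        expanded = re.sub(r'\$(\w+)',
                          lambda m: ' '.join(values.get(m.group(1), [])), raw)
        values[key] = expanded.split()
    return values


def module_aliases(modules):
    """Group names that differ only by the ipt_/xt_ prefix, so a list carrying
    both spellings of one match (xt_connlimit and ipt_connlimit) is visible."""
    groups = {}
    for name in modules:
        base = re.sub(r'^(?:ipt|xt)_', '', name)
        groups.setdefault(base, []).append(name)
    return {base: names for base, names in groups.items() if len(names) > 1}


def connlimit_counters(listing):
    """Return (pkts, bytes, target, match_text) for every rule in the listing
    that iptables renders with the connlimit '#conn' match."""
    found = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and '#conn' in m.group(4):
            found.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return found


def diagnose(listing, attempts):
    """Classify a connlimit rule after `attempts` SSH connections from one
    source. With --syn and --connlimit-above 1 only the second and later SYNs
    can match, so the counter should be attempts-1 if the match works."""
    rules = connlimit_counters(listing)
    if not rules:
        return 'no-rule'
    pkts = rules[0][0]
    if attempts > 1 and pkts == 0:
        return 'rule-present-never-matched'
    return 'matching'


if __name__ == '__main__':
    conf = parse_vz_conf(VZ_CONF)
    print('IPTABLES_MODULES:', conf['IPTABLES_MODULES'])
    print('duplicate spellings:', module_aliases(conf['IPTABLES_MODULES']))
    for name, listing in (('unmatched', LISTING_UNMATCHED), ('matched', LISTING_MATCHED)):
        print(name, '->', diagnose(listing, attempts=4), connlimit_counters(listing))
```

On a real host the listing would come from running the iptables command inside the container and on the HN after a known number of SSH attempts; comparing the two counters tells whether the match works in the CT at all or only in the host's own tables.<br>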
</body>
</html>