OpenVZ Forum


*SOLVED* unloading iptables modules failed [message #25660] Sun, 06 January 2008 13:40
goeldi
When I want to restart iptables on the hardware node, I get this:

service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat mangle filter         [  OK  ]
Unloading iptables modules:                                [FAILED]
Applying iptables firewall rules:                          [  OK  ]


This is /etc/sysconfig/iptables on HN:
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 212.98.47.70 -m tcp -p tcp --dport 19150 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT


This is /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.core_uses_pid = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
panic = 10


/etc/vz/vz.conf:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"


This is in the vps.conf in /etc/vz/conf:
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"


lsmod on HN:
Module                  Size  Used by
ip_conntrack_ftp       12400  1 
loop                   19080  0 
vzethdev               16136  0 
simfs                   9068  2 
vzdquota               44308  2 [permanent]
xt_length               6016  0 
ipt_ttl                 5888  0 
xt_tcpmss               6272  0 
ipt_TCPMSS              8064  0 
xt_multiport            7168  3 
xt_limit                6656  0 
ipt_tos                 5760  0 
autofs4                25092  0 
sunrpc                146364  1 
vznetdev               21764  4 
vzmon                  46856  4 vzethdev,vznetdev
ipv6                  262304  63 vzmon
vzdev                   7556  4 vzethdev,vzdquota,vznetdev,vzmon
iptable_nat            13188  4 
ip_nat                 22288  1 iptable_nat
iptable_mangle          8576  2 
ipt_REJECT              9344  3 
xt_state                6144  20 
ip_conntrack           60356  6 ip_conntrack_ftp,iptable_nat,ip_nat,xt_state
nfnetlink              10648  2 ip_nat,ip_conntrack
xt_tcpudp               7040  22 
iptable_filter          8576  5 
ip_tables              18760  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               19204  12 xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,iptable_nat,ipt_REJECT,xt_state,xt_tcpudp,ip_tables
sbs                    18468  0 
i2c_ec                  8960  1 sbs
container               8320  0 
button                 10512  0 
ac                      9092  0 
k8_edac                18240  0 
edac_mc                24912  1 k8_edac
k8temp                  9344  0 
hwmon                   7300  1 k8temp
forcedeth              47368  0 
dm_snapshot            20644  0 
dm_zero                 6144  0 
dm_mirror              28676  0 
ext3                  124424  6 
jbd                    61736  1 ext3
raid1                  25088  2 
dm_mod                 58648  14 dm_snapshot,dm_zero,dm_mirror
sata_nv                22404  6 
libata                116152  1 sata_nv
sd_mod                 24832  8 
scsi_mod              133132  2 libata,sd_mod

[Updated on: Mon, 07 January 2008 12:40] by Moderator
