OpenVZ Forum


Home » General » Support » iptables: Error inserting x_tables (using iptables -t nat is not possible inside VE)
iptables: Error inserting x_tables [message #37807] Fri, 23 October 2009 08:33 Go to next message
john33 is currently offline  john33
Messages: 10
Registered: September 2009
Location: France
Junior Member
Hi,

I'm trying to configure NAT inside a VE with this command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


But I get this error:
Quote:

WARNING: Error inserting x_tables (/lib/modules/2.6.24-24-openvz/kernel/net/netfilter/x_tables .ko): Operation not permitted
FATAL: Error inserting ip_tables (/lib/modules/2.6.24-24-openvz/kernel/net/ipv4/netfilter/ip_ tables.ko): Operation not permitted
iptables v1.3.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.



When I run lsmod in the VE the result is empty. And I know that loading a kernel module inside a VE is not allowed.
On the host however, the right iptables modules are listed in lsmod.

What is wrong with my configuration ? Here is the content of the VE conf file:
Quote:

# Configuration file generated by vzsplit for 100 VEs
# on HN with total amount of physical mem 32148 Mb
# low memory 32148 Mb, swap size 3718 Mb, Max treads 8000
# Resourse commit level 0:
# Free resource distribution. Any parameters may be increased
# Primary parameters
NUMPROC="1646:1646"
AVNUMPROC="823:823"
NUMTCPSOCK="1646:1646"
NUMOTHERSOCK="1646:1646"
VMGUARPAGES="58771:9223372036854775807"

# Secondary parameters
KMEMSIZE="67421143:74163257"
TCPSNDBUF="15731698:22473714"
TCPRCVBUF="15731698:22473714"
OTHERSOCKBUF="7865849:14607865"
DGRAMRCVBUF="7865849:7865849"
OOMGUARPAGES="58771:9223372036854775807"
PRIVVMPAGES="352626:387888"

# Auxiliary parameters
LOCKEDPAGES="3292:3292"
SHMPAGES="35262:35262"
PHYSPAGES="0:9223372036854775807"
NUMFILE="26336:26336"
NUMFLOCK="1000:1100"
NUMPTY="164:164"
NUMSIGINFO="1024:1024"
DCACHESIZE="14727704:15169536"
NUMIPTENT="20:20"
DISKSPACE="204799:225280"
DISKINODES="80000:88000"
CPUUNITS="10534"

DISK_QUOTA=no
VE_ROOT=/data/7016f358-4c78-4aa0-bfe6-5a9c64be2a5b/root
VE_PRIVATE=/data/7016f358-4c78-4aa0-bfe6-5a9c64be2a5b/privat e
OSTEMPLATE="ubuntu-8.04"
IPTABLES="ipt_REJECT x_tables ip_tables ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"



Thanks Smile

[Updated on: Fri, 02 April 2010 10:45]

Report message to a moderator

Re: iptables: Error inserting x_tables [message #37808 is a reply to message #37807] Fri, 23 October 2009 08:43 Go to previous messageGo to next message
john33 is currently offline  john33
Messages: 10
Registered: September 2009
Location: France
Junior Member
ok I just missed the iptable_nat module to add to the IPTABLES configuration file line.

Resloved Smile
Re: iptables: Error inserting x_tables [message #39240 is a reply to message #37808] Thu, 01 April 2010 14:57 Go to previous message
john33 is currently offline  john33
Messages: 10
Registered: September 2009
Location: France
Junior Member
Hi,

I'm facing a new issue with the following command in the VE:

Quote:

# iptables -L -t raw
WARNING: Error inserting x_tables (/lib/modules/2.6.24/kernel/net/netfilter/x_tables.ko): Operation not permitted
FATAL: Error inserting ip_tables (/lib/modules/2.6.24/kernel/net/ipv4/netfilter/ip_tables.ko) : Operation not permitted
iptables v1.3.8: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.



Here is the IPTABLES line of /etc/vz/conf/veid.conf:
Quote:

IPTABLES="ip_tables iptable_nat ip_conntrack ipt_REJECT ipt_TCPMSS ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ipt_helper ipt_LOG ipt_TOS ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"



However, the following command works:
Quote:

# iptable -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



Here is the output of lsmod on the host:

Quote:

$ lsmod
Module Size Used by
kvm 110816 0
vzethdev 23552 0
vznetdev 33160 1
simfs 14448 1
vzrst 153000 0
vzcpt 128312 0
tun 23168 2 vzrst,vzcpt
vzdquota 57712 1 [permanent]
vzmon 53520 5 vzethdev,vznetdev,vzrst,vzcpt
vzdev 12808 8 vzethdev,vznetdev,vzdquota,vzmon
xt_tcpudp 12416 0
xt_length 10880 0
ipt_ttl 10752 0
xt_tcpmss 11264 0
xt_TCPMSS 13696 0
iptable_mangle 13824 1
xt_multiport 12288 0
xt_limit 12160 0
ipt_tos 10496 0
ipt_REJECT 13952 0
cpufreq_powersave 10624 0
cpufreq_userspace 14852 0
cpufreq_stats 16288 0
cpufreq_conservative 18056 0
cpufreq_ondemand 18576 0
freq_table 14336 2 cpufreq_stats,cpufreq_ondemand
sbs 25232 0
sbshc 16384 1 sbs
container 14080 0
dock 20384 0
video 30100 0
output 13184 1 video
battery 24200 0
iptable_filter 13696 1
ipv6 336960 27 vzrst,vzcpt,vzmon
xt_conntrack 12800 0
nf_conntrack_irc 16544 0
nf_conntrack_ftp 19368 0
iptable_raw 11392 0
ipt_MASQUERADE 11648 1
xt_state 11520 0
iptable_nat 19460 3
ip_tables 33256 4 iptable_mangle,iptable_filter,iptable_raw,iptable_nat
nf_nat 31376 2 ipt_MASQUERADE,iptable_nat
x_tables 33288 14 xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,xt_TCPMSS,xt_multiport ,xt_limit,ipt_tos,ipt_REJECT,xt_conntrack,ipt_MASQUERADE,xt_ state,iptable_nat,ip_tables
nf_conntrack_ipv4 36496 4 iptable_nat
nf_conntrack 100960 7 xt_conntrack,nf_conntrack_irc,nf_conntrack_ftp,xt_state,ipta ble_nat,nf_nat,nf_conntrack_ipv4
lp 22340 0
af_packet 35592 10
snd_intel8x0 47784 2
snd_ac97_codec 130264 1 snd_intel8x0
ac97_bus 11264 1 snd_ac97_codec
parport_pc 48552 0
snd_pcm 95112 2 snd_intel8x0,snd_ac97_codec
pcspkr 12160 0
snd_timer 34824 1 snd_pcm
parport 52364 2 lp,parport_pc
serio_raw 16516 0
evdev 22528 3
ac 15752 0
psmouse 53788 0
button 18336 0
i2c_piix4 18316 0
snd 76968 8 snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
soundcore 17824 1 snd
snd_page_alloc 19984 2 snd_intel8x0,snd_pcm
i2c_core 35968 1 i2c_piix4
ext3 156560 1
jbd 64424 1 ext3
mbcache 18816 1 ext3
sg 48920 0
sr_mod 27556 0
cdrom 49064 1 sr_mod
sd_mod 40704 3
pata_acpi 17280 0
ata_generic 17412 0
ehci_hcd 48268 0
ohci_hcd 38020 0
floppy 76136 0
ata_piix 31620 2
usbcore 176688 3 ehci_hcd,ohci_hcd
ssb 44676 1 ohci_hcd
e1000 144576 0
libata 183088 3 pata_acpi,ata_generic,ata_piix
scsi_mod 186168 4 sg,sr_mod,sd_mod,libata
thermal 27168 0
processor 49864 1 thermal
fan 14216 0
fuse 64528 5



What modules may I have missed on the host, or may I have to add to IPTABLES in the conf file? (I have tried iptable_raw, ipt_recent and xt_conntrack but I get an "Unknown iptable module: XXX skipped" error when entering with vzctl.

Thanks Smile

[Updated on: Thu, 01 April 2010 14:57]

Report message to a moderator

Previous Topic: server restarting after syslod restart
Next Topic: Server crashing ::ip_conntrack: CT 0: table full, dropping packet.
Goto Forum:
  


Current Time: Fri Nov 08 15:11:16 GMT 2024

Total time taken to generate the page: 0.03354 seconds