OpenVZ Forum


Home » General » Support » *SOLVED* iptables support inside vps
*SOLVED* iptables support inside vps [message #7927] Mon, 30 October 2006 18:02 Go to next message
pshempel is currently offline  pshempel
Messages: 4
Registered: October 2006
Location: Lafayette
Junior Member
I am attempting to configure a vps as a nat gateway for a openvpn server running in the vps.

How much of the iptables support is there within a VPS?
Should I expect a full support or limited?
If limited can there be something placed on the wiki that states just how much support there is?

I have read through many documents that seem to give the impression there is complete firewall support inside a vps

I am using 2.6.16 testing kernel.
I have compiled every module that relates to iptables networking into the kernel.

I am presently using shorewall to configure my iptables rules but seem to have a complete failure to setup a basic natted vpn service using shorewall.


Here is the output of shorewall show capabilities.

Shorewall has detected the following iptables/netfilter capabilities:
NAT: Not available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Not available
Recent Match: Not available
Owner Match: Not available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Not available
IPP2P Match: Not available
CLASSIFY Target: Not available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Not available
Mangle FORWARD Chain: Available

I have been using shorewall for about six years now and have a good grasp of how to setup shorewall, so I am confident that my configurations are correct.

TIA for the responses.

Philip

NanoHub.org Systems Admin

[Updated on: Fri, 10 November 2006 06:36] by Moderator

Report message to a moderator

Re: iptables support inside vps [message #7933 is a reply to message #7927] Tue, 31 October 2006 06:23 Go to previous messageGo to next message
Vasily Tarasov is currently offline  Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
Hello,

You wrote:
Quote:


How much of the iptables support is there within a VPS?
Should I expect a full support or limited?
If limited can there be something placed on the wiki that states just how much support there is?



Support of iptables is slightly limited. You can see which modules are available in VE using vzctl manpage: read there about --iptables command.
Note, that by default not all iptables modules are permited in VE (look in /etc/vz/vz.conf).

HTH,
vass.
Re: iptables support inside vps [message #7952 is a reply to message #7933] Tue, 31 October 2006 14:36 Go to previous messageGo to next message
pshempel is currently offline  pshempel
Messages: 4
Registered: October 2006
Location: Lafayette
Junior Member
Well should this rule work then?

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
But returns with uknown chain, but when doing a iptables -L it returnes with FORWARD chain as a rule. Is this implemented (forwarding packets)?

Shorewall now reports this

NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Not available
Recent Match: Not available
Owner Match: Not available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Not available
IPP2P Match: Not available
CLASSIFY Target: Not available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Not available
Mangle FORWARD Chain: Available


Thanks

Philp

NanoHub.org Systems Admin




Re: iptables support inside vps [message #7985 is a reply to message #7952] Thu, 02 November 2006 06:20 Go to previous message
Vasily Tarasov is currently offline  Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
Hello,

There is one more trick. As you now different iptables features are located in different kernel modules. Usually when iptables command see the feature, which kernel module isn't loaded, it loads appropriate module. But in VE it's prohibited to load kernel modules! Conclusion: before using specific rule you shuld make sure that appropriate module is loaded on _HN_.
The easiest way to do it, I suppose, first run the iptables comand that you want in VE, on HN and then flush it. After that all kernel modules that are needed for this command are loaded and you can fealessly executed this command in VE.

For example in you case:

[HN]# vzctl start 112
Starting VPS ...
VPS is mounted
Adding IP address(es): <ip address>
Setting CPU units: 1000
Setting devices
VPS start in progress...
[HN]# iptables -A FORWARD -j ACCEPT
[HN]# lsmod | wc
44 146 1721
[HN]# iptables -F
[HN]# lsmod | wc
44 146 1721
[HN]# vzctl enter 112
entered into VPS 112
[VE]#
[VE]# iptables -A FORWARD -j ACCEPT
[VE]# iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

HTH,
vass.

[Updated on: Thu, 02 November 2006 07:13]

Report message to a moderator

Previous Topic: Help with calculating fair allocations
Next Topic: *SOLVED* unable to connect to the internet or any other machine on the local n/w..pls help!!
Goto Forum:
  


Current Time: Fri Nov 15 11:56:48 GMT 2024

Total time taken to generate the page: 0.03783 seconds