OpenVZ Forum


Mailing lists » Users » RHEL6 and stateful firewall inside container
Re: RHEL6 and stateful firewall inside container [message #45144 is a reply to message #45143] Wed, 01 February 2012 12:41
Vasily Averin
On 02/01/2012 04:39 PM, Vasily Averin wrote:
> Hi Mikko,
>
> 1) You need to enable conntrack support for the container; it is disabled by default.
> IIRC the following command should be enough to enable conntrack support for the specified container only:
> # vzctl set <CTID> --iptables iptable_filter --iptables ip_conntrack --save

Sorry, I did not notice that you're using the mangle table too, so you also need to add "--iptables iptable_mangle" to the command above.

> 2) Also, you need to load all modules on the host before loading the rules inside the container. A container cannot load modules, even indirectly; that's why loading the iptables rules failed inside the container.
> We recommend adding all required modules to the iptables service configuration on the host.
> On CentOS6 nodes you need to add all used modules to the IPTABLES_MODULES variable in the /etc/sysconfig/iptables-config file.
>
> thank you,
> Vasily Averin
>
> On 02/01/2012 03:17 PM, Mikko Vasili Hirvonen wrote:
>> Hello users@openvz.org
>>
>> I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got a
>> problem with iptables. If I try to use a firewall inside the container, I can
>> load rules, but the firewall rejects all incoming packets. Host is redhat-6
>> and container is centos-6. I tested with kernels
>>
>> vzkernel-2.6.32-042stab044.17.x86_64
>> vzkernel-2.6.32-042stab048.1.x86_64
>> vzkernel-2.6.32-042stab049.2.x86_64
>>
>> My firewall config
>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>> *mangle
>> :PREROUTING ACCEPT [2:381]
>> :INPUT ACCEPT [2:381]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [4:559]
>> :POSTROUTING ACCEPT [4:559]
>> COMMIT
>> # Completed on Wed Feb 1 13:05:26 2012
>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [4:559]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Wed Feb 1 13:05:26 2012
>>
>> Is it a known problem or is it my misconfiguration? Firewall on redhat-5 is
>> functioning fine.
>>
>>
>
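The two steps Vasily describes (tell vzctl which iptables modules the container may use, and make sure the host loads them before the container's rules are applied) both need the same list of module names, and that list follows from the container's own ruleset. The script below is an added example, not code from the thread or from the OpenVZ project: it reads iptables-save output and prints the vzctl `--iptables` arguments and the matching `IPTABLES_MODULES` line for the host. The table-to-module and match/target-to-module mapping is an assumption based on the conventional legacy names (the thread itself names only iptable_filter, iptable_mangle and ip_conntrack); check `man vzctl` for the names it accepts. The sample input is the ruleset posted in the thread, reconstructed without the quote markers.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVZ project).
# Derive, from a container's iptables-save output, the iptables module names the
# host must load before the container's rules can be applied, plus the vzctl
# --iptables arguments. The mapping below is an ASSUMPTION based on the
# conventional legacy module names; consult `man vzctl` for the accepted list.

# Constructed sample input: the ruleset posted in the thread, as iptables-save prints it.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [2:381]
:INPUT ACCEPT [2:381]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:559]
:POSTROUTING ACCEPT [4:559]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:559]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read iptables-save text on stdin; print one module name per line, sorted and unique.
vz_modules_for_rules() {
    awk '
        /^\*/            { print "iptable_" substr($0, 2) }   # "*filter" -> iptable_filter
        /-m state/       { print "ip_conntrack"; print "ipt_state" }   # stateful matching needs conntrack
        /-m limit/       { print "ipt_limit" }
        /-m multiport/   { print "ipt_multiport" }
        /-j REJECT/      { print "ipt_REJECT" }
        /-j LOG/         { print "ipt_LOG" }
    ' | LC_ALL=C sort -u
}

# Same input; print the --iptables arguments for "vzctl set <CTID> ... --save".
vz_iptables_args() {
    vz_modules_for_rules | awk '{ a = a (NR > 1 ? " " : "") "--iptables " $1 } END { print a }'
}

# Same input; print the IPTABLES_MODULES line for /etc/sysconfig/iptables-config on the host.
vz_host_modules_line() {
    vz_modules_for_rules | awk '{ a = a (NR > 1 ? " " : "") $1 } END { printf "IPTABLES_MODULES=\"%s\"\n", a }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | vz_iptables_args
printf '%s\n' "$SAMPLE_RULES" | vz_host_modules_line
```

For a real container the input would come from the container itself, e.g. `vzctl exec <CTID> iptables-save | vz_iptables_args`; because the host loads the modules and the container only references them, the same list has to appear in both places, which is why one script produces both lines.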