OpenVZ Forum


IPtables on Centos 4.2 (host system) [message #2685] Sun, 16 April 2006 16:27
kenchua
Messages: 4
Registered: April 2006
Junior Member
Hi

I just downloaded openvz and installed it on my CentOS 4.2. But whenever I rebooted my server (iptables started by default), I was unable to access the server remotely. Once IPtables is stopped, I am able to access it.

My question is how do I configure IPtables to enable me to access the server as well as doing IP filtering?

Basically, I wanted to block SMTP, POP3, FTP and HTTP from the host system as it is just supposed to be a "skeleton" for the VPS.

I only wanted to allow SSHD access via 2 static IP addresses used by my company.

Can any gurus please assist me? Thanks

cheers
Ken
Re: IPtables on Centos 4.2 (host system) [message #2689 is a reply to message #2685] Mon, 17 April 2006 08:19
dim
Messages: 344
Registered: August 2005
Senior Member
It seems that you have to add "options ip_conntrack ip_conntrack_enable_ve0=1" to your /etc/modprobe.conf.
After that, restart iptables.


Re: IPtables on Centos 4.2 (host system) [message #2846 is a reply to message #2685] Sun, 23 April 2006 11:34
kenchua
Messages: 4
Registered: April 2006
Junior Member
Hi Dim,

Thanks for your kind suggestion; it worked :)

I have another question. In the VPS, I tried to use lokkit to configure the IPtables, and when I restarted IPtables, it reported errors.

Do you have a sample IPtables ruleset for VPS?

Best regards
Ken

Re: IPtables on Centos 4.2 (host system) [message #2857 is a reply to message #2846] Mon, 24 April 2006 06:57
dev
Messages: 1693
Registered: September 2005
Location: Moscow
Senior Member

I'm not sure what lokkit is (probably some frontend for iptables?)...
Maybe you can provide some messages on how it failed?
Also, check that you enabled iptables inside the VPS.
The default iptables modules available in a VPS are listed in /etc/sysconfig/vz, variable IPTABLES.
The list of available modules can be found in the vzctl man page.


Re: IPtables on Centos 4.2 (host system) [message #2885 is a reply to message #2857] Mon, 24 April 2006 22:40
dowdle
Messages: 261
Registered: December 2005
Location: Bozeman, Montana
Senior Member
lokkit is Red Hat's tui app for creating /etc/sysconfig/iptables. Whenever lokkit is run, it overwrites the previous iptables config with the new info... i.e. you can't modify an existing file with additional info... as it makes a new config from scratch each time... or at least that is my understanding.

--
TYL, Scott Dowdle
Belgrade, Montana, USA
Re: IPtables on Centos 4.2 (host system) [message #2919 is a reply to message #2885] Thu, 27 April 2006 18:12
kenchua
Messages: 4
Registered: April 2006
Junior Member
Hi

I copied the IPTABLES config from the host node and tried to use it on the VPS. It prompted the error below. Attached is the set of rules for IPTABLES.

[root@webvps ~]# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Applying iptables firewall rules: iptables-restore: line 17 failed
[FAILED]


[root@webvps ~]# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Re: IPtables on Centos 4.2 (host system) [message #2924 is a reply to message #2919] Fri, 28 April 2006 07:22
Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
kenchua,

You didn't add enough iptables modules inside the VPS.
Just append the following string to /etc/sysconfig/vz or to the /etc/sysconfig/vz-scripts/<VPS-ID>.conf file:

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

And stop/start the VPSs.
This will add ALL iptables modules to the VPS.
You can play further with the IPTABLES parameter and investigate
which of the modules are sufficient for you...
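The failure kenchua reported ("iptables-restore: line 17 failed" on the COMMIT line) and Vasily's answer both come down to the same question: which kernel modules does a ruleset actually need, and does the IPTABLES variable grant them to the VPS? The checker below is an added example, not code from this thread or from the OpenVZ project. It parses an iptables-restore file and compares the modules it implies against an IPTABLES= string. The syntax-to-module mapping is an assumption drawn from the classic ipt_* naming and covers only the modules mentioned in this thread; the "sparse" module list is constructed for illustration, while the ruleset and the full module list are the ones posted above.

```python
"""Check an iptables-restore ruleset against an OpenVZ IPTABLES= module list.

Added example, not code from the forum thread or from the OpenVZ project.
The syntax-to-module mapping below is an assumption drawn from the classic
ipt_* naming; it covers the modules named in this thread, not every match
or target iptables knows about.
"""
import re

# Assumed mapping: which kernel modules a VPS must be granted (via the
# IPTABLES variable in vz.conf / <VPS-ID>.conf) for each piece of syntax.
# Protocol matches such as "-m tcp" / "-m udp" and "-p icmp" are built
# into ip_tables and need no entry here.
TABLE_MODULES = {"filter": "iptable_filter", "mangle": "iptable_mangle",
                 "nat": "iptable_nat"}
MATCH_MODULES = {
    "state": ("ipt_state", "ip_conntrack"),
    "conntrack": ("ipt_conntrack", "ip_conntrack"),
    "helper": ("ipt_helper", "ip_conntrack"),
    "limit": ("ipt_limit",),
    "multiport": ("ipt_multiport",),
    "tos": ("ipt_tos",),
    "ttl": ("ipt_ttl",),
    "length": ("ipt_length",),
    "tcpmss": ("ipt_tcpmss",),
}
TARGET_MODULES = {
    "REJECT": ("ipt_REJECT",),
    "LOG": ("ipt_LOG",),
    "REDIRECT": ("ipt_REDIRECT", "iptable_nat"),
    "TCPMSS": ("ipt_TCPMSS",),
    "TOS": ("ipt_TOS",),
}

# "-m <match>" and "-j <target>" tokens; the lookbehind keeps the regex from
# matching inside chain names such as RH-Firewall-1-INPUT.
MATCH_RE = re.compile(r"(?<!\S)-m\s+(\S+)")
TARGET_RE = re.compile(r"(?<!\S)-j\s+(\S+)")


def required_modules(ruleset):
    """Return the set of module names the ruleset text depends on."""
    needed = set()
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # table header, e.g. *filter
            table = line[1:]
            needed.add(TABLE_MODULES.get(table, "iptable_" + table))
            continue
        for match in MATCH_RE.findall(line):
            needed.update(MATCH_MODULES.get(match, ()))
        target = TARGET_RE.search(line)
        if target:
            needed.update(TARGET_MODULES.get(target.group(1), ()))
    return needed


def missing_modules(ruleset, iptables_var):
    """Sorted list of modules the ruleset needs but IPTABLES= does not grant."""
    granted = set(iptables_var.split())
    return sorted(required_modules(ruleset) - granted)


# The ruleset kenchua posted (copied from the host node), trimmed to the
# lines that matter for the module check.
KENCHUA_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed for illustration: a VPS granted only the filter table and REJECT.
SPARSE_VPS_IPTABLES = "iptable_filter ipt_REJECT"

# The full list Vasily Tarasov suggested in this thread.
FULL_VPS_IPTABLES = ("iptable_filter iptable_mangle ipt_limit ipt_multiport "
                     "ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl "
                     "ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp "
                     "ip_conntrack_irc ipt_conntrack ipt_state ipt_helper "
                     "iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT")

if __name__ == "__main__":
    for label, granted in (("sparse", SPARSE_VPS_IPTABLES), ("full", FULL_VPS_IPTABLES)):
        gap = missing_modules(KENCHUA_RULESET, granted)
        print(label, "VPS is missing:", " ".join(gap) if gap else "nothing")
```

Run against the sparse list, the checker reports ip_conntrack and ipt_state as missing, which is exactly what the "-m state" rules in the copied host ruleset need; against Vasily's full list nothing is missing. Running this before restarting iptables inside a VPS turns the opaque "line N failed" into a concrete list of names to add to IPTABLES=, and lets you trim that list back to the minimum the ruleset really uses.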