*SOLVED* iptables state in VE broken [message #14515]
Sat, 30 June 2007 00:56
dlzinc
uname -r
2.6.18-8.1.4.el5.028stab035.1
Host is CentOS 5 x86_64
VE is also CentOS 5 x86_64
If I do:
# flush the existing rules
iptables -F
# accept new connections and any packet belonging to a tracked connection
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# -P needs a chain name; the default policy for INPUT becomes DROP
iptables -P INPUT DROP
I would expect to be able to SSH into this VE, however I can't. Using vzctl enter, I saw the counters for DROP incremented while the counter for the single iptables rule was still 0. There also is no /proc/net/ip_conntrack present inside the VE.
IPTABLES (in the VE .conf file) is not set; all other modules appear to work (e.g. ipt_owner).
conntrack is loaded on the HN and was loaded before the VE was started. Any ideas? Or a bug...
Oddly enough, I have another box:
2.6.18-8.1.4.el5.028stab035.1
Host is CentOS 4 x86_64
VE is also CentOS 4 i686
state tracking works properly (and there's a /proc/net/ip_conntrack in the VE)
[Updated on: Sun, 01 July 2007 16:49] by Moderator
Re: iptables state in VE broken [message #14516 is a reply to message #14515]
Sat, 30 June 2007 01:19
dlzinc
Hrm.. solved it.
Had to do vzctl set [veid] --save --iptables ipt_conntrack --iptables ipt_state etc.
Which is weird, because the docs (man vzctl) say that if the module is loaded (it was) then I shouldn't have to do that.
Re: iptables state in VE broken [message #14522 is a reply to message #14515]
Sat, 30 June 2007 13:17
dlzinc
On the CentOS 4 HN+VE, there is no IPTABLES entry in the veid.conf file and it works fine. On the CentOS 5 HN+VE, it doesn't work without the IPTABLES entry. They're both using the same kernel and same vzctl...
Re: iptables state in VE broken [message #14535 is a reply to message #14515]
Sun, 01 July 2007 03:45
dlzinc
Like I said, yes.
The lack of an IPTABLES entry on the CentOS 4 HN+VE = I get /proc/net/ip_conntrack, while the lack of an IPTABLES entry on the CentOS 5 HN+VE = I don't get /proc/net/ip_conntrack; however, if I *do* add an IPTABLES entry it works fine. The manpage for vzctl states that if there aren't any restrictions (i.e. no IPTABLES entry) then all loaded modules are enabled (which, on CentOS 5, doesn't appear to be the case).
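The fix from message #14516 (adding the state modules with vzctl set --iptables) and the observation in message #14535 that a missing IPTABLES entry leaves conntrack unavailable in the VE, as an added helper script that is not from this thread or from vzctl: it parses a VE config's IPTABLES="..." line, lists the connection-tracking modules the -m state match needs that are absent, and prints (without running) the vzctl command that would add them. The module names ip_conntrack/ipt_conntrack/ipt_state as --iptables values and the sample config text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an OpenVZ VE config for the
# modules that "iptables -m state" depends on and builds the vzctl fix.
# Assumption: these three names are accepted by "vzctl set --iptables".
STATE_MODULES="ip_conntrack ipt_conntrack ipt_state"

# missing_state_modules CONF_TEXT
# Prints, one per line, the state modules not listed in IPTABLES="...".
# A config with no IPTABLES line at all is treated as "nothing enabled",
# which is the CentOS 5 behaviour reported in the thread, not "everything".
missing_state_modules() {
    conf="$1"
    enabled=$(printf '%s\n' "$conf" | sed -n 's/^IPTABLES="\(.*\)"$/\1/p')
    for m in $STATE_MODULES; do
        case " $enabled " in
            *" $m "*) ;;          # already enabled for this VE
            *) echo "$m" ;;       # absent: -m state will not work inside
        esac
    done
}

# vzctl_fix_command VEID CONF_TEXT
# Prints the persistent (--save) vzctl invocation adding the missing modules.
# With nothing missing it prints just "vzctl set VEID --save", i.e. a no-op.
vzctl_fix_command() {
    veid="$1"; conf="$2"
    cmd="vzctl set $veid --save"
    for m in $(missing_state_modules "$conf"); do
        cmd="$cmd --iptables $m"
    done
    echo "$cmd"
}

# Constructed sample config: IPTABLES present but without the state modules.
SAMPLE_CONF='ONBOOT="yes"
IPTABLES="ipt_owner ipt_REJECT"'
vzctl_fix_command 101 "$SAMPLE_CONF"
```

Running it against the real file (e.g. the contents of /etc/vz/conf/VEID.conf) shows at a glance whether /proc/net/ip_conntrack can be expected inside that VE.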