OpenVZ Forum


Home » Mailing lists » Users » RHEL6 and stateful firewall inside container
RHEL6 and stateful firewall inside container [message #45140] Wed, 01 February 2012 11:17 Go to next message
masse
Messages: 2
Registered: January 2010
Junior Member
Hello users@openvz.org

I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got
problem with iptables. If I try to use firewall inside container, I can
load rules, but firewall rejects all incoming packets. Host is redhet-6
and container is centos-6. I tested with kernels

vzkernel-2.6.32-042stab044.17.x86_64
vzkernel-2.6.32-042stab048.1.x86_64
vzkernel-2.6.32-042stab049.2.x86_64

My firewall config
# Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
*mangle
:PREROUTING ACCEPT [2:381]
:INPUT ACCEPT [2:381]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:559]
:POSTROUTING ACCEPT [4:559]
COMMIT
# Completed on Wed Feb 1 13:05:26 2012
# Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:559]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb 1 13:05:26 2012

Is it know problem or is it my misconfiguration? Firewall on redhat-5 is
functioning fine.


--
Mikko Hirvonen <Mikko.V.Hirvonen@helsinki.fi>
Helsingin yliopisto / Tietotekniikkakeskus / Verkkopalvelut

Report message to a moderator

Re: RHEL6 and stateful firewall inside container [message #45143 is a reply to message #45140] Wed, 01 February 2012 12:39 Go to previous messageGo to next message
Vasily Averin is currently offline  Vasily Averin
Messages: 17
Registered: April 2008
Junior Member
Hi Mikko,

1) You need to enable conntrack support for container, it is disabled by default.
IIRC following command should be enough to enable conntrack support for specified container only:
# vzctl set <CTID> --iptables iptable_filter --iptables ip_conntrack --save

2) Also you need to load all modules on the host before loading of rules inside container. Container cannot load modules, even indirectly. that's why loading of iptables rules failed inside container.
we recommend to add all required modules into iptables service configuration on the host.
on CentOS6 nodes you need to add all used modules into IPTABLES_MODULES variable in /etc/sysconfig/iptables-config file.

thank you,
Vasily Averin

On 02/01/2012 03:17 PM, Mikko Vasili Hirvonen wrote:
> Hello users@openvz.org
>
> I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got
> problem with iptables. If I try to use firewall inside container, I can
> load rules, but firewall rejects all incoming packets. Host is redhet-6
> and container is centos-6. I tested with kernels
>
> vzkernel-2.6.32-042stab044.17.x86_64
> vzkernel-2.6.32-042stab048.1.x86_64
> vzkernel-2.6.32-042stab049.2.x86_64
>
> My firewall config
> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
> *mangle
> :PREROUTING ACCEPT [2:381]
> :INPUT ACCEPT [2:381]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:559]
> :POSTROUTING ACCEPT [4:559]
> COMMIT
> # Completed on Wed Feb 1 13:05:26 2012
> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:559]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Wed Feb 1 13:05:26 2012
>
> Is it know problem or is it my misconfiguration? Firewall on redhat-5 is
> functioning fine.
>
>

Report message to a moderator

Re: RHEL6 and stateful firewall inside container [message #45144 is a reply to message #45143] Wed, 01 February 2012 12:41 Go to previous messageGo to next message
Vasily Averin is currently offline  Vasily Averin
Messages: 17
Registered: April 2008
Junior Member
On 02/01/2012 04:39 PM, Vasily Averin wrote:
> Hi Mikko,
>
> 1) You need to enable conntrack support for container, it is disabled by default.
> IIRC following command should be enough to enable conntrack support for specified container only:
> # vzctl set <CTID> --iptables iptable_filter --iptables ip_conntrack --save

Sorry, I did not noticed that you're using mangle table too, so you need to add also "--iptables iptable_mangle" into command above.

> 2) Also you need to load all modules on the host before loading of rules inside container. Container cannot load modules, even indirectly. that's why loading of iptables rules failed inside container.
> we recommend to add all required modules into iptables service configuration on the host.
> on CentOS6 nodes you need to add all used modules into IPTABLES_MODULES variable in /etc/sysconfig/iptables-config file.
>
> thank you,
> Vasily Averin
>
> On 02/01/2012 03:17 PM, Mikko Vasili Hirvonen wrote:
>> Hello users@openvz.org
>>
>> I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got
>> problem with iptables. If I try to use firewall inside container, I can
>> load rules, but firewall rejects all incoming packets. Host is redhet-6
>> and container is centos-6. I tested with kernels
>>
>> vzkernel-2.6.32-042stab044.17.x86_64
>> vzkernel-2.6.32-042stab048.1.x86_64
>> vzkernel-2.6.32-042stab049.2.x86_64
>>
>> My firewall config
>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>> *mangle
>> :PREROUTING ACCEPT [2:381]
>> :INPUT ACCEPT [2:381]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [4:559]
>> :POSTROUTING ACCEPT [4:559]
>> COMMIT
>> # Completed on Wed Feb 1 13:05:26 2012
>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [4:559]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Wed Feb 1 13:05:26 2012
>>
>> Is it know problem or is it my misconfiguration? Firewall on redhat-5 is
>> functioning fine.
>>
>>
>

Report message to a moderator

Re: RHEL6 and stateful firewall inside container [message #45154 is a reply to message #45144] Thu, 02 February 2012 08:51 Go to previous message
masse
Messages: 2
Registered: January 2010
Junior Member
Thank you Vasily. It is functioning now. I saw it is documented in vzctl
man page too.

On 02/01/2012 02:41 PM, Vasily Averin wrote:
> On 02/01/2012 04:39 PM, Vasily Averin wrote:
>> Hi Mikko,
>>
>> 1) You need to enable conntrack support for container, it is disabled by default.
>> IIRC following command should be enough to enable conntrack support for specified container only:
>> # vzctl set <CTID> --iptables iptable_filter --iptables ip_conntrack --save
>
> Sorry, I did not noticed that you're using mangle table too, so you need to add also "--iptables iptable_mangle" into command above.
>
>> 2) Also you need to load all modules on the host before loading of rules inside container. Container cannot load modules, even indirectly. that's why loading of iptables rules failed inside container.
>> we recommend to add all required modules into iptables service configuration on the host.
>> on CentOS6 nodes you need to add all used modules into IPTABLES_MODULES variable in /etc/sysconfig/iptables-config file.
>>
>> thank you,
>> Vasily Averin
>>
>> On 02/01/2012 03:17 PM, Mikko Vasili Hirvonen wrote:
>>> Hello users@openvz.org
>>>
>>> I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got
>>> problem with iptables. If I try to use firewall inside container, I can
>>> load rules, but firewall rejects all incoming packets. Host is redhet-6
>>> and container is centos-6. I tested with kernels
>>>
>>> vzkernel-2.6.32-042stab044.17.x86_64
>>> vzkernel-2.6.32-042stab048.1.x86_64
>>> vzkernel-2.6.32-042stab049.2.x86_64
>>>
>>> My firewall config
>>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>>> *mangle
>>> :PREROUTING ACCEPT [2:381]
>>> :INPUT ACCEPT [2:381]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [4:559]
>>> :POSTROUTING ACCEPT [4:559]
>>> COMMIT
>>> # Completed on Wed Feb 1 13:05:26 2012
>>> # Generated by iptables-save v1.4.7 on Wed Feb 1 13:05:26 2012
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [4:559]
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Wed Feb 1 13:05:26 2012
>>>
>>> Is it know problem or is it my misconfiguration? Firewall on redhat-5 is
>>> functioning fine.
>>>
>>>
>>
>


--
Mikko Hirvonen <Mikko.V.Hirvonen@helsinki.fi>
Helsingin yliopisto / Tietotekniikkakeskus / Verkkopalvelut

Report message to a moderator

Previous Topic: vmstat FPE
Next Topic: A question about Node RAM
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Tue May 07 20:32:44 GMT 2024

Total time taken to generate the page: 0.01504 seconds
Powered by FUDforum Powered by Virtuozzo Containers