OpenVZ Forum

new centos update broke iptables [message #51359] Sun, 27 April 2014 12:40
disco (Junior Member)
Hi,

with the recent update of the vzkernel to 2.6.32-042stab088.4 on CentOS 6.5, iptables NAT stopped working.

This is what I get when I try to start iptables:

iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Applying firewall rules: iptables-restore v1.4.7: iptables-restore: unable to initialize table 'nat'

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
Re: new centos update broke iptables [message #51364 is a reply to message #51359] Mon, 28 April 2014 07:38
Paparaciz (Senior Member)
Just add iptable_nat to the global or to the CT config file.

As an example:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length iptable_nat"

After adding it you will need to restart the vz service and/or stop and start the CT.
Re: new centos update broke iptables [message #51391 is a reply to message #51359] Mon, 05 May 2014 19:05
eega (Junior Member)
It's the same for me; however, it broke iptables on the host! How can I fix this?
Re: new centos update broke iptables [message #51395 is a reply to message #51359] Tue, 06 May 2014 07:04
Paparaciz (Senior Member)
It seems there are 2 separate bugs here.

eega,
the recent vzctl version disabled conntrack on ve0:

https://bugzilla.openvz.org/show_bug.cgi?id=2755

so you can change the setting back:
echo 'options nf_conntrack ip_conntrack_disable_ve0=0' > /etc/modprobe.d/openvz.conf

Reboot the HN and it should work OK.

For NAT to work inside the CT, more investigation is needed.

[Updated on: Thu, 08 May 2014 05:43]

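The two edits Paparaciz describes above (adding iptable_nat to the IPTABLES list in /etc/vz/vz.conf, message #51364, and turning ip_conntrack_disable_ve0 back to 0 in /etc/modprobe.d/openvz.conf, message #51395), written up as an added example; this is not code from the thread or from the OpenVZ project. The function names are made up for this page, and each takes the file path as an argument so the change can be tried on a copy first. The helpers assume the IPTABLES= line is a single double-quoted, space-separated list and that the modprobe file has at most one `options nf_conntrack` line; that line is edited in place rather than clobbered with `>`, which would silently drop any other options already stored in the file.

```shell
#!/bin/sh
# Added example for this thread, not OpenVZ's own tooling.  Applies the two
# fixes from the replies above to config files passed as arguments, so they can
# be tried on copies before touching /etc/vz/vz.conf and /etc/modprobe.d/openvz.conf.
# Assumptions: IPTABLES= is one double-quoted, space-separated list on a single
# line, and at most one 'options nf_conntrack' line exists in the modprobe file.

# True if MODULE is already a whole word in FILE's IPTABLES="..." list.
vz_has_iptables_module() {
    sed -n 's/^IPTABLES="\(.*\)".*/\1/p' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# Append MODULE to the IPTABLES list in FILE (idempotent).  Returns 1 when the
# file has no IPTABLES= line, so a typo in the path is not silently ignored.
vz_add_iptables_module() {
    file=$1; module=$2
    grep -q '^IPTABLES=' "$file" || return 1
    vz_has_iptables_module "$file" "$module" && return 0
    awk -v m="$module" '
        /^IPTABLES="/ {
            list = $0
            sub(/^IPTABLES="/, "", list)      # strip the key
            sub(/"[ \t]*$/, "", list)         # strip the closing quote
            $0 = "IPTABLES=\"" (list == "" ? m : list " " m) "\""
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the ip_conntrack_disable_ve0 value currently set in FILE (empty if none).
get_ve0_conntrack() {
    sed -n 's/^options[[:space:]]\{1,\}nf_conntrack.*ip_conntrack_disable_ve0=\([0-9]\{1,\}\).*/\1/p' "$1"
}

# Set ip_conntrack_disable_ve0 to VALUE (0 = conntrack on ve0 enabled, as the
# reply above recommends; 1 = the vzctl default that broke the host).  An
# existing 'options nf_conntrack' line is edited in place and other lines are
# preserved, unlike 'echo ... > file', which discards them.  Returns 2 on a bad VALUE.
set_ve0_conntrack() {
    file=$1; value=$2
    case $value in 0|1) ;; *) return 2 ;; esac
    [ -f "$file" ] || : > "$file"
    awk -v v="$value" '
        /^options[ \t]+nf_conntrack([ \t]|$)/ {
            if ($0 ~ /ip_conntrack_disable_ve0=/) {
                sub(/ip_conntrack_disable_ve0=[0-9]+/, "ip_conntrack_disable_ve0=" v)
            } else {
                $0 = $0 " ip_conntrack_disable_ve0=" v
            }
            found = 1
        }
        { print }
        END { if (!found) print "options nf_conntrack ip_conntrack_disable_ve0=" v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on constructed copies (sample content made up for this example).
demo() {
    dir=$(mktemp -d)
    printf 'IPTABLES="ipt_REJECT iptable_filter iptable_mangle"\n' > "$dir/vz.conf"
    printf 'options nf_conntrack ip_conntrack_disable_ve0=1\n' > "$dir/openvz.conf"
    vz_add_iptables_module "$dir/vz.conf" iptable_nat
    set_ve0_conntrack "$dir/openvz.conf" 0
    cat "$dir/vz.conf" "$dir/openvz.conf"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh fix.sh demo` to see the rewritten copies. Once applied to the real files, the thread's own instructions still hold: the vz.conf change needs the vz service restarted and/or the CT stopped and started, and the modprobe change only takes effect when nf_conntrack is reloaded, which on a running HN means the reboot the reply mentions. Inside the CT, `iptables -t nat -L -n` succeeding is the check that the nat table is now available.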
Re: new centos update broke iptables [message #51396 is a reply to message #51359] Tue, 06 May 2014 07:44
Paparaciz (Senior Member)
And after adding iptable_nat to /etc/vz/vz.conf I can't reproduce the problem disco mentioned...
Re: new centos update broke iptables [message #51397 is a reply to message #51359] Tue, 06 May 2014 08:07
eega (Junior Member)
Thanks, that fixed it!
Re: new centos update broke iptables [message #51405 is a reply to message #51395] Wed, 07 May 2014 16:51
Grrruk (Junior Member)
Paparaciz, you saved me! It was incredibly difficult to find the solution. I have no NAT at all, but my iptables configuration is a little bit hairy, and suddenly the hardware node became inaccessible after that update (VMs were OK, but it was impossible to log in to the HN in any way). Fortunately I had iLO access to the HN...
Re: new centos update broke iptables [message #51414 is a reply to message #51359] Tue, 20 May 2014 07:06
ccto (Member)
ref.: http://kb.parallels.com/en/9630