openVZ7: iptables [message #52601]
Wed, 26 October 2016 09:29
unlim
My cPanel has the option "SMTP restrictions".
This option places the following rules into iptables:
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j RETURN
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j RETURN
But on openVZ7 these rules are not loaded (except one), and in this case all port 25 requests get redirected to localhost, i.e. no email can be sent from such a server.
cPanel support says: "There is something on the node that isn't set that doesn't allow these rules to be loaded."
Is it possible to do something about that?
My settings:
HW /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_conntrack_netbios_ns ipt_owner ipt_REDIRECT ipt_recent"
CT conf:
NETFILTER="full"
P.S. On openVZ6 I also tuned IPTABLES_MODULES in /etc/vz/vz.conf, but it seems openVZ7 no longer has such options.
[Updated on: Thu, 27 October 2016 11:03]
Re: openVZ7: iptables [message #52810 is a reply to message #52601]
Sun, 16 April 2017 03:52
Jcats
Yeah, the problem is:
# modprobe ipt_owner/xt_owner
modprobe: FATAL: Module ipt_owner/xt_owner not found.
This module just doesn't exist on Virtuozzo Linux 7.
I just noticed this tonight as well, which is somewhat of a shock. I would be interested to hear why this module is missing.
CSF Firewall requires it:
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Invalid argument. Run `dmesg' for more information.] - Required for SMTP_BLOCK and UID/GID blocking features
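A defender-side check for the situation in both posts, added here as an example; it is not code from either poster, from cPanel or from CSF. One function probes whether the running kernel accepts a rule using the owner match, using the same insert-and-remove approach that CSF's "Testing ipt_owner/xt_owner" step reports on, and another compares a ruleset dump against the four SMTP-restriction rules quoted in the first post to list which ones failed to load. The throwaway chain name and the sample ruleset are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the forum posts or from cPanel/CSF.
# Two checks for the "owner match missing" problem discussed in this thread.

# The four cPanel "SMTP restrictions" rules quoted in the first post.
EXPECTED_RULES='-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j RETURN
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j RETURN'

# Constructed ruleset dump in iptables-save layout, showing what the first
# post describes: only one of the four owner rules made it into the kernel.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j RETURN
COMMIT'

# Probe whether this kernel accepts a rule that uses the owner match.
# Returns 0 if accepted, 1 if iptables rejects it (the "Invalid argument"
# the CSF test reports), 2 if the probe could not run (no iptables binary,
# or not root). A throwaway chain is used so no live rule is touched; the
# chain name is a constructed placeholder.
owner_match_available() {
    command -v iptables >/dev/null 2>&1 || return 2
    chain="owner_probe_$$"
    iptables -w -N "$chain" 2>/dev/null || return 2
    if iptables -w -A "$chain" -m owner --uid-owner 0 -j RETURN 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    iptables -w -F "$chain" 2>/dev/null
    iptables -w -X "$chain" 2>/dev/null
    return "$rc"
}

# Read a ruleset dump on stdin and print every expected owner rule that is
# absent from it, one per line (nothing printed means all four are loaded).
missing_owner_rules() {
    ruleset=$(cat)
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$ruleset" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Number of missing rules, for scripting and monitoring checks.
count_missing_owner_rules() {
    missing_owner_rules | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample, probe the kernel, and
# check the live ruleset when iptables-save is usable here.
main() {
    echo "Missing from constructed sample:"
    printf '%s\n' "$SAMPLE_RULES" | missing_owner_rules
    if owner_match_available; then
        echo "owner match: accepted by kernel"
    elif [ $? -eq 1 ]; then
        echo "owner match: rejected by kernel (xt_owner not available?)"
    else
        echo "owner match: could not probe (needs iptables and root)"
    fi
    if iptables-save >/dev/null 2>&1; then
        echo "Missing from live ruleset:"
        iptables-save | missing_owner_rules
    fi
}

main
```

The comparison is an exact-line match, so feed it rules in the same form they were written (a real iptables-save dump may render user and group names numerically, in which case normalise the expected list the same way before comparing). A non-zero count from count_missing_owner_rules on the live ruleset is the condition worth alerting on: it means the node's mail traffic is no longer restricted to the intended owners, which is exactly the state the first post ran into.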