OpenVZ Forum


openVZ7: iptables [message #52601] Wed, 26 October 2016 09:29
unlim (Junior Member, 21 messages, registered May 2011, location: Ukraine)
My cPanel has the option "SMTP restrictions".
This option places the following rules into iptables:

-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j RETURN
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j RETURN
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j RETURN

But on OpenVZ 7 those rules are not loaded (except one), and in this case all port 25 requests are redirected to localhost, i.e. no email can be sent from such a server.


cPanel support says: "There is something on the node that isn't set that doesn't allow these rules to be loaded."
Is it possible to do something about that?

My settings:
HW /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_conntrack_netbios_ns ipt_owner ipt_REDIRECT ipt_recent"

CT conf:
NETFILTER="full"


P.S. On OpenVZ 6 I also tuned IPTABLES_MODULES in /etc/vz/vz.conf, but it seems OpenVZ 7 has no such option now.

[Updated on: Thu, 27 October 2016 11:03]


Re: openVZ7: iptables [message #52810 is a reply to message #52601] Sun, 16 April 2017 03:52
Jcats (Junior Member, 13 messages, registered May 2011, location: FL)
Yeah the problem is:

# modprobe ipt_owner/xt_owner
modprobe: FATAL: Module ipt_owner/xt_owner not found.

This module just doesn't exist on Virtuozzo Linux 7.

I just noticed this tonight as well, which is somewhat of a shock. I would be interested to hear why this module is missing.

CSF Firewall requires it:

Testing ipt_owner/xt_owner...FAILED [Error: iptables: Invalid argument. Run `dmesg' for more information.] - Required for SMTP_BLOCK and UID/GID blocking features

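As an added example that ties the two posts together (this is not cPanel's, CSF's or OpenVZ's code): a POSIX shell script that probes whether the iptables owner match works the way CSF's test does, by trying to add a single "-m owner" rule in a throwaway chain and classifying the error, and that only emits the SMTP-restriction ruleset when those exemptions can load, so the catch-all redirect is never installed on its own (the first post describes exactly what happens when it is). The scratch chain name SMTPPROBE, the "--check" flag and the final nat-table REDIRECT rule are assumptions; the four RETURN rules are the ones quoted in the first post.

```shell
#!/bin/sh
# Added example, not code from cPanel, CSF or OpenVZ: probe whether the
# iptables "owner" match (xt_owner) works before installing SMTP-restriction
# rules that depend on it, and refuse to install the catch-all rule when the
# per-owner exemptions cannot be loaded.
# Assumed (hypothetical) names: scratch chain SMTPPROBE and the --check flag.
# The RETURN rules are the ones from the thread; the trailing REDIRECT in the
# nat table is an assumption about the rule cPanel appends after them.

SMTP_PORTS="25,465,587"
PROBE_CHAIN="SMTPPROBE"

# Classify the stderr of an iptables call that used "-m owner".
#   ok      - empty stderr, the rule loaded
#   invalid - userspace parsed the match but the kernel rejected the rule
#             ("Invalid argument"), the symptom CSF reports when the kernel
#             has no xt_owner
#   nomatch - the userspace extension itself could not be loaded
#   other   - anything else (no iptables binary, not root, ...)
classify_owner_error() {
    case "$1" in
        "")                        echo ok ;;
        *"Invalid argument"*)      echo invalid ;;
        *"Couldn't load match"*)   echo nomatch ;;
        *)                         echo other ;;
    esac
}

# Try one owner-match rule in a throwaway chain that is never referenced from
# OUTPUT, so it filters nothing, then print the classification. Needs root.
probe_owner_match() {
    iptables -N "$PROBE_CHAIN" 2>/dev/null
    err=$(iptables -A "$PROBE_CHAIN" -p tcp -m multiport --dports "$SMTP_PORTS" \
            -m owner --uid-owner root -j RETURN 2>&1 >/dev/null)
    iptables -F "$PROBE_CHAIN" 2>/dev/null
    iptables -X "$PROBE_CHAIN" 2>/dev/null
    classify_owner_error "$err"
}

# Print the nat OUTPUT rules in iptables-restore syntax, but only when the
# owner match works. Loading the REDIRECT without the RETURN exemptions would
# send every outbound SMTP connection to localhost, including root's and the
# mail system's own, which is the breakage described in the first post.
build_smtp_rules() {
    [ "$1" = ok ] || return 1
    cat <<EOF
*nat
-A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -m owner --gid-owner mailman -j RETURN
-A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -m owner --gid-owner mail -j RETURN
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports $SMTP_PORTS -m owner --uid-owner cpanel -j RETURN
-A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -m owner --uid-owner root -j RETURN
-A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -j REDIRECT
COMMIT
EOF
}

# Number of rules a ruleset would load (lines starting with "-A").
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A'
}

# Only touch netfilter when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--check" ]; then
    status=$(probe_owner_match)
    echo "owner match: $status"
    if rules=$(build_smtp_rules "$status"); then
        printf '%s\n' "$rules" | iptables-restore --noflush
    else
        echo "xt_owner unavailable; not installing SMTP restrictions" >&2
        exit 1
    fi
fi
```

Run it as root inside the container with --check. On a kernel that lacks xt_owner the probe reports "invalid" and the script exits without installing anything, which is the safe failure for a mail server: outbound mail keeps working unrestricted rather than being silently redirected. The classification and rule generation are pure functions, so they can be exercised without root or a netfilter-capable kernel.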