OpenVZ Forum


IPTables ctstate in VE [message #40325] Wed, 11 August 2010 08:09
Zend:
Good day to all!

HN - Debian 5.0.5, kernel 2.6.26-24

List of loaded modules:
Module                  Size  Used by
vzethdev                9184  0
vznetdev               14564  2
simfs                   4756  1
vzrst                 116564  0
vzcpt                  97860  0
tun                    10148  2 vzrst,vzcpt
vzmon                  23176  5 vzethdev,vznetdev,vzrst,vzcpt
xt_owner                3328  0
ipt_REDIRECT            2560  0
nf_nat_irc              2848  0
nf_nat_ftp              3296  0
iptable_nat             7268  1
nf_nat                 16500  4 ipt_REDIRECT,nf_nat_irc,nf_nat_ftp,iptable_nat
xt_helper               2880  0
nf_conntrack_irc        5892  1 nf_nat_irc
nf_conntrack_ftp        7684  1 nf_nat_ftp
xt_length               2528  0
ipt_LOG                 5924  0
ipt_ttl                 2368  0
xt_tcpmss               2752  0
xt_TCPMSS               4448  0
ipt_REJECT              3552  0
xt_DSCP                 3744  0
xt_dscp                 3136  0
xt_multiport            3584  0
xt_limit                2948  0
iptable_mangle          4640  0
vzdquota               32796  1 [permanent]
ipv6                  242240  33 vzrst,vzcpt,vzmon
vzdev                   3624  4 vzethdev,vznetdev,vzmon,vzdquota
xt_tcpudp               3584  10
nf_conntrack_ipv4      17232  17 iptable_nat,nf_nat
xt_state                2784  9
xt_conntrack            4256  3
nf_conntrack           65480  10 nf_nat_irc,nf_nat_ftp,iptable_nat,nf_nat,xt_helper,nf_conntrack_irc,nf_conntrack_ftp,nf_conntrack_ipv4,xt_state,xt_conntrack
iptable_filter          4288  2
ip_tables              11056  3 iptable_nat,iptable_mangle,iptable_filter
x_tables               14404  18 xt_owner,ipt_REDIRECT,iptable_nat,xt_helper,xt_length,ipt_LOG,ipt_ttl,xt_tcpmss,xt_TCPMSS,ipt_REJECT,xt_DSCP,xt_dscp,xt_multiport,xt_limit,xt_tcpudp,xt_state,xt_conntrack,ip_tables
ext2                   55336  1
loop                   13548  0
psmouse                33104  0
evdev                   8736  0
serio_raw               5508  0
i2c_i801                8688  0
pcspkr                  3200  0
video                  17232  0
rng_core                4708  0
i2c_core               20596  1 i2c_i801
output                  3680  1 video
button                  6864  0
intel_agp              23428  0
agpgart                29576  1 intel_agp
ext3                  106120  1
jbd                    40276  1 ext3
mbcache                 7876  2 ext2,ext3
sd_mod                 22968  4
piix                    7336  0 [permanent]
ide_pci_generic         4676  0 [permanent]
ide_core               97000  2 piix,ide_pci_generic
ata_piix               15236  3
ata_generic             5444  0
libata                141376  2 ata_piix,ata_generic
scsi_mod              130444  2 sd_mod,libata
dock                    9072  1 libata
e100                   29900  0
mii                     5664  1 e100
thermal                15996  0
processor              33568  1 thermal
fan                     4964  0
thermal_sys            11624  4 video,thermal,processor,fan


In IPTables on the HN, rules with ctstate work fine.

In /etc/vz.conf:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ip_tables"


But inside the VE it is not possible to use rules with ctstate.
In the output of iptables -L:
FATAL: Could not load /lib/modules/2.6.26-2-openvz-686/modules.dep: No such file or directory
appears in place of the rules with ctstate.


Could you suggest how to solve this kind of problem?
Re: IPTables ctstate in VE [message #40327 is a reply to message #40325] Wed, 11 August 2010 09:29
RXL_:
Setting up a firewall that allows per-container configuration
Quote:
If you want to use a firewall inside a container, please load these modules BEFORE starting the container:

Quote:
If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file:


... we overcome this difficulty without synthesizing distributed prototypes. (c) M. S. Zhukov
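One way to check the vz.conf setting the reply points at, as an added example that is not from the thread or from OpenVZ: a POSIX sh script that takes an IPTABLES value (the one from the question is embedded as constructed input) and reports whether the conntrack and state-match modules that ctstate rules inside a VE rely on are listed. The module names ipt_state/xt_state and ip_conntrack/nf_conntrack are assumptions drawn from the reply and from the HN's lsmod output, and the conf_iptables helper and the path it reads are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVZ: check whether a vz.conf
# IPTABLES value lists what stateful (ctstate) rules inside a VE need.
# Module names are assumptions based on the thread: the state match as
# 'ipt_state' (the name in the reply) or 'xt_state' (the name in the HN's
# lsmod), and conntrack as 'ip_conntrack' or 'nf_conntrack'.

# The IPTABLES value from the question, embedded here as constructed input.
VZ_IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ip_tables"
# The same value with the state match appended, as the reply suggests.
VZ_IPTABLES_FIXED="$VZ_IPTABLES ipt_state"

# has_module LIST NAME: succeed if NAME appears as a whole word in LIST.
has_module() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_for_state LIST: print the pieces LIST lacks for ctstate rules
# (space separated; empty when nothing is missing).
missing_for_state() {
    missing=""
    has_module "$1" ip_conntrack || has_module "$1" nf_conntrack || missing="ip_conntrack"
    has_module "$1" ipt_state || has_module "$1" xt_state || missing="$missing ipt_state"
    echo "${missing# }"
}

# state_ready LIST: succeed only when nothing is missing.
state_ready() {
    [ -z "$(missing_for_state "$1")" ]
}

# conf_iptables FILE: extract the IPTABLES value from a vz.conf-style file
# (hypothetical helper; pass the host's own config path, such as the
# /etc/vz.conf named in the question).
conf_iptables() {
    sed -n 's/^IPTABLES="\([^"]*\)".*/\1/p' "$1"
}

# Stand-alone run: report on the value from the question and the corrected one.
for v in "$VZ_IPTABLES" "$VZ_IPTABLES_FIXED"; do
    m=$(missing_for_state "$v")
    if [ -n "$m" ]; then
        echo "IPTABLES lacks: $m"
    else
        echo "IPTABLES is sufficient for ctstate rules"
    fi
done
```

Run it against the real file with `missing_for_state "$(conf_iptables /path/to/vz.conf)"`; a non-empty result means the container will not get the state match at start.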