ramblings of an IT professional
Simple IPTables OpenVZ Setup
After looking for, and failing to find, a good article describing the simple process of setting up IPTables on an OpenVZ server, I figured I would write one here. The process is incredibly simple and can be broken down into 3 steps:
- Empty out the contents of /etc/sysconfig/iptables
: > /etc/sysconfig/iptables    # the redirection truncates the file; `cat ""` would only print an error
- Use the following line in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
- Use the following line in /etc/vz/vz.conf:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
After ensuring these three things, stop both vz and iptables, then start iptables, then start vz, in that order. You should then be able to use iptables within a virtualized container.
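The three steps and the restart order above, as an added script that is not part of the original post: it rewrites the two config lines idempotently (so re-running it never leaves duplicate or commented-out copies of the line) and, before starting vz, checks that every module vz.conf allows in containers is also in the node's IPTABLES_MODULES list, since a container can only use modules the node has loaded. It assumes the RHEL/CentOS-style /etc/sysconfig layout and SysV `service` command the post implies; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: apply the three steps above
# idempotently and check the two module lists against each other.
# Assumed: RHEL/CentOS-style /etc/sysconfig files and a SysV "service" command.

NODE_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
VE_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"

# set_conf_var FILE KEY VALUE: replace an existing KEY=... line (even a
# commented-out one) or append it, so re-running never leaves duplicates.
set_conf_var() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^#?" k "=") { if (!done) print k "=\"" v "\""
                             done = 1
                             next }
        { print }
        END { if (!done) print k "=\"" v "\"" }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_conf_var FILE KEY: print the (unquoted) value of the last KEY=... line.
get_conf_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1" | tail -n 1
}

# missing_in_node NODE_FILE VZ_FILE: modules vz.conf allows in containers but
# iptables-config does not load on the node; should be empty before starting vz.
missing_in_node() {
    node=$(get_conf_var "$1" IPTABLES_MODULES)
    for m in $(get_conf_var "$2" IPTABLES); do
        case " $node " in *" $m "*) ;; *) echo "$m" ;; esac
    done
}

# apply_setup: the post's three steps, then its stop/start order.
apply_setup() {
    : > /etc/sysconfig/iptables                         # step 1: empty the rules file
    set_conf_var /etc/sysconfig/iptables-config IPTABLES_MODULES "$NODE_MODULES"
    set_conf_var /etc/vz/vz.conf IPTABLES "$VE_MODULES"
    missing=$(missing_in_node /etc/sysconfig/iptables-config /etc/vz/vz.conf)
    [ -z "$missing" ] || { echo "not loaded on the node: $missing" >&2; return 1; }
    service vz stop; service iptables stop
    service iptables start && service vz start
}

if [ "${1:-}" = apply ]; then apply_setup; fi
```

Run it as `sh setup.sh apply` on the node; without the argument it only defines the functions, which is handy for checking an existing pair of config files with `missing_in_node`.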
Yo Den! I have an addition:
ipt_recent & ipt_REDIRECT should both go in the node/ve vz conf files. Otherwise, you might get
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…FAILED [Error: iptables: Unknown error 4294967295] – Required for PORTFLOOD feature
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]
with the csftest.pl script