Simple IPTables OpenVZ Setup

So after looking and failing to find a good article on how to describe the simple process to set up IPTables on an OpenVZ server, I figured I would write one here. The process is incredibly simple and can be broken down into 3 steps:

  1. Empty out the contents of /etc/sysconfig/iptables
    cat "" > /etc/sysconfig/iptables
  2. Use the following line in /etc/sysconfig/iptables-config:
    IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
  3. Use the following line in /etc/vz/vz.conf:
    IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"

After ensuring these three things, just stop both vz and iptables, start iptables, then start vz. You should then be able to use iptables within a virtualized container.

3 Replies to “Simple IPTables OpenVZ Setup”

  1. Yo Den! I have an addition:
    ipt_recent & ipt_REDIRECT should both go in the node/ve vz conf files. Otherwise, you might get

    Testing ip_tables/iptable_filter…OK
    Testing ipt_LOG…OK
    Testing ipt_multiport/xt_multiport…OK
    Testing ipt_REJECT…OK
    Testing ipt_state/xt_state…OK
    Testing ipt_limit/xt_limit…OK
    Testing ipt_recent…FAILED [Error: iptables: Unknown error 4294967295] – Required for PORTFLOOD feature
    Testing ipt_owner…OK
    Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
    RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]

    with the script

  2. It amazes me how this stuff remains a secret for months or years considering the hours of frustration the lack of info can cause… Thanks DH

    I still can’t get iptables logging to work, but at least things “seem” to be working now as expected. It seems kernel logging in OpenVZ is a bit of a nightmare?

  3. A nightmare is putting it *very* lightly. Luckily, the OVZ version that ships with RHEL6 servers seems to have far more features and overall a more well-rounded approach to virtualization. It won’t make me change my preference from true virt like KVM/Xen, but it lessens my dislike for it.

Leave a Reply

Your email address will not be published. Required fields are marked *