Hi Mikko,

1) You need to enable conntrack support for the container; it is disabled by
default.
IIRC the following command should be enough to enable conntrack support for
the specified container only:
# vzctl set <CTID> --iptables iptable_filter --iptables ip_conntrack --save

2) Also you need to load all modules on the host before loading the rules inside
the container. A container cannot load modules, even indirectly; that's why loading
the iptables rules failed inside the container.
We recommend adding all required modules to the iptables service configuration on
the host.
On CentOS 6 nodes you need to add all used modules to the IPTABLES_MODULES
variable in the /etc/sysconfig/iptables-config file.

Thank you,
        Vasily Averin

On 02/01/2012 03:17 PM, Mikko Vasili Hirvonen wrote:
> Hello users@openvz.org
> 
> I'm trying to upgrade our rhel5 based openvz servers to rhel6 but I got a
> problem with iptables. If I try to use a firewall inside a container, I can
> load rules, but the firewall rejects all incoming packets. The host is redhat-6
> and the container is centos-6. I tested with kernels
> 
> vzkernel-2.6.32-042stab044.17.x86_64
> vzkernel-2.6.32-042stab048.1.x86_64
> vzkernel-2.6.32-042stab049.2.x86_64
> 
> My firewall config
> # Generated by iptables-save v1.4.7 on Wed Feb  1 13:05:26 2012
> *mangle
> :PREROUTING ACCEPT [2:381]
> :INPUT ACCEPT [2:381]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:559]
> :POSTROUTING ACCEPT [4:559]
> COMMIT
> # Completed on Wed Feb  1 13:05:26 2012
> # Generated by iptables-save v1.4.7 on Wed Feb  1 13:05:26 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:559]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Wed Feb  1 13:05:26 2012
> 
> Is it a known problem or is it my misconfiguration? The firewall on redhat-5 is
> functioning fine.
> 
> 

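The two host-side steps from Vasily's reply (grant the container the netfilter modules with vzctl, and list those modules in IPTABLES_MODULES so the host loads them before any container tries to use them), written up as an added example script. This is not code from the thread or from the OpenVZ project; it assumes a CentOS/RHEL 6 style /etc/sysconfig/iptables-config with an IPTABLES_MODULES="..." line, and the module list and container id are placeholders to adjust for the real rule set (the -m state rules in Mikko's config would additionally need xt_state, which is an assumption added here).

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Prepares a CentOS/RHEL 6 OpenVZ host so that conntrack-based rules can be
# loaded inside a container:
#   1) list the needed netfilter modules in IPTABLES_MODULES on the host, so the
#      iptables service loads them (containers cannot load kernel modules);
#   2) give the container access to those modules via vzctl.
# Assumptions: /etc/sysconfig/iptables-config uses IPTABLES_MODULES="..."; the
# module list below is a placeholder to adjust for the real rule set.

CONFIG=/etc/sysconfig/iptables-config
MODULES="iptable_filter ip_conntrack"   # from the reply; -m state rules also need xt_state (assumption)

# add_iptables_modules CONFIG MODULE... : merge MODULE... into IPTABLES_MODULES
# in CONFIG without duplicating entries; prints the merged list.
add_iptables_modules() {
    cfg=$1; shift
    current=$(sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$cfg")
    merged=$current
    for mod in "$@"; do
        case " $merged " in
            *" $mod "*) ;;                              # already present, stay idempotent
            *) merged="${merged:+$merged }$mod" ;;
        esac
    done
    if grep -q '^IPTABLES_MODULES=' "$cfg"; then
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$merged\"/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$merged" >> "$cfg"
    fi
    printf '%s\n' "$merged"
}

# missing_modules PROCMODULES MODULE... : prints the modules that are not
# listed in a /proc/modules-style file (pass /proc/modules on a real host).
missing_modules() {
    procmod=$1; shift
    for mod in "$@"; do
        grep -q "^$mod " "$procmod" || printf '%s\n' "$mod"
    done
}

# Without --apply the script only touches a temporary copy, so it can be run
# anywhere to see what the merge would do. With --apply CTID it edits the real
# config, loads the modules now, and enables them for the container.
case "${1-}" in
    --apply)
        add_iptables_modules "$CONFIG" $MODULES
        for mod in $MODULES; do modprobe "$mod"; done
        vzctl set "${2:?container id required}" \
            --iptables iptable_filter --iptables ip_conntrack --save
        ;;
    *)
        tmpcfg=$(mktemp)
        printf 'IPTABLES_MODULES=""\n' > "$tmpcfg"             # constructed sample config
        echo "merged list: $(add_iptables_modules "$tmpcfg" $MODULES)"
        [ -r /proc/modules ] && echo "not loaded on this host: $(missing_modules /proc/modules $MODULES)"
        rm -f "$tmpcfg"
        ;;
esac
```

Run it once without arguments to check the merge logic and see which of the listed modules the current host has not loaded; run it as root with `--apply <CTID>` to change the host configuration and the container. Because the merge is idempotent, it is safe to re-run after adding further modules to MODULES.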
_______________________________________________
Users mailing list
Users@openvz.org
https://openvz.org/mailman/listinfo/users
