Resolution
This article describes how to configure firewall service provided by iptables inside a container.
First of all, the required modules should be loaded on the node itself. It can be done either by means of host operating system or by Parallels Virtuozzo Containers service:
By means of host OS:
To load the required modules upon hardware node startup, edit iptables configuration file.
-
On RHEL-based Nodes, by editing the /etc/sysconfig/iptables-config file with your favorite text editor and configuring the value of the IPTABLES_MODULES parameter in this file.
-
On SUSE-based Nodes, by editing the /etc/sysconfig/SuSEfirewall2 file (e.g. by means of the YaST2 configuration tool).
Example: To enable modules ip_conntrack_netbios_ns, ip_conntrack, and ip_conntrack_ftp on Red Hat Linux Enterprise 5 edit
/etc/sysconfig/iptables-config and set IPTABLES_MODULE as follows:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp"
Changes will be applied after hardware node restart.
By means of PVC service:
To load the required modules upon
vz service startup, edit vz.conf. Edit
/etc/vz/vz.conf and modify IPTABLES parameter:
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
ATTENTION: There must not be any line breaks in IPTABLES value, all in one line.
Changes will be applied after service vz restart, which implies containers restart as well.
These modules will be available to all containers.
To restrict iptables modlues to the list of particular modules and forbid the others even though they are loaded on the node, use
--iptables option of vzctl.
Example: to enable only ip_table, iptable_filter, ip_conntrack, iptable_nat, and iptable_mangle modules and restrict others run the following command:
~# vzctl set 101 --save --iptables ip_table --iptables iptable_filter --iptables ip_conntrack --iptables iptable_nat --iptables iptable_mangle
These changes will be applied after the container restart.
Also it might be required to increase
numiptent barrier value to be able to add more iptables rules:
~# vzctl set 101 --save --numiptent 400
For more information refer to
Parallels Virtuozzo Containers for linux User's guide, page 309.
No
Yes