Search

Language:  
Search for:

Available article translations:

How do I enable firewall in a Container?

APPLIES TO:
  • Parallels Cloud Server
  • Parallels Virtuozzo Containers for Linux
  • Parallels Server

Resolution

This article describes how to configure firewall service provided by iptables inside a container.

First of all, the required modules should be loaded on the node itself. It can be done either by means of host operating system or by Parallels Virtuozzo Containers service:

  • By means of host OS:

    To load the required modules upon hardware node startup, edit iptables configuration file.

    • On RHEL-based Nodes, by editing the /etc/sysconfig/iptables-config file with your favorite text editor and configuring the value of the IPTABLES_MODULES parameter in this file.
    • On SUSE-based Nodes, by editing the /etc/sysconfig/SuSEfirewall2 file (e.g. by means of the YaST2 configuration tool).

    Example: To enable modules ip_conntrack_netbios_ns, ip_conntrack, and ip_conntrack_ftp on Red Hat Linux Enterprise 5 edit /etc/sysconfig/iptables-config and set IPTABLES_MODULE as follows:

        IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp"
    

    Changes will be applied after hardware node restart.

  • By means of PVC service:

    To load the required modules upon vz service startup, edit vz.conf. Edit /etc/vz/vz.conf and modify IPTABLES parameter:

        IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
    

    ATTENTION: There must not be any line breaks in IPTABLES value, all in one line. Changes will be applied after service vz restart, which implies containers restart as well.

These modules will be available to all containers.

To restrict iptables modules to the list of particular modules and forbid the others even though they are loaded on the node, use --iptables option of vzctl.

Example: to enable only ip_table, iptable_filter, ip_conntrack, iptable_nat, and iptable_mangle modules and restrict others run the following command:

    ~# vzctl set 101 --save --iptables ip_table --iptables iptable_filter --iptables ip_conntrack --iptables iptable_nat --iptables iptable_mangle

These changes will be applied after the container restart.

Also it might be required to increase numiptent barrier value to be able to add more iptables rules:

    ~# vzctl set 101 --save --numiptent 400

For more information refer to Parallels Virtuozzo Containers for linux User's guide, page 317.

Search words:

Module ip_tables not found

firewall

iptables




909d99074e442b52ce54cc7b31cf065d eb0ea3b827d18de2329b6477e24c1d59 2897d76d56d2010f4e3a28f864d69223 ca05eaf5b843fbd53589c90d7228a6df bf1c3a170005eae151f49ba2720abde9

FEEDBACK
Was this article helpful?
Tell us how we may improve it.
Yes No
 
 
 
 
 
 
Desktop Virtualization
- Parallels Desktop 8 for Mac
- Parallels Transporter
- Parallels Desktop Switch to Mac Edition
- Parallels Desktop for Mac Enterprise Edition
- Parallels Management-Mac for Microsoft SCCM
Server Virtualization
- Parallels Cloud Server
- Parallels Containers for Windows 6.0 Beta
- Parallels Virtuozzo Containers
Automation
- Parallels Automation
- Parallels Automation for Cloud Infrastructure
- Parallels Business Automation Standard
- Parallels Virtual Automation
- Parallels Plesk Panel Suite
- Web Presence Builder
- Parallels Plesk Automation
- Parallels Small Business Panel
- Value-added Services for Hosters
- Parallels Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification