RESOLUTION
First of all you should define which iptables modules are available for VEs.
Edit /etc/sysconfig/iptables-config and /etc/sysconfig/vz on the hardware node. Add modules you need into IPTABLES_MODULES= and IPTABLES= lines correspondingly. Please note that all iptables modules in /etc/sysconfig/vz file in IPTABLES parameter should be listed in one single line, no linebreaks are allowed in this parameter.
For example, typical firewall configuration requires the following modules:
ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp The changes will be applied after you load all required modules and restart Virtuozzo service (all VEs will be restarted):
# service vz stop
# service iptables restart
# service vz start Modules you defined will be available for all VEs. However, you can also define a list of iptables modules for each VE using --iptables option of vzctl utility, e.g.:
# vzctl set 101 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
You will probably need to increase the barrier of numiptent parameter in /proc/user_beancounters using vzctl utility. This parameter limits amount of iptables rules which VE owner is allowed to create. For example, this is how you allow to enter 400 iptables rules on VE 101:
# vzctl set 101 --numiptent 400 --save Keywords: firewall, virtuozzo, iptables modules, filter, kernel, iptables, numiptent
English
Chinese
French
German
Japanese
Russian
Spanish