How do I enable firewall in a Container?

APPLIES TO:
  • Parallels Cloud Server
  • Parallels Virtuozzo Containers for Linux
  • Parallels Server

Resolution

This article describes how to configure the firewall service provided by iptables inside a container.

First of all, the required kernel modules must be loaded on the hardware node itself. This can be done either through the host operating system or through the Parallels Virtuozzo Containers (vz) service:

  • By means of host OS:

    To load the required modules when the hardware node starts, edit the iptables configuration file:

    • On RHEL-based Nodes, edit the /etc/sysconfig/iptables-config file with your favorite text editor and set the value of the IPTABLES_MODULES parameter in this file.
    • On SUSE-based Nodes, edit the /etc/sysconfig/SuSEfirewall2 file (e.g. by means of the YaST2 configuration tool).

    Example: to enable the modules ip_conntrack_netbios_ns, ip_conntrack, and ip_conntrack_ftp on Red Hat Enterprise Linux 5, edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES as follows:

        IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp"
    

    The changes take effect after the hardware node is restarted.

  • By means of PVC service:

    To load the required modules when the vz service starts, edit /etc/vz/vz.conf and modify the IPTABLES parameter:

        IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
    

    ATTENTION: The IPTABLES value must be written on a single line, with no line breaks. The changes take effect after the vz service is restarted, which restarts all containers as well.

These modules will then be available to all containers on the node.

To allow a container to use only a particular list of iptables modules, and to forbid the others even though they are loaded on the node, use the --iptables option of vzctl.

Example: to enable only the ip_table, iptable_filter, ip_conntrack, iptable_nat, and iptable_mangle modules in container 101 and block the others, run the following command:

    ~# vzctl set 101 --save --iptables ip_table --iptables iptable_filter --iptables ip_conntrack --iptables iptable_nat --iptables iptable_mangle

These changes take effect after the container is restarted.

It may also be necessary to increase the numiptent barrier value to be able to add more iptables rules to the container:

    ~# vzctl set 101 --save --numiptent 400
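The steps above are easy to get wrong in two ways that only show up after a vz restart: a line break inside the IPTABLES value, and a module listed in vz.conf that is not actually loaded on the node. The following script is an added example, not part of the Parallels article or of the vzctl tool; it reads a vz.conf-style (or iptables-config-style) file, checks that the quoted value sits on one line, compares the listed modules against a /proc/modules-style listing, and prints the vzctl command for a per-container allow-list without running it. The configuration and module listing it works on are constructed sample data, not captured from a real node.

```shell
#!/bin/sh
# Added example: pre-restart checks for the iptables module settings
# described in the article. Functions take file paths so they can be
# pointed at /etc/vz/vz.conf and /proc/modules on a real node; here they
# run against constructed sample files.

# Print the value of NAME="..." from a shell-style config file (quotes
# stripped, first line of the value only). Works for the IPTABLES
# parameter in vz.conf and IPTABLES_MODULES in iptables-config.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | head -n 1 | tr -d '"'
}

# Return 0 when the NAME= line opens and closes its double quotes on the
# same line (the one-line requirement from the article), 1 otherwise.
value_is_single_line() {
    line=$(grep "^[[:space:]]*$2=" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    quotes=$(printf '%s' "$line" | tr -cd '"' | wc -c | tr -d ' ')
    [ "$quotes" -eq 2 ]
}

# Print every module named in the IPTABLES value of CONF that does not
# appear in MODULES_FILE (/proc/modules format: module name is column 1).
missing_modules() {
    conf="$1"; modules_file="$2"
    for m in $(conf_value "$conf" IPTABLES); do
        awk -v mod="$m" '$1 == mod { found = 1 } END { exit found ? 0 : 1 }' \
            "$modules_file" || printf '%s\n' "$m"
    done
}

# Build (but do not run) the vzctl command that restricts container CTID
# to the given allow-list, in the --iptables form shown in the article.
vzctl_restrict_cmd() {
    ctid="$1"; shift
    cmd="vzctl set $ctid --save"
    for m in "$@"; do
        cmd="$cmd --iptables $m"
    done
    printf '%s\n' "$cmd"
}

# --- constructed sample data (not from a real node) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CONF="$SAMPLE_DIR/vz.conf"
BAD_CONF="$SAMPLE_DIR/vz-broken.conf"
MODULES="$SAMPLE_DIR/modules"

cat > "$GOOD_CONF" <<'EOF'
## Global parameters (constructed sample vz.conf)
VIRTUOZZO=yes
IPTABLES="ipt_REJECT ipt_LOG ip_conntrack ipt_state iptable_filter iptable_nat ip_nat_ftp"
EOF

# Same list, but with the line break the article warns against.
cat > "$BAD_CONF" <<'EOF'
IPTABLES="ipt_REJECT ipt_LOG ip_conntrack
ipt_state iptable_filter iptable_nat ip_nat_ftp"
EOF

# /proc/modules-style listing; ip_nat_ftp is deliberately not loaded.
cat > "$MODULES" <<'EOF'
ipt_REJECT 6401 2 - Live 0x00000000
ipt_LOG 8705 1 - Live 0x00000000
ip_conntrack 53025 3 ipt_state,iptable_nat, Live 0x00000000
ipt_state 3009 1 - Live 0x00000000
iptable_filter 3265 1 - Live 0x00000000
iptable_nat 9157 0 - Live 0x00000000
EOF

# Stand-alone run: report what would bite after "service vz restart".
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if value_is_single_line "$f" IPTABLES; then
        echo "$f: IPTABLES value is on one line"
    else
        echo "$f: IPTABLES value is broken across lines - fix before restarting vz"
    fi
done
echo "Listed in vz.conf but not loaded on the node:"
missing_modules "$GOOD_CONF" "$MODULES"
echo "Per-container restriction to apply (then restart the container):"
vzctl_restrict_cmd 101 ip_table iptable_filter ip_conntrack iptable_nat iptable_mangle
```

Point the functions at /etc/vz/vz.conf and /proc/modules to run the same checks on a node; a module reported as missing will load on the next vz restart only if it exists for the running kernel, so it is worth confirming with modprobe beforehand.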

For more information, refer to the Parallels Virtuozzo Containers for Linux User's Guide, page 317.
