Resolution

First of all you should define which iptables modules are available for Containers.

Edit /etc/sysconfig/iptables-config and /etc/sysconfig/vz on the hardware node. Add modules you need into IPTABLES_MODULES= and IPTABLES= lines correspondingly. Please note that all iptables modules in /etc/sysconfig/vz file in IPTABLES parameter should be listed in one single line, no linebreaks are allowed in this parameter.

For example, typical firewall configuration requires the following modules:

The changes will be applied after you load required modules and restart Virtuozzo service (all Containers will be restarted): 

# service vz stop
# service iptables restart
# service vz start

Modules you defined will be available for all Containers. However, you can also define a list of iptables modules for each Container using --iptables option of vzctl utility, e.g.:

vzctl set 101 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

You will probably need to increase the barrier of numiptent parameter in /proc/user_beancounters using vzctl utility. This parameter limits amount of iptables rules which Container owner is allowed to create. For example, this is how you allow to enter 400 iptables rules on Container 101:

# vzctl set 101 --numiptent 400 --save