Article ID: 118909, created on Nov 28, 2013, last review on May 11, 2014

  • Applies to:
  • Virtuozzo
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor


Alien traffic (traffic that belongs to none of the node's containers) received on the hardware node needs to be blocked.

By default, every hardware node acts as a router (the net.ipv4.ip_forward sysctl is enabled) and forwards any traffic it receives according to its routing table. In some network infrastructures this has unwanted consequences: the node can be misused as a default gateway for relaying abusive traffic.


The issue can be solved in the following way:

  1. Add permissive (ACCEPT) rules to the FORWARD chain for each container IP address:

    # for veid in `vzlist -Hao veid` ; do for ip in `awk -F\" '/IP_ADDRESS/{print$2}' /etc/vz/conf/$veid.conf | sed 's~ ~\n~g' | awk -F/ '{print$1}' | egrep -v "[a-z]"` ; do iptables -A FORWARD -s $ip -j ACCEPT ; iptables -A FORWARD -d $ip -j ACCEPT ; done ; done
  2. Set the default policy for the FORWARD chain to DROP:

    # iptables -P FORWARD DROP
    # iptables-save > /etc/sysconfig/iptables
  3. Apply the following patches to the vz-net_add and vz-net_del scripts, so that the rules follow container IP address changes:

    # diff -pruN /etc/sysconfig/vz-scripts/vz-net_add{.orig,}
    --- /etc/sysconfig/vz-scripts/vz-net_add.orig   2013-11-20 12:14:05.910998439 +0700
    +++ /etc/sysconfig/vz-scripts/vz-net_add        2013-11-20 12:19:53.798000008 +0700
    @@ -27,8 +27,6 @@ vzarpipdetect "$IP_ADDR"
     for IP in $IP_ADDR; do
            vzaddrouting $IP
            vzarp add $IP
    +       iptables-save | egrep '\-A FORWARD \-s '$IP'\/32 \-j ACCEPT' >/dev/null || iptables -A FORWARD -s $IP -j ACCEPT
    +       iptables-save | egrep '\-A FORWARD \-d '$IP'\/32 \-j ACCEPT' >/dev/null || iptables -A FORWARD -d $IP -j ACCEPT
     vzarpipset "$IP_ADDR"
     # Save ip address information
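Review bot: the hunk header `@@ -27,8 +27,6 @@` does not match the body (two lines are added, so the new side should be longer than the old side, and neither count equals the lines shown), and the `done` that closes the `for IP in $IP_ADDR` loop is missing from the context, so `patch` will reject this as-is; apply the two `+` lines by hand inside the loop, right after `vzarp add $IP`, or regenerate the diff from the edited file. The existence check is also fragile: `$IP` goes into the egrep pattern unescaped, so each `.` matches any character, and the `/32` suffix only appears in iptables-save output for IPv4 host addresses, so an IPv6 entry in `$IP_ADDR` never matches and then makes `iptables -A FORWARD -s $IP` fail; skip such entries with `case $IP in *:*) continue;; esac` before the check, and escape the dots.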
    # diff -pruN /etc/sysconfig/vz-scripts/vz-net_del{.orig,}
    --- /etc/sysconfig/vz-scripts/vz-net_del.orig   2013-11-20 12:14:26.390999878 +0700
    +++ /etc/sysconfig/vz-scripts/vz-net_del        2013-11-20 12:19:40.125999253 +0700
    @@ -22,8 +22,6 @@ vzgetnetdev
     for IP in $IP_ADDR; do
            vzdelrouting $IP
            vzarp del $IP
    +        iptables -D FORWARD -s $IP -j ACCEPT || true
    +        iptables -D FORWARD -d $IP -j ACCEPT || true
            # Update ip address information
            if [ "${VE_STATE}" = "running" ]; then
                    cat ${VE_STATE_DIR}/${VEID} | tr ' ' '\n' | \
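Review bot: `iptables -D FORWARD -s $IP -j ACCEPT` removes one matching rule per call, so if an ACCEPT rule was loaded more than once (step 1 rerun on a node where the patched vz-net_add had already added it) a stale rule survives the IP removal and keeps forwarding traffic for an address the node no longer hosts; loop on `-D` until it fails instead of a single call, and redirect stderr to /dev/null rather than masking the exit status with `|| true`. The added lines are also indented one column deeper than the surrounding context; match the file's indentation. As in the vz-net_add hunk, the header counts (`@@ -22,8 +22,6 @@`) do not match the body, so `patch` will reject it unless it is regenerated.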

This way, traffic received on the hardware node's network interfaces is forwarded only when its source or destination IP belongs to one of the containers the node hosts.

Note: the solution does not cover the case when virtual machines are configured in routed mode on the same hardware node.
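A re-runnable scripted form of steps 1 and 2, added here as an example; it is not taken from the article or from the Virtuozzo scripts. It assumes container configuration files live under /etc/vz/conf and carry an `IP_ADDRESS="..."` line as the one-liner above expects; the function names (`container_ipv4s`, `rule_exists`, `forward_rules_for`, `apply_forward_policy`) and the `DRY_RUN` and `CONF_DIR` variables are this example's own. It drops IPv6 entries explicitly (iptables manages the IPv4 tables only), and it performs the same iptables-save check the vz-net_add patch relies on, with the dots escaped, so running it twice does not load duplicate rules that a single `iptables -D` would later fail to remove. With `DRY_RUN=1` (the default) it only prints the commands; the sample configuration at the bottom is constructed for the dry run and is not a real container.

```shell
#!/bin/sh
# Added example, not from the article or the Virtuozzo scripts: a re-runnable
# form of steps 1 and 2. Assumptions: container configs live in $CONF_DIR and
# carry an IP_ADDRESS="..." line; DRY_RUN=1 (default) only prints commands.

CONF_DIR="${CONF_DIR:-/etc/vz/conf}"
DRY_RUN="${DRY_RUN:-1}"

# Print the IPv4 addresses (prefix length stripped) from one container config.
# IPv6 entries are dropped: iptables manages the IPv4 tables only.
container_ipv4s() {
    sed -n 's/^IP_ADDRESS="\(.*\)"/\1/p' "$1" \
        | tr ' ' '\n' \
        | sed 's~/.*~~' \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Run the command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if an ACCEPT rule for this direction (s or d) and address is already
# loaded. iptables-save prints a /32 suffix for host addresses, hence the
# pattern; dots in the address are escaped so they match literally.
rule_exists() {
    dir="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    iptables-save 2>/dev/null | grep -qE "^-A FORWARD -$dir $esc/32 -j ACCEPT\$"
}

# Emit source and destination ACCEPT rules for every IPv4 address of one
# container, skipping rules that are already present (step 1, de-duplicated).
forward_rules_for() {
    for ip in $(container_ipv4s "$1"); do
        for dir in s d; do
            if [ "$DRY_RUN" = "1" ] || ! rule_exists "$dir" "$ip"; then
                run iptables -A FORWARD "-$dir" "$ip" -j ACCEPT
            fi
        done
    done
}

# Steps 1 and 2 over all containers known to vzlist, then the DROP policy.
apply_forward_policy() {
    for veid in $(vzlist -Hao veid); do
        if [ -f "$CONF_DIR/$veid.conf" ]; then
            forward_rules_for "$CONF_DIR/$veid.conf"
        fi
    done
    run iptables -P FORWARD DROP
    if [ "$DRY_RUN" != "1" ]; then
        iptables-save > /etc/sysconfig/iptables
    fi
}

# Constructed sample config (not a real container) for a stand-alone dry run:
# prints four iptables -A commands and nothing for the IPv6 address.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
VE_ROOT="/vz/root/101"
IP_ADDRESS="10.0.0.5/24 10.0.0.6 2001:db8::1"
EOF
forward_rules_for "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

On a node, review the dry-run output first and then run `DRY_RUN=0 sh forward-policy.sh` (any file name) as root; `apply_forward_policy` sets the DROP policy only after all container rules are in place, so a container is never cut off between the two steps.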
