Article ID: 126136, created on Jul 10, 2015, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo 6.0

Symptoms

Since Virtuozzo Server 6.0 Update 6 the IPTABLES Container parameter (the vzctl --iptables option) has been replaced by NETFILTER.
The new vzctl --netfilter option sets which iptables modules a Container is allowed to use. The value is saved in the Container configuration, so it is preserved across backup/restore and live migration: if some of the iptables modules allowed for a Container are not loaded on the Hardware Node where that Container has been restored or migrated, they are loaded automatically when that Container starts.
Which modules can be managed by NETFILTER?

Resolution

NETFILTER has four modes. Each mode allows everything the previous one does plus one further group of modules:

  • disabled - no modules are allowed.
  • stateless - (default) all modules except NAT and connection tracking (conntrack) are allowed:
    iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS,
    ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ipt_state,
    ipt_helper, ipt_owner
  • stateful - all modules except NAT are allowed:
    iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS,
    ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack,
    ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, ipt_owner
  • full - all modules are allowed:
    iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS,
    ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack,
    ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper,
    iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_owner

Examples

Change the NETFILTER mode only while the Container is stopped.

  • Disable all iptables modules for Container 101:

    vzctl set 101 --netfilter disabled --save
    
  • Allow all iptables modules (including conntrack and NAT) for Container 101:

    vzctl set 101 --netfilter full --save
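The following script is an added example and is not part of this article or of the Virtuozzo tools. It turns the mode table above and the stop/set/start procedure into a check a node administrator can run before changing a Container: given the modules a Container's firewall rules load (for example a ruleset that needs ip_conntrack or iptable_nat), it computes the least permissive NETFILTER mode that allows all of them, reads the mode currently saved in the Container configuration (falling back to the documented default, stateless, when the parameter is absent), and reports whether a change is needed. The module lists are exactly the ones given in the article; the config path /etc/vz/conf/<CTID>.conf, the NETFILTER="mode" line format and the sample configuration written at the bottom are assumptions made for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the Virtuozzo KB article.
# Assumptions: Container configs live in /etc/vz/conf/<CTID>.conf and store
# the mode as NETFILTER="mode"; the sample config below is constructed.

# Module groups from the article's mode table.
STATELESS_MODS="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ipt_state ipt_helper ipt_owner"
CONNTRACK_MODS="ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack"
NAT_MODS="iptable_nat ip_nat_ftp ip_nat_irc"

# modules_for_mode MODE -> prints the modules that mode allows (none for disabled).
modules_for_mode() {
    case "$1" in
        disabled)  echo "" ;;
        stateless) echo "$STATELESS_MODS" ;;
        stateful)  echo "$STATELESS_MODS $CONNTRACK_MODS" ;;
        full)      echo "$STATELESS_MODS $CONNTRACK_MODS $NAT_MODS" ;;
        *)         return 1 ;;
    esac
}

# mode_allows MODE MODULE -> exit 0 if MODULE is permitted in MODE.
mode_allows() {
    for m in $(modules_for_mode "$1"); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# minimal_mode MODULE... -> least permissive mode allowing every listed module;
# exit 1 if some module is not manageable by NETFILTER at all.
minimal_mode() {
    for mode in disabled stateless stateful full; do
        ok=1
        for need in "$@"; do
            mode_allows "$mode" "$need" || { ok=0; break; }
        done
        if [ "$ok" = 1 ]; then echo "$mode"; return 0; fi
    done
    echo "no NETFILTER mode provides all of: $*" >&2
    return 1
}

# mode_rank MODE -> number so that modes can be compared by permissiveness.
mode_rank() {
    case "$1" in disabled) echo 0;; stateless) echo 1;; stateful) echo 2;; full) echo 3;; *) echo -1;; esac
}

# config_netfilter_mode CONF -> NETFILTER value from the config file, or the
# default "stateless" when the parameter is not set.
config_netfilter_mode() {
    val=$(sed -n 's/^NETFILTER="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo stateless; fi
}

# needed_change CONF MODULE... -> "ok" if the saved mode already allows every
# module, otherwise the mode to pass to vzctl --netfilter.
needed_change() {
    conf=$1; shift
    have=$(config_netfilter_mode "$conf")
    need=$(minimal_mode "$@") || return 1
    if [ "$(mode_rank "$have")" -ge "$(mode_rank "$need")" ]; then
        echo ok
    else
        echo "$need"
    fi
}

# apply_netfilter CTID MODE -> the article's procedure: the Container must be
# stopped when the mode is changed. Only acts where vzctl is installed.
apply_netfilter() {
    if ! command -v vzctl >/dev/null 2>&1; then
        echo "vzctl not found; would run: vzctl set $1 --netfilter $2 --save" >&2
        return 0
    fi
    if vzctl status "$1" | grep -q ' running$'; then vzctl stop "$1"; fi
    vzctl set "$1" --netfilter "$2" --save && vzctl start "$1"
}

# Stand-alone demonstration on a constructed config (not a real Container).
SAMPLE_CONF=$(mktemp)
printf 'VEID="101"\nNETFILTER="stateless"\n' >"$SAMPLE_CONF"
echo "saved mode: $(config_netfilter_mode "$SAMPLE_CONF")"
echo "change for a ruleset using ip_conntrack and iptable_nat: $(needed_change "$SAMPLE_CONF" ip_conntrack iptable_nat)"
rm -f "$SAMPLE_CONF"
```

On a node, point the check at the real config (e.g. `needed_change /etc/vz/conf/101.conf ip_conntrack`) and, if it prints a mode rather than "ok", run `apply_netfilter 101 <mode>` from the Hardware Node; the modules the Container's firewall script then tries to load are the usual cause of the "FATAL: Module ip_tables not found" error listed under Search Words when the mode is too restrictive.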
    

Additional information

For more information regarding IPTABLES configuration refer to [HUB] Configuring IPTABLES on the node and inside containers

Search Words

stateless

IPTABLES_MODULES

iptables: Applying firewall rules: FATAL: Module ip_tables not found.

iptables

--netfilter

csf

stateful

