Article ID: 6691, created on Sep 22, 2009, last review on Aug 12, 2014

  • Applies to:
  • Virtuozzo containers for Linux


When trying to add a rule to a container's firewall via Virtuozzo Power Panel (VZPP) or Parallels Power Panel (PPP) on Parallels Virtuozzo Containers (PVC) 3.0 or PVC 4.0, the following error is shown:

Error:Failed to add the firewall rule to the Input chain.


This happens because Debian and Ubuntu support the "iptables" module at the kernel level, but they ship neither general iptables configuration support nor a service for adjusting it.


To work around this issue, you may create your own version of the OS EZ template and include configuration file support (/etc/default/iptables and /etc/init.d/iptables) from the old distribution (e.g., Debian Woody). You will need to modify pre-install and post-install scripts for the specific OS template to apply iptables changes. 
See an example of configuration settings at the above link, e.g., iptables_1.2.6a-5.0woody2_i386.deb.

The attached script performs all necessary operations automatically, so newly created containers will not have this problem.
It can be used in the following way:
~# wget -c
~# tar -xvzf pva-1994-fix.tgz
~# cd PVA-1994/
~# ./ debian-5.0-x86_64

NOTE: You will need to update the cache after patch installation.
~# vzpkg update cache debian-5.0-x86_64

To fix the issue on containers that were created before the patch was installed, follow these steps:
1. Put the files from the attached archive inside the container, in /etc/default/ and /etc/init.d/ respectively.
2. Create the folder /var/lib/iptables and two empty files inside:
~# mkdir /var/lib/iptables
~# touch /var/lib/iptables/active
~# touch /var/lib/iptables/inactive

3. Add execute permissions to the iptables init script:
~# chmod a+x /etc/init.d/iptables
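
Steps 2 and 3 as a single re-runnable function, given here as an added example (it is not part of the attached archive). The function name and its root-directory argument are assumptions made for illustration, and the final writability check is an extra safeguard that the steps above do not include.

```shell
#!/bin/sh
# Added example: apply steps 2 and 3 under a given root and verify the result.
# fix_ct_iptables and its argument are hypothetical names, not part of the fix archive.
# Pass "/" when running inside the container, or a scratch directory for testing.

fix_ct_iptables() {
    root="${1:-/}"
    root="${root%/}"                      # "/" becomes "" so the paths below stay well-formed
    init="$root/etc/init.d/iptables"
    conf="$root/etc/default/iptables"
    state="$root/var/lib/iptables"

    # Step 1 must already be done: both files from the archive have to be in place.
    for f in "$init" "$conf"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f (copy it from the archive first)" >&2
            return 1
        fi
    done

    # Step 2: state directory and the two files; contents of existing files are kept.
    mkdir -p "$state" || return 2
    for f in active inactive; do
        touch "$state/$f" || return 2
    done

    # Step 3: make the init script executable.
    chmod a+x "$init" || return 3

    # Extra check (not in the article): the init script runs as root at boot,
    # so report an error if group or others can modify it.
    if [ -n "$(find "$init" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "unsafe: $init is writable by group or others" >&2
        return 4
    fi

    # Final verification of everything the steps were supposed to produce.
    [ -x "$init" ] && [ -f "$state/active" ] && [ -f "$state/inactive" ]
}
```

Inside a container, source the file and run `fix_ct_iptables /`; a non-zero return value identifies the step that failed.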

