Symptoms
When trying to add a rule to a container's firewall via Virtuozzo Power Panel (VZPP) or Parallels Power Panel (PPP) on Parallels Virtuozzo Containers (PVC) 3.0 or PVC 4.0, the following error is shown:
Error: Failed to add the firewall rule to the Input chain.
Cause
The reason for this problem is that the Debian/Ubuntu OSes have "iptables" module support at the kernel level, but these OSes have no support for general iptables configuration, nor a service for adjusting it.
Resolution
To work around this issue, you may create your own version of the OS EZ template and include configuration file support (/etc/default/iptables and /etc/init.d/iptables) from the old distribution (e.g., Debian Woody). You will need to modify pre-install and post-install scripts for the specific OS template to apply iptables changes.
See an example of configuration settings at the above link, e.g., iptables_1.2.6a-5.0woody2_i386.deb.
The attached script performs all necessary operations automatically, so newly created containers will not have this problem.
It can be used in the following way:
~# wget -c http://kb.sp.parallels.com/Attachments/11038/Attachments/pva-1994-fix.tgz
~# tar -xvzf pva-1994-fix.tgz
~# cd PVA-1994/
~# ./install.sh debian-5.0-x86_64
NOTE: You will need to update the cache after patch installation.
~# vzpkg update cache debian-5.0-x86_64
To fix the issue on containers that were created before the patch was installed, follow these steps:
1. Copy the files from the attached archive into the container's /etc/default/ and /etc/init.d/ directories, respectively.
2. Create the folder /var/lib/iptables and two empty files inside:
~# mkdir /var/lib/iptables
~# touch /var/lib/iptables/active
~# touch /var/lib/iptables/inactive
3. Add execute permissions to the iptables init script:
~# chmod a+x /etc/init.d/iptables
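A quick way to confirm that an existing container ended up in the state steps 1-3 describe, as an added example (not part of the attached archive or of Parallels' tooling). The function names, the `problems` counter and the extra test for group- or world-writable files are assumptions added here; pass an empty string as the root when running inside the container.

```shell
#!/bin/sh
# Added example: audit a container root for the files the fix above puts in place.

problems=0
report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

# True if the path is writable by group or others (read from the ls -ld mode string).
loose_perms() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: check_iptables_fix ROOT   (ROOT is a path prefix, "" inside the container)
# Prints one line per problem, leaves the count in $problems, returns 0 only if clean.
check_iptables_fix() {
    root=$1
    problems=0

    # Steps 1 and 2: the config file, the init script and the two rule files exist.
    for f in /etc/default/iptables /etc/init.d/iptables \
             /var/lib/iptables/active /var/lib/iptables/inactive; do
        [ -f "$root$f" ] || report "$f is missing"
    done
    [ -d "$root/var/lib/iptables" ] || report "/var/lib/iptables is not a directory"

    # Step 3: the init script must be executable.
    if [ -f "$root/etc/init.d/iptables" ] && [ ! -x "$root/etc/init.d/iptables" ]; then
        report "/etc/init.d/iptables is not executable"
    fi

    # The init script runs as root, so it and the files it works with
    # should not be editable by group or others.
    for f in /etc/default/iptables /etc/init.d/iptables /var/lib/iptables \
             /var/lib/iptables/active /var/lib/iptables/inactive; do
        if [ -e "$root$f" ] && loose_perms "$root$f"; then
            report "$f is writable by group or others"
        fi
    done

    [ "$problems" -eq 0 ]
}
```
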