Article ID: 9630, created on Feb 1, 2011, last review on Aug 12, 2014

Applies to:
  • Virtuozzo containers for Linux 4.6
  • Virtuozzo containers for Linux 4.0
  • Virtuozzo for Linux 3.x


For newer versions of Parallels Containers, refer to this article.

Symptoms vary and may include:
- Some iptables rules not working
- The following error when trying to create an iptables rule in the nat table, or when trying to use the state module (-m state):
# iptables -t nat -L
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.


This problem usually occurs because connection tracking (the ip_conntrack module) is disabled for the HW Node's own environment (VE0) by default, so iptables on a PVC HW Node is not stateful in the default installation.
You can verify this by checking whether you get the same output as below:
# grep conntrack /etc/modprobe.conf
options ip_conntrack ip_conntrack_disable_ve0=1

When connection tracking is disabled, the nat table is never registered, so it does not appear in the list of available tables:
# cat /proc/net/ip_tables_names

Therefore, the ip_nat and ipt_state modules cannot be used on the HW Node.


Note: The state module functionality of iptables can be replaced by adding explicit complementary rules to the INPUT and OUTPUT chains (one rule per direction for each allowed service).
If that workaround is not sufficient, or if you need the nat table, continue reading.
Before you enable connection tracking, we strongly recommend considering the following notes and warnings:
Warning 1: Connection tracking consumes memory and CPU for every tracked flow.
Warning 2: With connection tracking enabled, the HW Node may become completely unreachable from the network under high network load.
This is because the number of connection tracking slots on a physical server is limited. Enabling connection tracking is especially dangerous on a PVC HW Node, because each connection to a container occupies two tracking slots: one for the external leg of the connection and one for the leg between the HW Node and the container. Thus, if a container opens too many connections, the HW Node will no longer be able to create any new connections of its own.
Such a situation can arise from a DDoS attack on any container. The HW Node administrator will not be able to stop it by stopping the CT or adding iptables rules, because they will not be able to log in to the Node.
How to enable “conntracks”:
  1. Check that all necessary modules are loaded on the Hardware Node:
    [root@pvcfl46x64 ~]# lsmod | grep ipt
    ipt_REDIRECT 34944 0
    iptable_nat 43404 0
    ip_nat 53520 4 ipt_REDIRECT,ip_nat_irc,ip_nat_ftp,iptable_nat
    ip_conntrack 101396 10 ip_conntrack_netbios_ns,ip_nat_irc,ip_nat_ftp,xt_helper,xt_conntrack,ip_conntrack_irc,ip_conntrack_ftp,xt_state,iptable_nat,ip_nat
    ipt_recent 43404 1
    ipt_LOG 39808 1
    ipt_TOS 35200 0
    ipt_ttl 34816 0
    ipt_TCPMSS 37248 0
    iptable_mangle 37888 1
    iptable_filter 37760 2
    ipt_tos 34560 0
    ipt_REJECT 39812 0
    ip_tables 57440 3 iptable_nat,iptable_mangle,iptable_filter
    x_tables 52744 21 ipt_REDIRECT,xt_helper,xt_conntrack,xt_state,iptable_nat,ipt_recent,ipt_LOG,ipt_TOS,xt_comment,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables
    [root@pvcfl46x64 ~]#
  2. Add the required modules to the iptables configuration on the Node so they are loaded whenever the service starts:
    [root@pvcfl46x64 ~]# egrep '^IPTABLES_MODULES=' /etc/sysconfig/iptables-config
    IPTABLES_MODULES="ipt_comment ipt_tcp iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_state ip_conntrack_netbios_ns"
    [root@pvcfl46x64 ~]#
  3. Edit the /etc/modprobe.conf and set ip_conntrack_disable_ve0=0:
    [root@pvcfl46x64 ~]# grep conntrac /etc/modprobe.conf
    options ip_conntrack ip_conntrack_disable_ve0=0
    [root@pvcfl46x64 ~]#
  4. Direct kernel messages to a separate log file so the test rule added in step 7 can be verified:
    [root@pvcfl46x64 ~]# egrep "^kern" /etc/syslog.conf
    kern.* /var/log/iptables.log
    [root@pvcfl46x64 ~]#
  5. Restart iptables:
    [root@pvcfl46x64 ~]# service iptables restart
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    Unloading iptables modules: [FAILED]
    Applying iptables firewall rules: [ OK ]
    Loading additional iptables modules: ipt_comment ipt_tcp iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_state ip_conntrack_netbios_ns [ OK ]
    [root@pvcfl46x64 ~]#
  6. Restart syslog:
    [root@pvcfl46x64 ~]# service syslog restart
    Shutting down kernel logger: [ OK ]
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]
    Starting kernel logger: [ OK ]
    [root@pvcfl46x64 ~]#
  7. Add a test rule, e.g., one to log new SSH connections (the rule only loads if the state module works, so it doubles as a check):
    [root@pvcfl46x64 ~]# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attempt --rsource -j LOG --log-prefix "SSH connection attempt: "
    [root@pvcfl46x64 ~]#
  8. Optionally, exempt all other TCP traffic from tracking to save conntrack slots (requires the iptable_raw module; --dport is only valid together with -p tcp):
    iptables -t raw -I PREROUTING -p tcp ! --dport 22 -j NOTRACK
    Untracked packets cannot be NATed or matched with -m state, so do not add this rule for traffic that needs the nat table. It only covers TCP arriving from the network: UDP and ICMP remain tracked, and connections originated by the Node itself pass through the raw OUTPUT chain, not PREROUTING.
  9. Try to log in to the server via SSH while monitoring the log:
    [root@pvcfl46x64 ~]# tail -f /var/log/iptables.log
    Mar 10 07:09:32 pvcfl46x64 kernel: SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:43:65:5c:00:1c:c0:46:1f:e5:08:00 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=40718 DF PROTO=TCP SPT=1478 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
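
The checks described above (the modprobe.conf option, the missing nat table, and the slot-exhaustion warning) can be scripted for a pre-flight check before and after the change. The following is an added example and is not part of the original article or of the Virtuozzo tooling. It reads the same files the article inspects, but every function takes its input as a file path or argument so the script also runs offline against the constructed sample input at the bottom. The "two slots per container connection" ratio is the article's; the 80% warning threshold and the /proc/sys paths named in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# ip_conntrack_disable_ve0 change on a PVC HW Node.

# Returns 0 if the modprobe.conf at $1 disables connection tracking in VE0
# (the article's default), 1 if it is enabled or the option line is absent.
# Commented-out lines are ignored because the match is anchored on "options".
ve0_conntrack_disabled() {
    grep -Eq '^[[:space:]]*options[[:space:]]+ip_conntrack[[:space:]].*ip_conntrack_disable_ve0=1([[:space:]]|$)' "$1"
}

# Returns 0 if the nat table is registered in the ip_tables_names file at $1
# (on a real node: /proc/net/ip_tables_names). With conntrack disabled in
# VE0 the file lists at most filter and mangle.
nat_table_present() {
    grep -qx 'nat' "$1"
}

# Percentage of conntrack slots in use.
# $1 = current count, $2 = table maximum (assumed paths on a 2.6.18-era node:
# /proc/sys/net/ipv4/netfilter/ip_conntrack_count and /proc/sys/net/ipv4/ip_conntrack_max).
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Prints "warn" if a container opening $1 additional connections would push
# table usage to $4 percent or more, else "ok". Each container connection
# costs two slots (external leg + node-to-container leg, per the article).
# $2 = current count, $3 = table maximum, $4 = warning threshold in percent.
headroom_check() {
    [ "$3" -gt 0 ] || { echo warn; return 0; }
    needed=$(( $1 * 2 ))
    if [ $(( ($2 + needed) * 100 / $3 )) -ge "$4" ]; then
        echo warn
    else
        echo ok
    fi
}

# --- demo on constructed sample input (not captured from a real node) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'options ip_conntrack ip_conntrack_disable_ve0=1\n' > "$demo_dir/modprobe.conf"
printf 'filter\nmangle\n' > "$demo_dir/ip_tables_names"

if ve0_conntrack_disabled "$demo_dir/modprobe.conf"; then
    echo "conntrack is disabled in VE0 (ip_conntrack_disable_ve0=1)"
fi
nat_table_present "$demo_dir/ip_tables_names" || echo "nat table absent: iptables -t nat will fail"
echo "conntrack table usage: $(conntrack_usage_pct 52000 65536)%"
echo "container about to open 8000 connections: $(headroom_check 8000 52000 65536 80)"
```

Run it as root on the Node with the three file/argument inputs pointed at the real /proc entries; a "warn" from headroom_check is the signal to raise ip_conntrack_max or to exempt traffic with a raw-table NOTRACK rule before the Node locks you out.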


Q: What exactly does this option do?
A: ip_conntrack_disable_ve0 controls connection tracking in the Node's own environment (VE0). When tracking is disabled, packets are still accepted, forwarded and routed, but the kernel keeps no state about the connection a packet belongs to; each packet is treated as an independent unit.
This also has implications for NAT. To NAT a connection, the kernel must recognise the first packet of the connection and associate every subsequent packet with it, i.e., it must know which packets together form a "connection". That is exactly the state connection tracking stores, so without it the nat table cannot work.

Additional information

For information on how to configure conntrack on PVCfL 4.7 nodes, refer to this article:
113000 Issues with firewall on HW Node - Impossible to use ip_nat and ipt_state modules

