Need basic help with OpenVZ host iptables

aFriend (Member)

I use the following iptables settings on my dedicated server. If I install the OpenVZ kernel and run the same tables below for the host machine, the host machine can no longer resolve DNS.

I am trying to run 1 host with 2 OpenVZ containers (each with their own IP address) for private use. I want the host and containers to have their own iptables. Your help is appreciated.

iptables -F

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
iptables -A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Add some custom ports that need to be opened
iptables -A INPUT -p tcp --dport 17711 -j ACCEPT
iptables -A INPUT -p tcp --dport 17712 -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
# With the OpenVZ kernel, the following line blocks all outbound traffic from the host
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# ONLY on OpenVZ Head Node: this allows access to OpenVZ Containers
iptables -P FORWARD ACCEPT
iptables -F FORWARD

echo "*** outputting the iptables settings before restart "
iptables -L -n
iptables-save | tee /etc/sysconfig/iptables

echo "*** restarting iptables "
service iptables restart

echo "*** outputting the iptables settings after restart "
iptables -L -n

Comments

  • edited July 2014

    Hello!

    It looks like this feature/bug https://bugzilla.openvz.org/show_bug.cgi?id=2755 if you really need connection tracking on CT0 (hardware node).

    I can copy the main part about this issue:

    Due to conntrack impact on venet performance, conntrack need to be disabled
    on the host system (it will still work for containers).

    Adding the following option to /etc/modprobe.d/openvz.conf

       options nf_conntrack ip_conntrack_disable_ve0=1
    

    This change will take effect only after the next reboot.

    NOTE: IF YOU NEED conntrack functionality, edit $file NOW,
    changing =1 to =0. DO NOT REMOVE the line, or it will be re-added!

    Thanked by: aFriend
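The answer above leaves the operator with two decisions: does the CT0 ruleset actually depend on connection tracking (the `-m state` rule in the question does, which is why replies such as DNS answers never match ESTABLISHED once conntrack is off for ve0), and how to flip `ip_conntrack_disable_ve0` without leaving a duplicate or deleted line that vzctl will re-add. The POSIX shell script below is an added example, not code from this thread or from the OpenVZ project. It assumes only the option name quoted in the answer; the sample ruleset, the temp-file paths and the sysfs path used to read the running value are constructed assumptions for the demo and may not exist on your kernel.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a saved ruleset whether the
# OpenVZ hardware node (CT0) actually needs connection tracking, then set the
# ip_conntrack_disable_ve0 option in a modprobe config file idempotently.
# Paths and the sample ruleset below are constructed for the demo.

# Print the rules in an iptables-save file that only work with conntrack:
# state/conntrack matches and anything in the nat table. Exit status 0 if any.
conntrack_dependent_rules() {
    grep -E -- '-m (state|conntrack) |^\*nat$|-j (SNAT|DNAT|MASQUERADE)' "$1"
}

# Value to write: 1 (conntrack disabled on CT0, the OpenVZ default) unless a
# rule in the file depends on conntrack, in which case 0.
wanted_conntrack_ve0() {
    if conntrack_dependent_rules "$1" >/dev/null; then echo 0; else echo 1; fi
}

# Current value in a modprobe config file; prints nothing if the line is absent.
configured_conntrack_ve0() {
    [ -f "$1" ] || return 0
    sed -n 's/^options nf_conntrack .*ip_conntrack_disable_ve0=\([01]\).*/\1/p' "$1" | tail -n 1
}

# Write "options nf_conntrack ip_conntrack_disable_ve0=<0|1>", editing an
# existing line in place rather than appending a duplicate (vzctl re-adds the
# line if it is removed, so it is edited, never deleted).
set_conntrack_ve0() {
    file=$1 val=$2
    case $val in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    line="options nf_conntrack ip_conntrack_disable_ve0=$val"
    if [ -n "$(configured_conntrack_ve0 "$file")" ]; then
        sed "s/^options nf_conntrack .*ip_conntrack_disable_ve0=[01].*/$line/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Value the running kernel uses. The sysfs path is an assumption for OpenVZ
# kernels; it is absent on a stock kernel, so callers must handle empty output.
running_conntrack_ve0() {
    p=/sys/module/nf_conntrack/parameters/ip_conntrack_disable_ve0
    [ -r "$p" ] && cat "$p"
    return 0
}

# Constructed sample: the host ruleset from the question as iptables-save prints it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT
COMMIT'

# Demo on temp files so it is safe to run anywhere; on a real node you would
# pass /etc/sysconfig/iptables and /etc/modprobe.d/openvz.conf instead, then
# reboot (or reload nf_conntrack as described later in the thread).
demo() {
    rules=$(mktemp) conf=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$rules"
    printf 'options nf_conntrack ip_conntrack_disable_ve0=1\n' > "$conf"
    echo "rules that need conntrack on CT0:"
    conntrack_dependent_rules "$rules" || echo "  (none)"
    want=$(wanted_conntrack_ve0 "$rules")
    set_conntrack_ve0 "$conf" "$want"
    running=$(running_conntrack_ve0)
    echo "configured ip_conntrack_disable_ve0=$(configured_conntrack_ve0 "$conf") (running: ${running:-unknown})"
    rm -f "$rules" "$conf"
}
demo
```

If the configured and running values differ, the change has not taken effect yet, which is exactly the state the answer warns about: the edit is only a file until nf_conntrack is reloaded or the node rebooted.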
  • After these fixes you should reboot your node.

  • Thanks pavel. I will try this soon once I have a chance to bring the dedi down.

  • You could try to do this without a reboot. You can do /etc/init.d/vz stop; all CTs will be suspended. After this you should rmmod all iptables modules from lsmod and then start nf_conntrack again with the fixed config: modprobe nf_conntrack.

    After this all will be fine.

  • aFriend (Member)
    edited July 2014

    I believe these instructions worked for me! Thx Pavel! I believe I just did a machine reboot - I didn't try without a reboot.

  • Welcome :)

    Thanked by: csofts