Iptables problem on OpenVZ

bobby Member
edited March 2012 in General

Never had any trouble with this on any other host regardless of virtualization, but I now have one that doesn't support:
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" args. Maybe someone has a solution I can forward them?

Comments

  • Try -A FORWARD instead

  • Probably you can ask your hoster to enable the module 'state'?

  • bobby Member

    I have asked, but I am on 5th day without it getting fixed.

  • If they don't know how to load an iptables module and can't google it in 5 days - it's probably time to move on :)

  • Jacob Member
    edited March 2012

    Depending on what your network device is, this would only allow new (related) and current (established) packets to enter said device.

    "iptables -A OUTPUT -o eth0/venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT"

    Edit: I found another command which may work, but I am pretty sure they both mean near to the same thing.
    "iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0/venet0 -p tcp"

    A quick 5-minute Google and I found that command.

  • Ah, I thought you were on the host node, not that you were a container. My apologies.

    As @yomero pointed out, you'll need the 'state' module. And as @rds100 followed up, you should probably consider moving on if you aren't getting modules inserted for you.

    What kernel is the host node running?

  • bobby Member

    Damian, it's running 2.6.32.

    Problem is the host has said this has been enabled, but it's not; he will investigate.

    "iptables: No chain/target/match by that name." still..

    Thanks for the posts so far. The VPS is decent otherwise, so I'd rather keep it (have some use planned if this gets fixed).

    Cheers :)

  • nocom Member

    From iptables conf

    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  • @nocom: That's what he has already, but with a different chain name. I don't think the order of the states matter.

  • nocom Member

    I have had this for the last 20 days inside fireww.conf; it's working already.

  • bobby Member

    Thanks, but Damian is correct, it's my own firewall script, but well tested and works like I said everywhere else :)

  • bobby Member

    @prometeus OpenVZ solution is great, any input hehe?

  • This could also be caused by some incompatibility between the iptables version and the kernel's implementation of the limit module.
    @bobby What's the distribution you use?
    What exactly is the kernel? (please paste uname -a)

  • bobby Member

    2.6.32-274.7.1.el5.028stab095.1 and I'm using Squeeze 32-bit

  • @bobby that's actually a 2.6.18 OVZ kernel, it just lies that it is 2.6.32 to make some programs happier.

  • And confirmed that it should work fine with this kernel and Squeeze 32-bit:

    testtest:~# uname -a
    Linux testtest 2.6.32-274.7.1.el5.028stab095.1 #1 SMP Mon Oct 24 20:49:24 MSD 2011 i686 GNU/Linux
    testtest:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    testtest:~# iptables -L INPUT
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
  • bobby Member

    Thanks for testing! But I'm asking if OVZ providers can provide their magic on the host side :) All my VPSes are running my fw script without trouble

  • No magic, just load the xt_state module on the node.
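
A small probe, added here and not taken from any poster in the thread, that tries the state match in a throwaway chain before a firewall script relies on it; the chain name and the error-category labels are my own assumptions. It turns the "No chain/target/match by that name." error quoted above into an explicit diagnosis instead of a silently missing ESTABLISHED,RELATED rule.

```shell
#!/bin/sh
# Probe whether the conntrack "state" match is usable inside this container
# before a firewall script depends on it. A rule like
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# that fails silently in a script, followed by a DROP policy, cuts off the
# SSH session and every reply to outgoing traffic.
# Added example, not from the thread; chain name and labels are assumptions.

# Map iptables' stderr text to a short cause label.
# Usage: classify_iptables_error "<stderr text>"
classify_iptables_error() {
    case "$1" in
        "")                                         echo "ok" ;;
        # Message seen in the thread: the match extension is not loaded on the node.
        *"No chain/target/match by that name"*)     echo "missing-module" ;;
        *"you must be root"*|*"Permission denied"*) echo "no-privilege" ;;
        # The filter table itself is unavailable to this container.
        *"can't initialize iptables table"*)        echo "no-table" ;;
        *)                                          echo "unknown" ;;
    esac
}

# Append the rule to a throwaway chain so the live INPUT chain is untouched,
# print the classification, and return iptables' exit status.
probe_state_match() {
    chain="probe_state_$$"          # assumed name; keep it under 29 characters
    iptables -N "$chain" 2>/dev/null || { echo "chain-create-failed"; return 2; }
    # Capture stderr only; stdout is discarded.
    err=$(iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1 >/dev/null)
    rc=$?
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    classify_iptables_error "$err"
    return "$rc"
}

# Run the probe only when invoked directly with --probe (needs root).
if [ "${1-}" = "--probe" ]; then
    probe_state_match
fi
```

Run it as root before the firewall script sets a DROP policy; anything other than "ok" means the ESTABLISHED,RELATED rule would not be installed.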

  • bobby Member

    Nm, host fixed it now :)

  • prometeus Member, Host Rep

    Too late as far as I can see :)

  • Jacob Member

    Ah, I didn't suggest the state module as @yomero suggested it above so I looked for alternative commands to see if it would act the same as your command in the first post.

    Anyway I'm glad the host got the module enabled and resolved this for you.
