Iptables required modules not available in OpenVZ container


Hi, I have an issue with one of the OpenVZ hardware nodes I wanted to use for my personal stuff. I have set up HW nodes in the past and had also successfully installed the CSF firewall in their containers.


But this particular node (CentOS 6.5) is giving me problems: its containers running CentOS give the following error if I try to run csftest.pl:


Inside CT



Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature


RESULT: csf will not function on this server due to FATAL errors from missing modules [1]



On Hardware Node



lsmod | grep ip


ip6t_REJECT 4711 0
ip6table_mangle 3669 0
ip6table_filter 3033 0
ip6_tables 18988 2 ip6table_mangle,ip6table_filter
iptable_nat 6302 0
nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
iptable_mangle 3493 0
iptable_filter 2937 1
xt_multiport 2716 0
nf_conntrack_ipv4 9946 3 iptable_nat,nf_nat
nf_conntrack 80313 8 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,xt_state,nf_conntrack_ipv4
nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
ipt_LOG 6405 0
ipt_REJECT 2399 0
ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
ipv6 322874 110 vzrst,ip6t_REJECT,ip6table_mangle



I have already added the modules list in /etc/vz/vz.conf as:



IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"



I have done this in the past on other nodes, and essentially it just takes making sure the required module is loaded on the HW node and then adding the entries in vz.conf.


But this time it's not working. I have the OpenVZ 2.6.32-042stab090.2 kernel.


I have set (cat /etc/modprobe.d/openvz.conf):

options nf_conntrack ip_conntrack_disable_ve0=0


So that all modules are enabled by default...


Now what's missing?


http://ift.tt/1dvHQ0Z
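
The cross-check the post describes (module loaded on the hardware node, name listed in vz.conf), as an added example that is not part of the original post: it parses csftest.pl output, lsmod output and the IPTABLES line, and reports where each module name of a failed test appears. The sample strings are constructed and abridged from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the output quoted in the post.
CSFTEST = """\
Testing ip_tables/iptable_filter...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
"""
LSMOD = """\
iptable_nat 6302 0
nf_conntrack 80313 8 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,xt_state,nf_conntrack_ipv4
ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
"""
VZCONF = 'IPTABLES="ipt_REJECT ipt_LOG ipt_state iptable_nat"\n'

def failed_tests(text):
    """Return [(module_names, is_fatal)] for every FAILED csftest.pl line."""
    out = []
    for m in re.finditer(r"^Testing (\S+?)\.\.\.FAILED\s*(.*)$", text, re.M):
        out.append((m.group(1).split("/"), m.group(2).startswith("[FATAL")))
    return out

def host_modules(lsmod):
    """Modules loaded on the node: column 1 plus the 'used by' column, since a
    filter such as `grep ip` hides rows like xt_state but keeps them as users."""
    mods = set()
    for parts in (line.split() for line in lsmod.splitlines()):
        if len(parts) >= 3 and parts[1].isdigit():  # skips the header row
            mods.add(parts[0])
            if len(parts) > 3:
                mods.update(n for n in parts[3].split(",") if n and n != "-")
    return mods

def vz_iptables(conf):
    """Names listed in the IPTABLES="..." line of vz.conf."""
    m = re.search(r'^\s*IPTABLES="([^"]*)"', conf, re.M)
    return set(m.group(1).split()) if m else set()

def cross_check(csftest, lsmod, conf):
    """One row per module name of each failed test: (name, fatal, on_host, in_vzconf)."""
    host, listed = host_modules(lsmod), vz_iptables(conf)
    return [(n, fatal, n in host, n in listed)
            for names, fatal in failed_tests(csftest) for n in names]

if __name__ == "__main__":
    for name, fatal, on_host, in_conf in cross_check(CSFTEST, LSMOD, VZCONF):
        print(f"{name:14} fatal={fatal!s:5} host={on_host!s:5} vz.conf={in_conf}")
```

On a real node, feed it the full output of `csftest.pl` from the container, unfiltered `lsmod` from the hardware node, and the contents of /etc/vz/vz.conf.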
