Iptables required modules not available in OpenVZ container

SaahibSaahib Member

Hi,
I have an issue with one of the OpenVZ hardware nodes I wanted to use for my personal stuff. I have set up HW nodes in the past and had successfully installed the CSF firewall in their containers.

But this particular node (CentOS 6.5) is giving me a problem: its containers, running CentOS, give the following errors if I try to run csftest.pl:

Inside CT

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]

On Hardware Node

lsmod | grep ip

ip6t_REJECT 4711 0
ip6table_mangle 3669 0
ip6table_filter 3033 0
ip6_tables 18988 2 ip6table_mangle,ip6table_filter
iptable_nat 6302 0
nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
iptable_mangle 3493 0
iptable_filter 2937 1
xt_multiport 2716 0
nf_conntrack_ipv4 9946 3 iptable_nat,nf_nat
nf_conntrack 80313 8 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,xt_state,nf_conntrack_ipv4
nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
ipt_LOG 6405 0
ipt_REJECT 2399 0
ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
ipv6 322874 110 vzrst,ip6t_REJECT,ip6table_mangle

I have already added the module list in /etc/vz/vz.conf as:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

I have done this in the past on other nodes, and essentially it just takes making sure the required module is loaded on the HW node and then adding the entries in vz.conf.

But this time it's not working.
I have the OpenVZ 2.6.32-042stab090.2 kernel.

I have set:
cat /etc/modprobe.d/openvz.conf
options nf_conntrack ip_conntrack_disable_ve0=0

so that all modules are enabled by default...

Now what's missing?

Comments

  • jarjar Provider
    edited June 2014

    Every guide you find on google is now wrong. Fortunately, the new way is even easier.

    http://openvz.org/Man/vzctl.8#Netfilter_.28iptables.29_control_parameters

    Set to full.


  • SaahibSaahib Member
    edited June 2014

    Thanks for the pointer, it was really helpful.

    Now, today, when I carefully observed vz.conf, I found this:

    WARNING: IPTABLES parameter is deprecated,
    use per-container (not global!) NETFILTER instead

    So, it's now a per-container affair...!!!

  • It's not that hard. It's actually easier than the old method was, given that before you had to give it ALL the iptables modules manually. Now it's just one command and done.

  • csoftscsofts Member

    I am also facing this issue. When I test iptables, this error comes up. This error is coming in all my VPSes. How can I configure this from the dedicated server? I am using OpenVZ.
    Testing iptables...

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for csf to function
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature

    RESULT: csf will not function on this server due to FATAL errors from missing modules [1]
    ...Done.

    You should restart csf after having run this test.

  • nstormnstorm Member

    It's been a long time since it became possible to use it per container. That is a good thing. You don't want to have every container with all the same modules.

    But the bad thing is the new NETFILTER option, which "replaces obsoleted --iptables". It's easier to use, but it doesn't offer such flexibility as --iptables does. What if I want to enable my custom l7 modules? Hopefully the meaning of "obsolete" is just wrong and they leave the --iptables option as an alternative as is.

  • jarjar Provider
    edited June 2014

    nstorm said: Hopefully the means of "obsolete" is just wrong

    Possible. I mean, UBC values still have many valuable purposes despite the hilarious notion in their documentation that vSwap is its replacement. Right, because a swap memory trick replaces tcpsndbuf....

    Sometimes I don't know what they're thinking when they word things the way that they do.


  • SaahibSaahib Member

    @nstorm said:
    It's been a long time since it became possible to use it per container. That is a good thing. You don't want to have every container with all the same modules.

    But the bad thing is the new NETFILTER option, which "replaces obsoleted --iptables". It's easier to use, but it doesn't offer such flexibility as --iptables does. What if I want to enable my custom l7 modules? Hopefully the meaning of "obsolete" is just wrong and they leave the --iptables option as an alternative as is.

    Well, that's what came to my mind first; they further said in the docs that in future there will be no need for NETFILTER either, as it will be available by default.

  • csoftscsofts Member

    Nobody has answered my question. I am still waiting: how can I fix this issue?

  • SaahibSaahib Member

    @csofts said:
    Nobody has answered my question. I am still waiting: how can I fix this issue?

    On your host node (assuming the CTID is 1011), type the following:

    vzctl set 1011 --netfilter full --save

    For more details, read the link provided by jar in second post here.

  • csoftscsofts Member

    @Saahib said:
    For more details, read the link provided by jar in second post here.

    I have set this up:
    vzctl set 102 --netfilter full --save
    After that I received this error on the console.

    Last login: Fri Jul 4 15:40:28 2014 from 182.186.213.142
    [[email protected] ~]# vzctl set 102 --netfilter full --save
    Unable to set iptables/netfilter on a running container
    WARNING: Some of the parameters could not be applied to a running container.
    Please consider using --setmode option
    UB limits were set successfully
    CT configuration saved to /etc/vz/conf/102.conf
    [[email protected] ~]#

    is this ok?

  • SaahibSaahib Member

    That's fine; on the next container reboot, things should be as desired.
    You can use the following so that it restarts itself to apply the changes you made:

    vzctl set 1011 --netfilter full --save --setmode restart
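
The procedure in the posts above (set the container's netfilter level to "full" on the hardware node, restart the CT, then re-run csftest.pl inside it) as an added shell example. This is not code from the thread or from the vzctl or csf projects. It assumes vzctl with the --netfilter, --setmode and exec subcommands described in the vzctl man page linked earlier, per-container configs under /etc/vz/conf/<CTID>.conf, and csftest.pl at /etc/csf/csftest.pl inside the container; the script name and VZCTL override are my own.

```shell
#!/bin/sh
# Added example (not from this thread or from the vzctl/csf projects):
# on the OpenVZ hardware node, show a container's saved NETFILTER level,
# raise it to "full" with a restart so it applies to a running CT, then run
# csftest.pl inside the CT and summarise the failures it reports.
# Assumptions: vzctl with --netfilter/--setmode/exec, per-CT configs in
# /etc/vz/conf/<CTID>.conf, and csftest.pl at /etc/csf/csftest.pl in the CT.

VZCTL=${VZCTL:-vzctl}   # set VZCTL=echo for a dry run

# Print the NETFILTER value saved in a CT config (empty if not set).
current_netfilter() {
    sed -n 's/^NETFILTER="\([^"]*\)".*/\1/p' "$1"
}

# Read csftest.pl output on stdin; print "FATAL <test>" or "ERROR <test>"
# for every FAILED line. Exit status 1 if any FATAL failure was seen,
# mirroring csftest's own "csf will not function" verdict.
csftest_failures() {
    awk '
        { sub(/^[ \t]*/, "") }
        /\.\.\.FAILED \[FATAL/ { sub(/^Testing /, ""); sub(/\.\.\.FAILED.*/, ""); print "FATAL " $0; fatal = 1; next }
        /\.\.\.FAILED/         { sub(/^Testing /, ""); sub(/\.\.\.FAILED.*/, ""); print "ERROR " $0 }
        END { exit fatal ? 1 : 0 }
    '
}

# NETFILTER levels: stateless gives filter/mangle, stateful adds connection
# tracking (the ipt_state/xt_connlimit tests), full adds NAT (the iptable_nat
# tests). --setmode restart is needed because vzctl refuses to change
# netfilter on a running CT.
set_netfilter_full() {
    "$VZCTL" set "$1" --netfilter full --save --setmode restart
}

# Run csftest.pl inside the CT; exit status comes from csftest_failures.
check_ct() {
    "$VZCTL" exec "$1" perl /etc/csf/csftest.pl | csftest_failures
}

# Usage: sh ct-netfilter.sh <CTID>
if [ $# -ge 1 ]; then
    ctid=$1
    echo "CT $ctid: saved NETFILTER='$(current_netfilter "/etc/vz/conf/$ctid.conf")'"
    set_netfilter_full "$ctid"
    if check_ct "$ctid"; then
        echo "CT $ctid: csftest reports no FATAL failures"
    else
        echo "CT $ctid: csftest still reports FATAL failures" >&2
        exit 1
    fi
fi
```

Run it as `VZCTL=echo sh ct-netfilter.sh 102` first to see the exact vzctl commands without touching the container. The csftest parser treats only the lines csftest itself marks FATAL as blocking, so a node that only lacks CONNLIMIT or MESSENGER support still exits 0, matching csftest's "csf should function" verdict.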

  • csoftscsofts Member

    Thank you so much; after 2 months I have resolved this issue.

  • csoftscsofts Member

    good News.

    Testing iptables...

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server

  • SaahibSaahib Member

    That's good... good luck, Junaid.

  • csoftscsofts Member

    @Saahib said:
    That's good... good luck, Junaid.

    Saahib, now I am facing another issue. FTP stops at MLSD. FTP is not working with the CSF firewall. Tell me the solution.

  • SaahibSaahib Member

    If it's only because of the firewall, then in /etc/csf/csf.conf search for TCP_IN and TCP_OUT and see if the port range 30000:35000 is added. If not, do add the port range 30000:35000.

    Now restart CSF on the container; that should solve it.
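
The csf.conf edit described above, as an added shell example that is not part of the thread or of the csf project. It adds a port range to both TCP_IN and TCP_OUT without duplicating it on a second run, and refuses to act if the key is missing. It assumes csf.conf's `KEY = "comma,separated,list"` line format and that 30000:35000 is the range the FTP daemon itself has been told to use for passive data connections (PassivePorts in proftpd, PassivePortRange in pure-ftpd); the script name and function names are my own.

```shell
#!/bin/sh
# Added example (not from this thread or from the csf project): make sure a
# passive-FTP port range is listed in both TCP_IN and TCP_OUT of csf.conf,
# without duplicating it if it is already there. Assumes csf.conf's
# 'KEY = "comma,separated,list"' line format and that the range matches the
# FTP daemon's own passive-port setting (PassivePorts in proftpd,
# PassivePortRange in pure-ftpd); otherwise MLSD/LIST will still hang.

# Print the list currently assigned to KEY in CONF (empty if KEY is absent).
get_list() {
    conf=$1 key=$2
    sed -n "s/^$key *= *\"\([^\"]*\)\".*/\1/p" "$conf"
}

# Return 0 if ITEM already appears as a whole list entry under KEY
# (so "3000" does not match "30000:35000").
has_item() {
    case ",$(get_list "$1" "$2")," in
        *,"$3",*) return 0 ;;
    esac
    return 1
}

# Append ITEM to KEY's list in CONF if it is missing. Fails (status 1)
# when CONF has no KEY line at all, rather than silently inventing one.
ensure_item() {
    conf=$1 key=$2 item=$3
    if ! grep -q "^$key *=" "$conf"; then
        echo "$key not found in $conf" >&2
        return 1
    fi
    has_item "$conf" "$key" "$item" && return 0
    current=$(get_list "$conf" "$key")
    if [ -z "$current" ]; then new=$item; else new="$current,$item"; fi
    # Rewrite only the quoted value; anything after the closing quote is kept.
    sed "s/^$key *= *\"[^\"]*\"/$key = \"$new\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Usage: sh csf-passive-ports.sh /etc/csf/csf.conf 30000:35000 && csf -r
if [ $# -ge 2 ]; then
    ensure_item "$1" TCP_IN "$2" && ensure_item "$1" TCP_OUT "$2"
fi
```

Both directions are needed: TCP_IN for clients connecting to the passive data port on the server, TCP_OUT because CSF also filters outbound connections and the server-side of the data transfer must be allowed to reply. Restart CSF afterwards (csf -r) so the new rules are loaded.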

  • csoftscsofts Member

    Yes, I have resolved this issue. Thanks for the answer.
