iptables module inside openvz container

cause Member
edited January 2013 in Help

I'm trying to block a kind of DNS amplification attack with the string iptables module inside an OpenVZ container.
I've asked the VPS hoster to enable the module, and kindly all supported modules were loaded.

The module seemed to be loaded and "string" appeared in /proc/net/ip_tables_matches, but I could not add rules.

The simplest rule returns:

$ sudo iptables -t filter -A INPUT -m string --algo bm --string "test"

iptables: Invalid argument. Run `dmesg' for more information.

Is there something I have to do in container?

The VPS is a CentOS 6.3 32-bit minimal template; uname is
Linux *** 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 i686 i386 GNU/Linux

Thanks.

Comments

  • What does dmesg | tail show after you run that command?

    Also, "-t filter" isn't needed for this as filter is the default table.

  • Damian Member
    edited January 2013

    Your iptables string doesn't specify what it's supposed to do with matches (no -j argument). It also appears that protocol and port are required with string.

    See: http://wiztelsys.com/Article_iptables_bob2.html

  • cause Member
    edited January 2013

    Thanks for the reply.

    @secforus_ehansen
    dmesg and /var/log/dmesg show nothing. Maybe the OpenVZ kernel handles it on the host node.
    Tried without "-t filter", but it returns the same error.

    @Damian
    The string module requires this option. iptables rules only count packets if there is no jump target.

  • cause Member
    edited January 2013

    I finally found there is a bug in the OpenVZ kernel. This problem also happens on my local machine.
    Now I'm using the "recent" module as a substitute. It works with the recent OpenVZ kernel. Really, thanks.

  • @cause said: I finally found there is a bug in openvz kernel.

    Did you submit a bug report?

  • Filed on the OpenVZ Bugzilla. But it seems the Bugzilla has not been maintained for months...

    Now I'm using a "length" + "recent" dynamic filter to block the DNS amp attack. It seems to work on 2.6.32.* kernels.
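The "length" + "recent" filter described in that last post, written out as an added example (this is not cause's ruleset, which the thread never shows): small UDP queries to port 53 are tracked per source in a "recent" list, and a source exceeding the hit count in the window is dropped. The list name dnsamp, the 0:60 byte length range, and the 20-hits-per-10-seconds threshold are assumptions to tune against real traffic; the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: rate-limit inbound DNS queries with the iptables "length"
# and "recent" matches. Defaults are assumed values, not from the thread.
LEN_RANGE="${LEN_RANGE:-0:60}"   # assumed packet length range of the queries to track
LIST="${LIST:-dnsamp}"           # assumed name of the "recent" list
WINDOW="${WINDOW:-10}"           # seconds
HITS="${HITS:-20}"               # queries per source per window before dropping

# Run iptables for real only when APPLY=1; otherwise print the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

dns_amp_rules() {
    # 1. A source already in the list that has sent HITS queries within
    #    WINDOW seconds is dropped (--update also refreshes its timestamp).
    ipt -A INPUT -p udp --dport 53 -m length --length "$LEN_RANGE" \
        -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # 2. Otherwise record this query for the source and let it through.
    ipt -A INPUT -p udp --dport 53 -m length --length "$LEN_RANGE" \
        -m recent --name "$LIST" --set -j ACCEPT
    # 3. Queries outside the tracked length range are accepted as normal.
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
}

dns_amp_rules
```

Because the drop rule precedes the set rule, a source's hit count is checked before the current packet is recorded, so exactly HITS queries per window are allowed before blocking starts.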
