Symptoms
Since Virtuozzo Server 6.0 Update 6, the IPTABLES parameter has been replaced by NETFILTER.
The new vzctl --netfilter command allows you to set the state of iptables modules for a Container, including for backup/restore and live migration. If some of the iptables modules allowed for a Container are not loaded on the Hardware Node where that Container has been restored or migrated, they are loaded automatically when that Container starts.
Which modules can be managed by netfilter?
Resolution
netfilter has 4 modes:
- disabled - no modules are allowed.
- stateless - (default) all modules except NAT and conntrack are allowed:
  iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ipt_state, ipt_helper, ipt_owner
- stateful - all modules except NAT are allowed:
  iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, ipt_owner
- full - all modules are allowed:
  iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_owner
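Before lowering a Container's mode, it helps to know which mode its existing rules actually need. The following shell script is an added example (not part of this article or of vzctl): it reads iptables-save output on stdin and prints the lowest mode whose module list above covers every rule. The mapping from iptables matches and targets to kernel module names, and the sample rule set, are assumptions of this example.

```shell
# Module allow-lists per --netfilter mode, taken from the lists above.
STATELESS="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ipt_state ipt_helper ipt_owner"
STATEFUL="$STATELESS ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack"
FULL="$STATEFUL iptable_nat ip_nat_ftp ip_nat_irc"
# Print the modules one iptables-save rule line needs. The mapping is an assumption of
# this example: -m X -> ipt_X, -j X -> ipt_X for listed targets, nat table/targets -> iptable_nat.
rule_modules() {
    echo "iptable_$1"; shift      # the table itself (filter, mangle, nat)
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) case "$2" in
                    state|conntrack|helper|limit|multiport|tos|tcpmss|ttl|length|owner) echo "ipt_$2" ;;
                esac ;;           # tcp/udp/icmp matches assumed built into ip_tables
            -j) case "$2" in
                    LOG|REJECT|TCPMSS|TOS) echo "ipt_$2" ;;
                    MASQUERADE|SNAT|DNAT|REDIRECT) echo iptable_nat ;;
                esac ;;           # ACCEPT/DROP/user chains need no extra module
        esac
        shift
    done
}
# Read iptables-save text on stdin and print the lowest --netfilter mode
# whose allow-list contains every module the rules need.
required_mode() {
    table=filter; needed=""
    while IFS= read -r line; do
        case "$line" in
            \**) table=${line#\*} ;;
            -A*|-I*) needed="$needed $(rule_modules "$table" $line)" ;;
        esac
    done
    for mode in stateless stateful full; do
        case $mode in stateless) allowed=$STATELESS ;; stateful) allowed=$STATEFUL ;; full) allowed=$FULL ;; esac
        ok=1
        for m in $needed; do
            case " $allowed " in *" $m "*) ;; *) ok=0 ;; esac
        done
        [ "$ok" = 1 ] && { echo "$mode"; return 0; }
    done
    echo unsupported; return 1
}
# Constructed sample: rules that masquerade traffic, so they need --netfilter full.
SAMPLE='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
printf '%s\n' "$SAMPLE" | required_mode   # prints: full
```

Run it inside the Container as `iptables-save | sh check-mode.sh` (with the sample lines removed) to see the mode the live rule set requires.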
Examples
The netfilter mode should be configured for a stopped Container only.
Disable iptables modules for Container 101:
vzctl set 101 --netfilter disabled --save
Enable all iptables modules for Container 101:
vzctl set 101 --netfilter full --save
Additional information
For more information regarding IPTABLES configuration, refer to [HUB] Configuring IPTABLES on the node and inside containers.