You just need to make sure that iptables is running on the host in some way
or another.If you run lsmod on it you should see these modules:
xt_multiport 12597 2
iptable_filter 12810 2
ip_tables 27473 1 iptable_filter
x_tables 29891 3 xt_multiport,iptable_filter,ip_tables
If it's not there it's not loaded and can't share with the containers. I
have the hosts on a separate and much more secure network so I didn't think
about a firewall.
The easiest thing is to install fail2ban on the host. It just watches ssh
or whatever services you define for brute force attacks by using iptables.
It's useful and sets iptables rules. Alternately setup a firewall on the
host or load the iptables modules in /etc/modules at boot on the host.
On Wed, Jan 15, 2014 at 3:25 AM, Gandhi, Ibha (HP Software) ib...@hp.comwrote:
Hi John,
Even I am facing similar issue, container throws this error:
ubuntu@root-local-machine-2:~$ iptables -L
FATAL: Could not load /lib/modules/3.11.0-12-generic/modules.dep: No such
file or directory
iptables v1.4.12: can't initialize iptables table `filter': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
It’ll be great if you can share what changes you made in init scripts.
Thanks,
- Ibha
*From:* lxc-users-boun...@lists.linuxcontainers.org [mailto:
lxc-users-boun...@lists.linuxcontainers.org] *On Behalf Of *John Baker
*Sent:* Wednesday, January 15, 2014 2:09 AM
*To:* LXC users mailing-list
*Subject:* Re: [lxc-users] iptabes kernel modules not loading in
containers
Yes, that was it thanks.
On Tue, Jan 14, 2014 at 3:31 PM, Stéphane Graber stgra...@ubuntu.com
wrote:
On Tue, Jan 14, 2014 at 03:00:32PM -0500, John Baker wrote:
Hi,
I'm using lxc in 12.04.4 LTS and seem to have a chronic issue with the
iptables modfule not loading inside a container. I have found that it
does
sometimes work and my coworker never seems to have problems with it in
the
servers he runs. But it happens all the time on mine and I can't see
anything at all that we do differently. Sometimes it will start running
inside a container and then mysteriously have stopped next time I check
in.
I can't find any error messages pertaining to it besides the one I get
when
I try to load rules or view the set loaded.
The only fix I have been able to come up with is to manually
copy /lib/modules/kernel ver.-generic/modules.dep and net directory
from
the host into the container. Then it seems willing to load iptables
modules
consistently but always breaks when the kernel is updated on the host and
has to be redone.
Any ideas on what I might be missing? Is there a cgroup I should include
for sharing iptables modules?
Kernel modules aren't loaded per-container but globally for the whole host.
It's not recommended (and usually blocked by either dropping the
capability or by having apparmor prevent it) to load modules from within
a container. Instead you should make sure all your kernel modules are
loaded from the host before you start your containers.
I suspect the difference between your server and your colleague's is
that he has some init scripts or something else calling iptables before
he starts his containers which will load any modules required by his
container.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
--
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
--
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
