Re: [Users] CVE-2014-0196

2014-05-14 Thread Benjamin Henrion
On Tue, May 13, 2014 at 5:56 PM, Kir Kolyshkin k...@openvz.org wrote:
 We are receiving a lot of inquiries as to what the status of the OpenVZ
 kernel is with respect to CVE-2014-0196. This email summarizes our
 knowledge as of now.

 1. RHEL5-based OpenVZ kernels (028stabXXX) are not affected.

 2. RHEL6-based OpenVZ kernels (042stabXXX) released during last 12 months
 are not affected.

 3. Older 042stab kernels are affected. Therefore, if you run a kernel
 released before May 2013 (see uname -v), please upgrade and reboot now.

 4. Both the OpenVZ kernel team and Red Hat are still looking into the issue;
 an updated kernel might be available.

Can you tell me if 061.2 is affected?

-- 
Benjamin Henrion bhenrion at ffii.org
FFII Brussels - +32-484-566109 - +32-2-4148403
In July 2005, after several failed attempts to legalise software
patents in Europe, the patent establishment changed its strategy.
Instead of explicitly seeking to sanction the patentability of
software, they are now seeking to create a central European patent
court, which would establish and enforce patentability rules in their
favor, without any possibility of correction by competing courts or
democratically elected legislators.
___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users


Re: [Users] problem with iptables inside VE

2014-05-14 Thread Sergey Ivanov
Dear Nikolay, you are right!
I just saw in /etc/vz/vz.conf the lines:
---

## WARNING: IPTABLES parameter is deprecated,
## use per-container (not global!) NETFILTER instead

## iptables kernel modules to be loaded by init.d/vz script
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport
iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length
ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

---

vzctl --help does not say anything about netfilter, but man vzctl has:

---

   Netfilter (iptables) control parameters

   --netfilter disabled|stateless|stateful|full
  Restrict access to netfilter/iptables modules for  a  container.
  This option replaces obsoleted --iptables.

  The following arguments can be used:
   · disabled -- no iptables allowed
   ·  stateless  --  everything  but conntracks and NAT is allowed
  (i.e. filter and mangle)
   · stateful -- everything but NAT is allowed
   · full -- all netfilter functionality

---

When I checked and ensured /etc/vz/conf/12753.conf has a NETFILTER line
and no IPTABLES line, everything started working as expected.

I guess this problem is caused by some change in the interface between
the netfilter kernel modules and the iptables binary in Fedora-20, so that
the guest tries to manage the vzkernel in a manner incompatible with it
when NETFILTER is not defined properly.

-- 

   Regards,

   Sergey Ivanov.



On Wed, May 14, 2014 at 12:32 AM, knawnd kna...@gmail.com wrote:

  Hello, Sergey!

 Another assumption: if you use vzctl-4.7.x and have NETFILTER [1]
 parameter set to stateless in container's config file then try to change
 it to full.

 Best regards,
 Nikolay.

 [1]
 https://github.com/kolyshkin/vzctl/commit/9b8afa654945acc6d3bd782f622aaf9c54e4e87b


 On 05/14/14 02:28, Jean-Marc Pigeon wrote:

 Bonjour Sergey,


 HOST: /etc/vz/vz.conf, could be your IPTABLES definition Wrong??

 IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos ipt_limit
 ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl
 ipt_length"


 Quoting Sergey Ivanov se...@cs.umd.edu se...@cs.umd.edu:

 Hi,
 I need help with openvz setup.
 Here is the problem. In VE I have:
 ---
 # iptables -S
 -P INPUT ACCEPT
 -P FORWARD ACCEPT
 -P OUTPUT ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j LOG --log-prefix "ipt.forward: " --log-level 7
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 ---
 and when I try to ssh to the VE, it fails, and in dmesg I see lines about
 it like these (I've modified the MAC):
 ---
 [ 9343.653892] ipt.input: IN=eth0 OUT=
 MAC=00:de:ad:be:af:da:de:ad:be:af:de:ad:be:af SRC=10.0.128.117
 DST=10.0.127.53 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1295 DF PROTO=TCP
 SPT=48744 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
 ---
 Immediately after "service iptables stop" I have a working ssh service and
 can log in to the VE remotely. I want to do this with iptables.

 I use RHEL6 as the HE and tried Fedora-20 downloaded from
 http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz. I use
 VLANs; the trunk goes to physical interface em1, the HE has an IP address on
 VLAN 128, and there is an em1.128 interface for it.
 The virtual environment has a netif, created by
 ---
 vzctl set 12753 --save --netif_add eth0,,veth12753,,br.127
 ---
 I've set up bridge br.127 for this VLAN, with em1.127 added automatically by
 the ifcfg scripts, and
 ---
 EXTERNAL_SCRIPT=/usr/sbin/vznetaddbr
 ---
 in vznet.conf adds the veth to it. I'm using vzkernel
 2.6.32-042stab088.4

 --
   Regards,
   Sergey Ivanov.









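An added example, not Sergey's or the OpenVZ project's code: a small audit over vzctl-style container configs that flags the deprecated per-container IPTABLES parameter and a missing or invalid NETFILTER value, and otherwise prints the value so the admin can see that "stateless" will not serve conntrack-based rules such as the "-m state" ones quoted above. The config directory layout is assumed from the thread (/etc/vz/conf/<CTID>.conf); any sample config contents are constructed.

```shell
#!/bin/sh
# Added example, not Sergey's or the OpenVZ project's code: audit vzctl-style
# container configs (/etc/vz/conf/<CTID>.conf, shell KEY="value" syntax) for the
# deprecated per-container IPTABLES parameter and for a missing/invalid NETFILTER.

# Print the NETFILTER value of one config file (last assignment wins, quotes
# stripped), or nothing if the parameter is absent.
netfilter_value() {
    sed -n 's/^[[:space:]]*NETFILTER=["'\'']*\([a-z]*\)["'\'']*.*/\1/p' "$1" | tail -n 1
}

# Succeed when the file still carries an active (uncommented) IPTABLES= line.
has_deprecated_iptables() {
    grep -q '^[[:space:]]*IPTABLES=' "$1"
}

# Audit one config and print a single status word:
#   fix-iptables   deprecated IPTABLES= present; replace it with --netfilter
#   fix-netfilter  NETFILTER absent; set it explicitly, as the thread found
#   bad-value      NETFILTER is not disabled|stateless|stateful|full
#   <value>        otherwise the NETFILTER value itself; "stateless" denies
#                  conntrack, so "-m state" rules need stateful or full
audit_ct_conf() {
    if has_deprecated_iptables "$1"; then
        echo fix-iptables
        return 0
    fi
    _nf=$(netfilter_value "$1")
    case "$_nf" in
        "") echo fix-netfilter ;;
        disabled|stateless|stateful|full) echo "$_nf" ;;
        *) echo bad-value ;;
    esac
}

# Audit every numeric <CTID>.conf in a directory, one "CTID status" line each.
audit_dir() {
    for _f in "${1:-/etc/vz/conf}"/[0-9]*.conf; do
        [ -e "$_f" ] || continue
        _id=${_f##*/}
        _id=${_id%.conf}
        printf '%s %s\n' "$_id" "$(audit_ct_conf "$_f")"
    done
}

# Run over the live config directory with: sh audit_vz_netfilter.sh --audit [dir]
if [ "${1:-}" = "--audit" ]; then
    audit_dir "${2:-/etc/vz/conf}"
fi
```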


Re: [Users] CVE-2014-0196

2014-05-14 Thread Kir Kolyshkin

On 05/14/2014 01:16 AM, Benjamin Henrion wrote:

On Tue, May 13, 2014 at 5:56 PM, Kir Kolyshkin k...@openvz.org wrote:

We are receiving a lot of inquiries as to what the status of the OpenVZ
kernel is with respect to CVE-2014-0196. This email summarizes our
knowledge as of now.

1. RHEL5-based OpenVZ kernels (028stabXXX) are not affected.

2. RHEL6-based OpenVZ kernels (042stabXXX) released during last 12 months
are not affected.

3. Older 042stab kernels are affected. Therefore, if you run a kernel
released before May 2013 (see uname -v), please upgrade and reboot now.

4. Both the OpenVZ kernel team and Red Hat are still looking into the issue;
an updated kernel might be available.

Can you tell me if 061.2 is affected?



Most probably yes, as it was released in September 2012. Since that
time, there were tons of security fixes, not to mention bug fixes and
improvements.
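An added example, not from the thread or the OpenVZ project, that applies the rules in Kir's status mail (028stab not affected; 042stab affected only when built before May 2013, as read from uname -v) to a kernel's uname -r release and uname -v build banner. It assumes the usual RHEL6-style banner format; release strings other than 042stab088.4 quoted in this thread are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVZ project: apply the advisory's
# rules to a kernel's `uname -r` release and `uname -v` build banner.
# Assumes the usual RHEL6-style banner "#1 SMP Fri May  9 16:22:30 MSK 2014".

# Map an English month abbreviation to 1..12; prints nothing for other words.
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    esac
}

# Print the banner's build date as YYYYMM (e.g. 201405); return 1 if no
# month name or four-digit trailing year can be found.
build_yearmonth() {
    _mon=""; _year=""
    for _w in $1; do
        _m=$(month_number "$_w")
        [ -n "$_m" ] && [ -z "$_mon" ] && _mon=$_m
        _year=$_w                       # last word of the banner is the year
    done
    case "$_year" in
        [12][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ -n "$_mon" ] || return 1
    printf '%d%02d\n' "$_year" "$_mon"
}

# Classify a kernel per the advisory: 028stab never affected; 042stab affected
# only when built before May 2013; other branches are outside the advisory.
# Prints one of: not-affected, affected, unknown.
classify_kernel() {
    _rel=$1; _banner=$2
    case "$_rel" in
        *028stab*) echo not-affected; return 0 ;;
        *042stab*) ;;
        *) echo unknown; return 0 ;;
    esac
    _ym=$(build_yearmonth "$_banner") || { echo unknown; return 0; }
    if [ "$_ym" -lt 201305 ]; then echo affected; else echo not-affected; fi
}

# Check the running kernel when invoked as: sh check_vzkernel.sh --self
if [ "${1:-}" = "--self" ]; then
    classify_kernel "$(uname -r)" "$(uname -v)"
fi
```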