Hello Sergey,
HOST: /etc/vz/vz.conf, could your IPTABLES definition be wrong?

IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

Quoting Sergey Ivanov <se...@cs.umd.edu>:
Hi,
I need help with openvz setup. Here is the problem. In VE I have:
---
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG --log-prefix "ipt.forward: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
---
and when I try to ssh to VE, I am failing and in dmesg I see lines about it like these (I've modified MAC):
---
[ 9343.653892] ipt.input: IN=eth0 OUT= MAC=00:de:ad:be:af:da:de:ad:be:af:de:ad:be:af SRC=10.0.128.117 DST=10.0.127.53 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1295 DF PROTO=TCP SPT=48744 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
---
Immediately after "service iptables stop" I have working ssh service and can login into VE remotely. I want to do this with iptables.

I use RHEL6 as a HE and tried Fedora-20 downloaded from http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz.

I use VLANs, trunk is going to physical interface em1, HE has ip address on vlan 128, there is an em1.128 interface for it. Virtual environment has netif, created by
---
vzctl set 12753 --save --netiff-add eth0,,veth12753,,br.127
---
I've set up bridge br.127 for this vlan, with em1.127 automatically added by ifcfg scripts, and
---
EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
---
in vznet.conf is adding veth to it.

I'm using vzkernel 2.6.32-042stab088.4
--
Regards,
Sergey Ivanov.
--
See you soon
===========================================================
Jean-Marc Pigeon                        E-Mail: j...@safe.ca
SAFE Inc.                               Phone: (514) 493-4280
  Clement, 'a kiss solution' to get rid of SPAM (at last)
     Clement' Home base <"http://www.clement.safe.ca">
===========================================================
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
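
The reply above points at the host's IPTABLES list in /etc/vz/vz.conf. The following is an added example, not part of the thread, that compares the modules a VE rule set relies on with that list. The rule-token to module mapping (restricted to module names in the reply's list) and the short host config are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: compare the modules a VE rule set relies on with the host's
# IPTABLES= list in /etc/vz/vz.conf.

# Assumed rule-token -> module mapping, limited to names in the reply's list.
module_for() {
    case "$1" in
        "-m state")     echo ipt_state ;;
        "-m conntrack") echo ipt_conntrack ;;
        "-m limit")     echo ipt_limit ;;
        "-m multiport") echo ipt_multiport ;;
        "-j LOG")       echo ipt_LOG ;;
        "-j REJECT")    echo ipt_REJECT ;;
    esac
}

# Print the module list from the last IPTABLES="..." line of a vz.conf text.
configured_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*IPTABLES="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1
}

# Print modules the rules need that the config omits.
# $1 = vz.conf text, $2 = `iptables -S` output
missing_modules() {
    have=" $(configured_modules "$1") "
    needed=$(printf '%s\n' "$2" | grep -oE -e '-[mj] [A-Za-z]+' | sort -u)
    while IFS= read -r tok; do
        mod=$(module_for "$tok")
        [ -n "$mod" ] || continue
        case "$have" in *" $mod "*) ;; *) echo "$mod" ;; esac
    done <<EOF
$needed
EOF
}

# Rules from the quoted message (abridged).
RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Constructed host config without ipt_state/ipt_LOG, beside the reply's list.
CONF_SHORT='IPTABLES="ipt_REJECT ipt_tos ipt_limit iptable_filter iptable_mangle"'
CONF_REPLY='IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"'

echo "short list is missing: $(missing_modules "$CONF_SHORT" "$RULES" | tr '\n' ' ')"
echo "reply list is missing: $(missing_modules "$CONF_REPLY" "$RULES" | tr '\n' ' ')"
```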