One of my VPS providers has a custom control panel for my VPS. It includes a button labeled "IPTABLES" with two options: Enable/Disable.
I am running Debian 6 on that VPS, and I enable iptables by creating a script in /etc/network/if-pre-up.d/iptables:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
The iptables rules are stored in /etc/iptables.up.rules, obviously.
Everything above works without issues, independent of whether the control panel IPTABLES button is Enabled or Disabled.
So, I am confused about the IPTABLES button - apparently it Enables or Disables iptables "modules" for OpenVZ. According to the VPS provider, I need them if I want to use CSF. They explained that the IPTABLES button enables the following modules:
I searched on the web, but cannot find any useful information from a VPS customer perspective. Here are my questions:
1. What do the OpenVZ iptables modules actually DO, from a VPS customer perspective? (Can you provide a descriptive link about the modules, or how they hook into my VPS, or files affected, or something like that?)
2. I have installed CSF on other VPSs (typically SolusVM) that do not have an IPTABLES (Enable/Disable) button. Do the providers leave the iptables modules enabled full time?
3. What harm is there if I leave the IPTABLES button enabled in this new VPS?
4. What happens if I am using CSF or another firewall that sits above iptables, and I set the IPTABLES button to "disabled"?
Some of the listed iptables modules are needed to run CSF. By default, OpenVZ containers are loaded with a limited set of iptables modules; that is what we have seen. The listed ones are the kernel modules required to support many iptables features / tables. With SolusVM, I believe their default OpenVZ container conf is loaded with all necessary iptables modules. Below is an example error, which shows what happens when the necessary iptables modules are not loaded into a test OpenVZ container.
Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, you appear to be missing a required iptables module, at line 614
Still, it is happy to run with the filter table and its chains (that is why your current iptables rules are working fine; the basic modules are available on the container).
There is no real harm if you enable them on your container. I believe your provider gives such an option in their panel to reduce their technical effort and improve customer satisfaction. But don't load them unless you need them (like to run CSF). Keeping the kernel modules limited will help you minimize the kernel's memory footprint.
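The answer above boils down to: a rules file only loads if every match extension (`-m limit`, `-m state`, ...) and every non-builtin target (`-j LOG`, `-j REJECT`, ...) it uses is backed by a kernel module the node has made available to the container. The following Python 3 script is an added example, not code from either poster. It parses a file in the iptables-restore format that the if-pre-up.d script loads from /etc/iptables.up.rules (or a full iptables command such as the one in the CSF error), lists the tables, matches and targets the rules depend on, and compares them with what the kernel exposes in /proc/net/ip_tables_names, /proc/net/ip_tables_matches and /proc/net/ip_tables_targets. Those three files are registered by the netfilter core in mainline Linux; that an OpenVZ node filters their contents per container according to the IPTABLES directive is an assumption here, and the sample rules and the "limited container" listing are constructed for the demonstration.

```python
"""Report which iptables extensions a rules file needs and which of them
the kernel does not expose to this container (added example, not part of
the original post; IPv4 iptables only)."""
import os
import shlex

# Targets built into the iptables core; they need no extension module.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}
# Protocol options that make iptables load the tcp/udp/icmp match implicitly.
PROTO_OPTIONS = {"--dport", "--destination-port", "--sport", "--source-port",
                 "--tcp-flags", "--syn", "--tcp-option", "--icmp-type"}
CHAIN_OPTIONS = {"-A", "--append", "-I", "--insert", "-N", "--new-chain"}

# Constructed sample in iptables-restore format, like /etc/iptables.up.rules.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROPIN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROPIN
-A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -j DROP
COMMIT
"""
# The command CSF tried to run in the error message above.
CSF_ERROR_COMMAND = ("/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m "
                     "--limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '")
# Constructed listing of what a container with only basic modules exposes.
LIMITED_CONTAINER = {"tables": {"filter"},
                     "matches": {"state", "tcp", "udp", "icmp"},
                     "targets": {"REJECT"}}


def parse_rules(text):
    """Return the tables, match extensions and extension targets used in text.
    Accepts iptables-restore lines and full 'iptables ...' command lines."""
    tables, chains, matches, targets = set(), set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # *filter
            tables.add(line[1:])
            continue
        if line.startswith(":"):                       # :INPUT DROP [0:0]
            chains.add(line[1:].split()[0])
            continue
        argv = shlex.split(line)
        if argv and os.path.basename(argv[0]).endswith("iptables"):
            argv = argv[1:]                            # drop "/sbin/iptables"
        proto = None
        for i, tok in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if tok in CHAIN_OPTIONS and nxt:
                chains.add(nxt)
            elif tok in ("-t", "--table") and nxt:
                tables.add(nxt)
            elif tok in ("-m", "--match") and nxt:
                matches.add(nxt)
            elif tok in ("-j", "--jump", "-g", "--goto") and nxt:
                targets.add(nxt)
            elif tok in ("-p", "--protocol") and nxt:
                proto = nxt
            elif tok in PROTO_OPTIONS and proto:
                matches.add(proto)                     # -p tcp --dport loads the tcp match
    if not tables:
        tables.add("filter")                           # iptables' default table
    targets -= BUILTIN_TARGETS | chains                # jumps to user chains are not extensions
    return {"tables": tables, "matches": matches, "targets": targets}


def read_available(proc_net="/proc/net"):
    """Read the tables/matches/targets the kernel currently exposes here.
    A missing file is reported as 'nothing available' rather than an error."""
    files = (("tables", "ip_tables_names"), ("matches", "ip_tables_matches"),
             ("targets", "ip_tables_targets"))
    out = {}
    for kind, fname in files:
        try:
            with open(os.path.join(proc_net, fname)) as fh:
                out[kind] = {ln.strip() for ln in fh if ln.strip()}
        except OSError:
            out[kind] = set()
    return out


def missing_extensions(needed, available):
    """Sorted names, per kind, that the rules need but the kernel does not offer."""
    return {kind: sorted(needed[kind] - available.get(kind, set()))
            for kind in ("tables", "matches", "targets")}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/iptables.up.rules"
    with open(path) as fh:
        gaps = missing_extensions(parse_rules(fh.read()), read_available())
    for kind, names in gaps.items():
        print("%s: %s" % (kind, "ok" if not names else "missing " + ", ".join(names)))
    sys.exit(1 if any(gaps.values()) else 0)
```

Run as `python3 check_rules.py /etc/iptables.up.rules` inside the container before and after toggling the panel button. On a normal host an absent entry in /proc/net/ip_tables_matches only means the module is not loaded yet and modprobe would fetch it on first use; inside an OpenVZ container no module loading is possible (the kernel is shared), so an absent entry there is exactly the "missing a required iptables module" condition CSF reports, and the sample rules show the limited container lacking `limit` and `LOG`.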
Let me try to repeat what I understand, to see if I am right:
OpenVZ containers still rely on a specialized kernel that is shared in some respects with the other containers on the node. That includes networking and the iptables firewall. Certain features of the iptables firewall are enabled or disabled at the node level for each container, through OpenVZ iptables modules. Is that right?
Can you suggest some links that describe the iptables modules in more detail?
It would be especially helpful if they describe the iptables modules from a VPS customer's point of view.
Sorry, I couldn't find any good article that explains the answer to your question; perhaps you can try your luck in Google. And yes, the iptables modules loaded into each container are managed from the node using the IPTABLES directive in the container conf. No kernel management (like loading a new module) can be controlled from a container, as the kernel is shared (that is why it is called OS-level virtualization). In my point of view, you don't have to bother about it much. As you said, you have it enabled on your SolusVM containers by default; here you have to do it manually. That is the only difference. Still, knowing more about your boxes is good, as you can administer them in a better way.