  1. #1

    Understanding OpenVZ iptables Modules

    One of my VPS providers has a custom control panel for my VPS. It includes a button labeled "IPTABLES" with two options: Enable/Disable.

    I am running Debian 6 on that VPS, and I enable iptables by creating a script in /etc/network/if-pre-up.d/iptables:
    #!/bin/bash
    # Restore the saved ruleset before the interface is brought up
    /sbin/iptables-restore < /etc/iptables.up.rules

    The iptables rules are stored in /etc/iptables.up.rules, obviously.

    Everything above works without issues, independent of whether the control panel IPTABLES button is Enabled or Disabled.

    So, I am confused about the IPTABLES button - apparently it Enables or Disables iptables "modules" for OpenVZ. According to the VPS provider, I need them if I want to use CSF. They explained that the IPTABLES button enables the following modules:

    IPTABLES="ipt_REJECT ipt_recent ipt_owner ipt_REDIRECT ipt_tos ipt_TOS ipt_LOG ip_conntrack
    ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

    I searched on the web, but cannot find any useful information from a VPS customer perspective. Here are my questions:

    1. What do the OpenVZ iptables modules actually DO, from a VPS customer perspective? (Can you provide a descriptive link about the modules, or how they hook into my VPS, or files affected, or something like that?)

    2. I have installed CSF on other VPSs (typically SolusVM) that do not have an IPTABLES (Enable/Disable) button. Do the providers leave the iptables modules enabled full time?

    3. What harm is there if I leave the IPTABLES button enabled in this new VPS?

    4. What happens if I am using CSF or another firewall that sits above iptables, and I set the IPTABLES button to "disabled"?

    Thanks for any clarification you can provide!

  2. #2
    Some of the listed iptables modules are needed to run CSF. By default, OpenVZ containers are loaded with limited iptables modules, as we have seen. The listed ones are the kernel modules required to support many iptables features / tables. With SolusVM, I believe their default OpenVZ container conf is loaded with all necessary iptables modules. Below is an example error, which shows what happens when the necessary iptables modules are not loaded into a test OpenVZ container.

    Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, you appear to be missing a required iptables module, at line 614
    Still, it is happy to run with the filter table and its chains (that is why your current iptables rules are working fine; the basic modules are available on the container).

    There is no real harm if you enable them on your container. I believe your provider gives such an option in their panel to reduce their technical efforts and for customer satisfaction. But don't load them unless you need them (like to run CSF). Keeping a limited set of kernel modules will help you minimize the memory footprint of the kernel.
    Last edited by nixtree; 10-15-2013 at 04:07 PM.

  3. #3
    Thanks for the helpful input.

    Let me try to repeat what I understand, to see if I am right:

    OpenVZ containers still rely on a specialized kernel that is shared in some respects with the other containers on the node. That includes networking and the iptables firewall. Certain features of the iptables firewall are enabled or disabled at the node level for each container, through OpenVZ iptables modules. Is that right?

    Can you suggest some links that describe the iptables modules in more detail?

    It would be especially helpful if they describe the iptables modules from a VPS customer's point of view.

  4. #4
    Sorry, I couldn't find any good article that explains the answer to your question; perhaps you can try your luck on Google. And yes, the iptables modules loaded into each container are managed from the node using the IPTABLES directive in the container conf. No kernel management (like new module loading) can be controlled from a container, as the kernel is shared (so it is called OS-level virtualization). In my point of view, you don't have to bother about it much. As you said, you have it enabled on your SolusVM containers by default; here you have to do it manually. That is the only difference. Still, knowing more about your boxes is good, as you can administer them in a better way.
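As an added example (not code from this thread, from CSF or from OpenVZ), the following script lets a container admin check from inside the VPS which of the modules in the provider's IPTABLES list actually work, by appending one throw-away rule per module to a scratch chain and reporting which ones the node rejects, the same failure CSF reports in the "missing a required iptables module" error above. The module-to-rule mapping and the chain name OVZ_PROBE are assumptions made for this example; it needs root and the iptables binary, and the probes are skipped otherwise.

```shell
#!/bin/sh
# Added example: probe which iptables matches/targets the node has enabled
# for this OpenVZ container. Run as root inside the container.

# Module list as given by the provider in the thread.
IPTABLES_LIST="ipt_REJECT ipt_recent ipt_owner ipt_REDIRECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
CHAIN=OVZ_PROBE   # scratch chain name (assumed, created and removed by this script)

# Map a kernel module name to "<table> <rule fragment>" that exercises it.
# Assumed mapping; modules with no userspace-visible rule (ip_nat_ftp) are skipped.
probe_rule_for() {
    case "$1" in
        iptable_filter) echo "filter -j ACCEPT" ;;
        iptable_mangle) echo "mangle -j ACCEPT" ;;
        iptable_nat)    echo "nat -j ACCEPT" ;;
        ipt_REJECT)     echo "filter -p tcp -j REJECT --reject-with tcp-reset" ;;
        ipt_LOG)        echo "filter -j LOG --log-prefix PROBE" ;;
        ipt_limit)      echo "filter -m limit --limit 30/m --limit-burst 5" ;;
        ipt_state|ip_conntrack) echo "filter -m state --state NEW" ;;
        ipt_multiport)  echo "filter -p tcp -m multiport --dports 80,443" ;;
        ipt_recent)     echo "filter -m recent --set" ;;
        ipt_length)     echo "filter -m length --length 0:100" ;;
        ipt_ttl)        echo "filter -m ttl --ttl-eq 64" ;;
        ipt_tos)        echo "filter -m tos --tos 0x10" ;;
        ipt_owner)      echo "filter -m owner --uid-owner 0" ;;
        ipt_tcpmss)     echo "filter -p tcp -m tcpmss --mss 1000:1500" ;;
        ipt_TCPMSS)     echo "mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" ;;
        ipt_TOS)        echo "mangle -j TOS --set-tos 0x10" ;;
        ipt_REDIRECT)   echo "nat -p tcp -j REDIRECT --to-ports 8080" ;;
        *)              return 1 ;;
    esac
}

# Number of modules in a list that have a probe rule (used for the summary).
count_probeable() {
    n=0
    for m in $1; do probe_rule_for "$m" >/dev/null && n=$((n+1)); done
    echo "$n"
}

run_probes() {
    for t in filter mangle nat; do iptables -t "$t" -N "$CHAIN" 2>/dev/null || true; done
    for m in $IPTABLES_LIST; do
        spec=$(probe_rule_for "$m") || { echo "SKIP    $m (no userspace probe)"; continue; }
        table=${spec%% *}; rule=${spec#* }      # $rule is word-split on purpose
        if iptables -t "$table" -A "$CHAIN" $rule 2>/dev/null; then echo "OK      $m"
        else echo "MISSING $m  (rule: -t $table $rule)"; fi
        iptables -t "$table" -F "$CHAIN" 2>/dev/null || true
    done
    for t in filter mangle nat; do iptables -t "$t" -X "$CHAIN" 2>/dev/null || true; done
    echo "probed $(count_probeable "$IPTABLES_LIST") of $(echo $IPTABLES_LIST | wc -w) modules"
}

if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then run_probes; fi
```

A MISSING line for ipt_limit or ipt_LOG reproduces exactly the condition behind the CSF LOGDROPIN error quoted above, so this is worth running before installing CSF rather than after.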
