OpenVZ and firehol kernel issues

J

josecarlos

Guest
Hello proxmox community:
Im having troubles with my openvz VM's i have tried the 32 and 64 bits templates of debian lenny and squeeze and is all the same in each one of them.

Here is the deal, when i install the firehol firewall builder and start it gives me this bunch of errors:

#firehol start

WARNING
File '/etc/firehol/RESERVED_IPS' is more than 90 days old.
You should update it to ensure proper operation of your firewall.

Run the supplied get-iana.sh script to generate this file.


IMPORTANT WARNING:
------------------
FireHOL cannot find your current kernel configuration.
Please, either compile your kernel with /proc/config,
or make sure there is a valid kernel config in:
/usr/src/linux/.config

Because of this, FireHOL will simply attempt to load
all kernel modules for the services used, without
being able to detect failures.

FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (41 rules):

--------------------------------------------------------------------------------
WARNING : This might or might not affect the operation of your firewall.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/modprobe ip_conntrack -q
OUTPUT :

FATAL: Could not load /lib/modules/2.6.32-4-pve/modules.dep: No such file or directory



--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_all_c1 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 3.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_irc_c2 -p tcp --sport 32768:61000 --dport 6667 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 4.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_irc_c2 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 5.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 6.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 7.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 8.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 9.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 10.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 11.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world -m state --state RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world -m state --state RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 13.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'\'IN-world\':\'
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 14.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'\'OUT-world\':\'
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 15.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 16.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 17.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 18.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'IN-unknown:\'
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR : # 19.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'OUT-unknown:\'
OUTPUT :

iptables: No chain/target/match by that name.

--------------------------------------------------------------------------------
ERROR : # 20.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'PASS-unknown:\'
OUTPUT :

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
WARNING : This might or might not affect the operation of your firewall.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/modprobe ip_conntrack_irc -q
OUTPUT :

FATAL: Could not load /lib/modules/2.6.32-4-pve/modules.dep: No such file or directory

FAILED


FireHOL: Restoring old firewall: OK

Can any of you give me a tip on this
Thanks in advance and sorry about my english
 
in my case is not an option the pc im actually running proxmox dosn't support KVM because of the cpu lack of support for virtualization. So there is no other oprion than that.

Im thinking in putting the firewall in the proxmox host
 
Solved adding this to /etc/vz/vz.conf

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"
 
jose carlos please explain what you did I'm completely in the same situation

josecarlos said:
Solved adding this to /etc/vz/vz.conf

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"
Click to expand...
 
Is self explained put this IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"

in /etc/vz/vz.conf
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back