We have a Proxmox 2.3 server running CentOS 5.9 containers. We have the following modules loaded for all containers in our vz.conf file:
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"
Modules listed from within container are:
# cat /proc/net/ip_tables_matches
connlimit
string
owner
mac
helper
conntrack
conntrack
conntrack
limit
recent
owner
state
length
ttl
tcpmss
tos
tos
dscp
multiport
multiport
icmp
udplite
udp
tcp
We're having issues specifically with this iptables rule (from /etc/sysconfig/iptables):
-A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
Upon starting the iptables service we get this error:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 16 failed
[FAILED]
Upon running the specific rule from the command-line:
# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
iptables: Unknown error 18446744073709551615
I believe I have all of the necessary iptables modules loaded (specifically the string module). Any ideas on what we're missing here? The iptables script and command above work fine on non-VZ containers.
Thanks
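For anyone auditing a rule like the one above, the hex-string is the DNS wire-format encoding of a query name (a length byte before each label, a zero byte at the end), and the string match simply looks for those bytes anywhere in the first 65535 bytes of the packet. The following is an added example, not code from the original post, that decodes and encodes that pattern, renders the rule in the same form as the /etc/sysconfig/iptables line, and approximates the match against a constructed DNS query so you can see what it does and does not catch (a subdomain query does not contain the terminating zero byte, so it is not matched):

```python
"""Decode/encode the DNS wire-format name behind an iptables -m string rule."""
import struct


def dns_name_to_wire(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def wire_to_dns_name(data: bytes) -> str:
    """Decode length-prefixed labels back to dotted form (no compression pointers)."""
    labels, pos = [], 0
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def hex_string_to_dns_name(hex_string: str) -> str:
    """Parse an iptables --hex-string literal such as "|03697363036f726700|"."""
    return wire_to_dns_name(bytes.fromhex(hex_string.strip("|")))


def dns_name_to_hex_string(name: str) -> str:
    """Render a name in the "|..|" hex form that --hex-string expects."""
    return "|" + dns_name_to_wire(name).hex() + "|"


def string_match_rule(name: str, chain: str = "INPUT") -> str:
    """Render the DROP rule in the same form as the /etc/sysconfig/iptables line."""
    return (f"-A {chain} -p udp -m string --hex-string "
            f'"{dns_name_to_hex_string(name)}" --algo bm --to 65535 -j DROP')


def payload_would_match(payload: bytes, name: str, to: int = 65535) -> bool:
    """Approximate -m string: the pattern anywhere within the first `to` bytes."""
    return dns_name_to_wire(name) in payload[:to]


def sample_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_name_to_wire(qname) + struct.pack("!HH", 1, 1)
```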