container iptables issue

seneca214
Dec 3, 2012
We have a Proxmox 2.3 server running CentOS 5.9 containers. We have the following modules loaded for all containers in our vz.conf file:

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner"

Modules listed from within container are:

# cat /proc/net/ip_tables_matches
connlimit
string
owner
mac
helper
conntrack
conntrack
conntrack
limit
recent
owner
state
length
ttl
tcpmss
tos
tos
dscp
multiport
multiport
icmp
udplite
udp
tcp

We're having issues specifically with this iptables rule (from /etc/sysconfig/iptables):

-A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

Upon starting the iptables service we get this error:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 16 failed
[FAILED]

Upon running the specific rule from the command-line:

# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
iptables: Unknown error 18446744073709551615

I believe I have all of the necessary iptables modules loaded (specifically the string module). Any ideas on what we're missing here? The iptables script and command above work fine on non-VZ containers.

Thanks
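To make concrete what the failing rule is supposed to match (this is an added example, not code from the post or from the Proxmox/OpenVZ projects): the `--hex-string` pattern `|03697363036f726700|` is the DNS wire-format encoding of the name isc.org (length-prefixed labels terminated by a zero byte), and `--algo bm` only selects the Boyer-Moore search algorithm, which affects speed rather than the result. The Python below, with helper names and sample queries chosen here, decodes the iptables hex-string syntax, builds a few constructed DNS query payloads and emulates the yes/no decision `-m string --to 65535` makes on them. Two practical caveats the rule text alone does not show: the pattern is matched as a substring, so queries for www.isc.org match as well, and `-p udp` without a port restriction applies the match to every UDP packet, not just port 53.

```python
import struct

# Constructed example, not part of the original post: decode the rule's
# --hex-string pattern and check it against sample DNS query payloads.

ISC_RULE_PATTERN = "|03697363036f726700|"   # the pattern used in the rule in the post


def parse_hex_string(pattern: str) -> bytes:
    """Decode iptables '-m string --hex-string' syntax.

    Text outside |...| is taken literally; text inside is hex digits
    (whitespace between bytes is permitted, e.g. "|03 69 73|").
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment
    return bytes(out)


def encode_dns_name(name: str) -> bytes:
    """Encode 'isc.org' as DNS wire-format labels: \\x03isc\\x03org\\x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label length")
        out.append(len(raw))
        out += raw
    out.append(0)   # root label terminates the name
    return bytes(out)


def decode_dns_name(wire: bytes) -> str:
    """Inverse of encode_dns_name (compression pointers are not handled)."""
    labels, i = [], 0
    while True:
        length = wire[i]
        i += 1
        if length == 0:
            return ".".join(labels)
        labels.append(wire[i:i + length].decode("ascii"))
        i += length


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal DNS query payload: 12-byte header + QNAME + QTYPE + QCLASS(IN).

    qtype 255 is ANY, the type typically seen in amplification queries.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)


def string_match(data: bytes, pattern: bytes, from_off: int = 0, to_off: int = 65535) -> bool:
    """Emulate the decision '-m string --from F --to T' makes.

    xt_string reports a match when the pattern occurs inside the byte window
    starting at F and ending at T. In the kernel the offsets count from the
    start of the packet, so a real packet carries IP and UDP headers before
    the DNS payload; this emulation searches whatever bytes the caller hands
    it. Boyer-Moore (--algo bm) only changes search speed, so a plain
    substring test gives the same answer.
    """
    if from_off < 0 or to_off < from_off:
        raise ValueError("invalid offset window")
    return pattern in data[from_off:to_off]


if __name__ == "__main__":
    pat = parse_hex_string(ISC_RULE_PATTERN)
    print("pattern decodes to QNAME:", decode_dns_name(pat))
    for q in ("isc.org", "www.isc.org", "isc.org.uk", "example.com"):
        verdict = "DROP" if string_match(build_dns_query(q), pat) else "pass"
        print(f"{q:12s} -> {verdict}")
```

Running it shows isc.org and www.isc.org both hit the rule while isc.org.uk and example.com do not, because the trailing zero byte in the pattern pins the match to a name ending in isc.org. Restricting the rule with `--dport 53` would be the usual way to keep it from inspecting unrelated UDP traffic.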