Using iptables Modules in Virtuozzo

Filtering network packets on Hardware Nodes running Virtuozzo does not differ from doing so on a standalone Linux server. You can use the standard iptables tool to control how network packets enter, move through, and exit the network stack within the Virtuozzo kernel.

For your reference, below are several resources you can consult to get detailed information on using iptables on Linux servers:

Red Hat Enterprise Linux 6 Security Guide (http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html) contains a section focusing on packet filtering basics and explaining various options available for iptables.
iptables Tutorial 1.2.2 (http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html) explains in great detail how iptables is structured and how it works.

Defining the Basic Set of iptables Modules for Virtuozzo

All iptables modules you plan to use must first be loaded on the Hardware Node. To do this:

Specify the desired modules in the IPTABLES_MODULES parameter in the /etc/sysconfig/iptables-config file. For example:
IPTABLES_MODULES="ipt_REJECT iptable_filter iptable_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS xt_multiport xt_limit xt_dscp"
Restart the iptables service for the changes to the /etc/sysconfig/iptables-config file to come into effect:
# service iptables restart

Using conntrack Rules on Virtuozzo Hardware Nodes

By default, conntrack rules are disabled on the Hardware Node to save resources and increase performance when connection tracking is not needed. To enable connection tracking in Virtuozzo, do the following:

Make sure that the following modules are added to the IPTABLES_MODULES variable in the /etc/sysconfig/iptables-config configuration file:

ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ip_conntrack_netbios_ns
ip_nat_ftp
ip_nat_irc
ipt_comment
ipt_conntrack
ipt_helper

ipt_length
ipt_limit
ipt_LOG
ipt_multiport
ipt_REDIRECT
ipt_REJECT
ipt_state
ipt_tcp
ipt_TCPMSS

ipt_tcpmss
ipt_tos
ipt_TOS
ipt_ttl
iptable_filter
iptable_mangle
iptable_nat

To load the modules on Virtuozzo, add them to the IPTABLES_MODULES variable in the /etc/sysconfig/iptables-config configuration file and restart the iptables service.

Set the ip_conntrack_disable_ve0 parameter to 0 in the /etc/modprobe.d/parallels.conf file.
Restart the iptables service to apply changes:
# service iptables restart
If required, you can check that the conntrack module is enabled with these commands:
# cat /proc/net/ip_tables_names

nat

# iptables –t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Limiting the Maximum conntrack Slots for Virtuozzo

To limit the maximum number of conntrack slots allowed on the Hardware Node, set the net.nf_conntrack_max variable. For example:

# sysctl -w net.nf_conntrack_max=500000

The value of net.nf_conntrack_max also restricts the value of net.netfilter.nf_conntrack_max which limits the maximum conntrack slots for each Container on the Hardware Node.

Top of page