Using iptables Modules in Containers
Using iptables modules in Containers requires additional configuration on your part.
Configuring iptables Modules
To set the state of iptables modules for backup/restore or live migration, use the vzctl --netfilter command. If some of the iptables modules allowed for a Container are not loaded on the Hardware Node where that Container has been restored or migrated, they will be automatically loaded when that Container starts. For example, the command
# vzctl set 101 --netfilter stateful --save
will make sure that all modules except NAT-related will be allowed and loaded for Container 101 (if required) on a Hardware Node where it has been restored or migrated.
Notes:
1. The default setting is stateless, which allows all modules except conntrack and NAT-related ones. For more information, see the Virtuozzo 6 Command Line Reference Guide.
2. To run Docker inside a Virtuozzo Container, allow all iptables modules for that Container with the --netfilter full command. For details on configuring Docker in Virtuozzo, see Creating and Configuring Docker-enabled Containers.
Using conntrack Rules and NAT Tables
By default, the NAT table and conntrack rules are disabled and not allowed for use in Containers even if they are loaded on the server. To allow their use in Containers, run the vzctl set --netfilter full command. For example, for Container 101:
# vzctl set 101 --netfilter full --save
To limit the maximum number of conntrack slots available for each Container on the Hardware Node, set the net.netfilter.nf_conntrack_max variable. For example:
# sysctl -w net.netfilter.nf_conntrack_max=50000
The value of net.netfilter.nf_conntrack_max cannot exceed the value of net.nf_conntrack_max (see Using iptables Modules in Virtuozzo).
Note: Even if a Container is under a DDoS attack and all of its conntrack slots are in use, other Containers are not affected: each can still create as many connections as set in net.netfilter.nf_conntrack_max.
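The following POSIX shell helper is an added example, not part of the Virtuozzo guide or its tooling. It wraps the two settings above: it only accepts the --netfilter modes this page documents, and it clamps a requested per-Container conntrack limit to the node-wide net.nf_conntrack_max ceiling before applying it. It assumes vzctl and sysctl are on PATH and that DRY_RUN=1 should print commands instead of running them.

```shell
#!/bin/sh
# Added helper (not Virtuozzo's own code). Assumes vzctl and sysctl exist on PATH.

# Accept only the netfilter modes documented above for vzctl --netfilter.
valid_netfilter_mode() {
    case "$1" in
        stateless|stateful|full) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the vzctl command that sets and saves the netfilter mode for a Container.
# Returns 1 on an unknown mode so callers stop before touching the node.
netfilter_cmd() {
    ctid=$1; mode=$2
    valid_netfilter_mode "$mode" || return 1
    printf 'vzctl set %s --netfilter %s --save\n' "$ctid" "$mode"
}

# Clamp a requested per-Container conntrack limit to the node-wide ceiling:
# net.netfilter.nf_conntrack_max may not exceed net.nf_conntrack_max.
clamp_conntrack_max() {
    requested=$1; node_max=$2
    if [ "$requested" -gt "$node_max" ]; then
        echo "$node_max"
    else
        echo "$requested"
    fi
}

# Execute a command, or just echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Usage: sh this_script.sh <ctid> <stateless|stateful|full> <conntrack-limit>
main() {
    ctid=$1; mode=$2; limit=$3
    cmd=$(netfilter_cmd "$ctid" "$mode") || { echo "unknown netfilter mode: $mode" >&2; return 1; }
    run $cmd   # unquoted on purpose: split the printed line back into words
    node_max=$(sysctl -n net.nf_conntrack_max)
    run sysctl -w "net.netfilter.nf_conntrack_max=$(clamp_conntrack_max "$limit" "$node_max")"
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run with DRY_RUN=1 first to see the exact vzctl and sysctl invocations before they are applied on the Hardware Node.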