
Thread: OpenVZ

  1. #1
    OpenVZ

    Hi, can anybody help??

    1. When following the guide to install shorewall on openVZ I
    receive the following errors when starting shorewall nl:
    wiki.vpslink.com/index.php?title=HOWTO:_Debian_Etch:_Install_Shorewall_firewall

    FATAL: Could not load /lib/modules/2.6.18-spry2ovz028stab053.5-smp/modules.dep: No such file or directory
    ip6tables v1.3.6: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
    2. I can not use the find option nl:

    #find / -name blah
    find: WARNING: Hard link count is wrong for /proc/sys/net: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
    3. I can not use mysql-admin nl:
    #mysql-admin -u root
    (mysql-admin:22286): Gtk-WARNING **: cannot open display:
    This is a clean installation of debian 4, is there any way of fixing these problems?

    Thanks!

  2. #2

    OpenVZ has very very limited iptables support and no kernel module loading which is why you're running into problems with getting shorewall installed. The best you can do is some basic port filtering with hand written rules.

  3. #3

    This issue was reported by jon@breakdesign.com in the iptables installation problem thread:

    Quote Originally Posted by jon@breakdesign.com
    funnily enough.....the only thing that needed doing was

    setting :

    DISABLE_IPV6=No

    in /etc/shorewall/shorewall.conf

    this is because in a perversely twisted form of logic the configuration file requires you to have IPV6 support to be able to disable it. If you don't have it then it will error as it will try to disable using ip6tables which we don't have the module for ...so setting it to no fixes any errors

    I have updated our Debian / Ubuntu Shorewall Installation Guide to include this information.

  4. #4

    Quote Originally Posted by exsecror
    OpenVZ has very very limited iptables support and no kernel module loading which is why you're running into problems with getting shorewall installed. The best you can do is some basic port filtering with hand written rules.
    Just try another firewall - e.g. APF http://rfxnetworks.com/apf.php works fine with OpenVZ, unless you have several thousand rules active. I gave up on shorewall.

  5. #5

    Quote Originally Posted by bfp
    Just try another firewall - e.g. APF Projects | R-fx Networks works fine with OpenVZ, unless you have several thousand rules active. I gave up on shorewall.
    Hi bfp,

    OpenVZ
    guest (VE) - Ubuntu 8.04-i386-minimal

    I tried without success to install Shorewall on the captioned VE.

    The following link:
    HOWTO: Debian Etch: Install Shorewall firewall - VPSLink Wiki

    didn't help me.


    I'm prepared to install APF to replace Shorewall. Please advise me on the following points:

    1)
    Advanced Policy Firewall;
    Advanced Policy Firewall | R-fx Networks

    Is it the same as these packages in the Ubuntu repo?

    # apt-cache search apf | grep apf
    Code:
    apf-client  Client for Active Port Forwarding
    apf-server  Server for Active Port Forwarding
    dphys-swapfile  Autogenerate and use a swap file
    imapfilter  filter mail in your IMAP account
    snmptrapfmt  A configurable snmp trap handler daemon for snmpd
    ???

    If YES, please advise which of them I should install.


    2)
    If NO, then I'll download "http://www.rfxn.com/downloads/apf-current.tar.gz" on the website.

    3)
    Where can I find the relevant documentation on installation and configuration? Is it "http://www.rfxn.com/appdocs/README.apf"?

    Thanks in advance.

    B.R.
    satimis

  6. #6

    I was not able to get apf working on OpenVZ, due to the lack of certain iptables functionality I believe. If you do get it working somehow, do let us know.

    APF firewall is the #2 item you have listed, apf-client/server is something else.
    Note: my views are my own and do not reflect those of VPSLink

  7. #7
    Some modules NOT compiled with OpenVZ kernel

    Hi folks,

    According to
    http://www.rfxn.com/appdocs/README.apf

    the following modules must be compiled with the kernel for module support:
    Code:
    ip_tables
    iptable_filter
    iptable_mangle
    ip_conntrack
    ip_conntrack_irc
    ip_conntrack_ftp
    ipt_state 
    ipt_multiport
    ipt_limit
    ipt_recent
    ipt_LOG
    ipt_REJECT
    ipt_ecn
    ipt_length
    ipt_mac
    ipt_multiport
    ipt_owner
    ipt_state
    ipt_ttl
    ipt_TOS
    ipt_TCPMSS
    ipt_ULOG

    However, on the host, running the following command to check:

    # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
    Code:
    arptable_filter.ko  ipt_ECN.ko	       ipt_TTL.ko
    arp_tables.ko	    ipt_iprange.ko     ipt_ULOG.ko
    arpt_mangle.ko	    ipt_LOG.ko	       nf_conntrack_ipv4.ko
    ip_queue.ko	    ipt_MASQUERADE.ko  nf_nat_amanda.ko
    iptable_filter.ko   ipt_NETMAP.ko      nf_nat_ftp.ko
    iptable_mangle.ko   ipt_owner.ko       nf_nat_h323.ko
    iptable_nat.ko	    ipt_recent.ko      nf_nat_irc.ko
    iptable_raw.ko	    ipt_REDIRECT.ko    nf_nat.ko
    ip_tables.ko	    ipt_REJECT.ko      nf_nat_pptp.ko
    ipt_addrtype.ko     ipt_SAME.ko        nf_nat_proto_gre.ko
    ipt_ah.ko	    ipt_tos.ko	       nf_nat_sip.ko
    ipt_CLUSTERIP.ko    ipt_TOS.ko	       nf_nat_snmp_basic.ko
    ipt_ecn.ko	    ipt_ttl.ko	       nf_nat_tftp.ko
    It was found that some of the required modules have NOT been compiled with the OpenVZ kernel. I fail to see how I can make APF work. I may be wrong. Please advise. TIA


    B.R.
    satimis

  8. #8

    I checked the modules listed against our OpenVZ Installed Kernel Modules list - it appears as though the following modules (or equivalents) are not included by default for OpenVZ at VPSLink:

    • ipt_recent
    • ipt_ecn
    • ipt_owner
    • ipt_ULOG


    Modules compiled into the kernel at the hardware node level are not visible within your VPS - APF should work as described in the APF Firewall (IPTables) Setup/Installation document on the VPSLink Wiki so long as SET_MONOKERN="1" is set in your APF configuration.
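
The check done by eye in posts #7 and #8, as an added example that is not part of the thread or of VPSLink's or APF's own tooling: instead of looking for .ko files, it reads the table, match and target names the running kernel registers under /proc/net, which also covers features built into the kernel. It assumes the container exposes /proc/net/ip_tables_names, ip_tables_matches and ip_tables_targets; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Maps the ipt_*/iptable_* names APF asks
# for to the table, match and target names the running kernel lists under
# /proc/net, so built-in features count even though no .ko file is visible.

# Names from the README.apf list quoted in post #7, deduplicated. ip_tables and
# the ip_conntrack* entries are left out: they have no entry in these files.
REQUIRED="iptable_filter iptable_mangle ipt_state ipt_multiport ipt_limit
ipt_recent ipt_LOG ipt_REJECT ipt_ecn ipt_length ipt_mac ipt_owner ipt_ttl
ipt_TOS ipt_TCPMSS ipt_ULOG"

# missing_features [DIR]: print every required name whose feature is not listed
# in DIR/ip_tables_names, DIR/ip_tables_matches or DIR/ip_tables_targets.
# Lower-case ipt_x is a match, upper-case ipt_X is a target, iptable_x a table.
missing_features() {
    dir=${1:-/proc/net}
    for mod in $REQUIRED; do
        case $mod in
            iptable_*)        name=${mod#iptable_}; file=ip_tables_names ;;
            ipt_[[:upper:]]*) name=${mod#ipt_};     file=ip_tables_targets ;;
            ipt_*)            name=${mod#ipt_};     file=ip_tables_matches ;;
        esac
        grep -qxF "$name" "$dir/$file" 2>/dev/null || echo "$mod"
    done
}

# make_sample DIR: write constructed sample files (not captured from a real VPS).
make_sample() {
    printf '%s\n' filter mangle > "$1/ip_tables_names"
    printf '%s\n' icmp tcp udp state multiport limit length mac ttl > "$1/ip_tables_matches"
    printf '%s\n' LOG REJECT TOS TCPMSS > "$1/ip_tables_targets"
}

# demo: run the check against the constructed sample.
demo() {
    d=$(mktemp -d) && make_sample "$d" && missing_features "$d"
    rm -rf "$d"
}
demo
```

On a real VPS, call `missing_features` with no argument (typically as root) to read /proc/net directly; an unreadable or absent file makes every name that maps to it show up as missing.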
