OpenVZ

[diegoose]

Hi, can anybody help??

1. When following the guide to install shorewall on openVZ I
receive the following errors when starting shorewall nl:
wiki.vpslink.com/index.php?title=HOWTO:_Debian_Etch:_Install_Shorew all_firewall

Quote:

FATAL: Could not load /lib/modules/2.6.18-spry2ovz028stab053.5-smp/modules.dep: No such file or directory
ip6tables v1.3.6: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)

2. I can not use the find option nl:

Quote:

#find / -name blah
find: WARNING: Hard link count is wrong for /proc/sys/net: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.

3. I can not use mysql-admin nl:

Quote:

#mysql-admin -u root
(mysql-admin:22286): Gtk-WARNING **: cannot open display:

This is a clean installation of debian 4, is there any way of fixing these problems?

Thanks!

[exsecror]

OpenVZ has very very limited iptables support and no kernel module loading which is why you're running into problems with getting shorewall installed. The best you can do is some basic port filtering with hand written rules.

[DanL@VPSLink]

This issue was reported by jon@breakdesign.com in the iptables installation problem thread:

Quote:

Originally Posted by jon@breakdesign.com

funnily enough.....the only thing that needed doing was

setting :

DISABLE_IPV6=No

in /etc/shorewall/shorewall.conf

this is because in a perversely twisted form of logic the configuration file requires you to have IPV6 support to be able
to disable it. If you don't have it then it will error as it will
try to disable using ip6tables which we don't have the module for
...so setting it to no fixes any errors

I have updated our Debian / Ubuntu Shorewall Installation Guide to include this information.

[bfp]

Quote:

Originally Posted by exsecror

OpenVZ has very very limited iptables support and no kernel module loading which is why you're running into problems with getting shorewall installed. The best you can do is some basic port filtering with hand written rules.

Just try another firewall - eg APF http://rfxnetworks.com/apf.php works fine with OpenVZ, unless you have several thousand rules active . I gave up on shorewall.

[satimis]

Quote:

Originally Posted by bfp

Just try another firewall - eg APF Projects | R-fx Networks works fine with OpenVZ, unless you have several thousand rules active . I gave up on shorewall.

Hi bfp,

OpenVZ
guest (VE) - Ubuntu 8.04-i386-minimal

I tried without success installing Shorewall on the captioned VE.

Following link;
HOWTO: Debian Etch: Install Shorewall firewall - VPSLink Wiki

didn't help me.


I'm prepared installing APF to replace Shorewall. Please advise me following points;

1)
Advanced Policy Firewall;
Advanced Policy Firewall | R-fx Networks

Whether it is same as those packages on Ubuntu Repo;

# apt-cache search apf | grep apf

Code:

apf-client – Client for Active Port Forwarding
apf-server – Server for Active Port Forwarding
dphys-swapfile – Autogenerate and use a swap file
imapfilter – filter mail in your IMAP account
snmptrapfmt – A configurable snmp trap handler daemon for snmpd

???

If YES, please advise which of them shall I install?


2)
If NO, then I'll download "http://www.rfxn.com/downloads/apf-current.tar.gz" on the website.

3)
Where can I find relevant document re installation and configuration? Is it "http://www.rfxn.com/appdocs/README.apf"

Thanks in advance.

B.R.
satimis

[The Universes]

I was not able to get apf working on OpenVZ, due to the lack of certain iptables functionality I believe. If you do get it working somehow, do let us know.

APF firewall is the #2 item you have listed, apf-client/server is something else.

[satimis]

Hi folks,

According to;
http://www.rfxn.com/appdocs/README.apf

following modules must be compiled with the kernel for module support;

Code:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state 
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_multiport
ipt_owner
ipt_state
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

However on the host running following command to check;

# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/

Code:

arptable_filter.ko  ipt_ECN.ko	       ipt_TTL.ko
arp_tables.ko	    ipt_iprange.ko     ipt_ULOG.ko
arpt_mangle.ko	    ipt_LOG.ko	       nf_conntrack_ipv4.ko
ip_queue.ko	    ipt_MASQUERADE.ko  nf_nat_amanda.ko
iptable_filter.ko   ipt_NETMAP.ko      nf_nat_ftp.ko
iptable_mangle.ko   ipt_owner.ko       nf_nat_h323.ko
iptable_nat.ko	    ipt_recent.ko      nf_nat_irc.ko
iptable_raw.ko	    ipt_REDIRECT.ko    nf_nat.ko
ip_tables.ko	    ipt_REJECT.ko      nf_nat_pptp.ko
ipt_addrtype.ko     ipt_SAME.ko        nf_nat_proto_gre.ko
ipt_ah.ko	    ipt_tos.ko	       nf_nat_sip.ko
ipt_CLUSTERIP.ko    ipt_TOS.ko	       nf_nat_snmp_basic.ko
ipt_ecn.ko	    ipt_ttl.ko	       nf_nat_tftp.ko

It was found that some of the required modules have NOT been compiled with OpenVZ kernel. I fail to see I can make APF work. I may be wrong. Please advise. TIA


B.R.
satimis

[DanL@VPSLink]

I checked the modules listed against our OpenVZ Installed Kernel Modules list - it appears as though the following modules (or equivalents) are not included by default for OpenVZ at VPSLink:

• ipt_recent
• ipt_ecn
• ipt_owner
• ipt_ULOG

Modules compiled into the kernel at the hardware node level are not visible within your VPS - APF should work as described in the APF Firewall (IPTables) Setup/Installation document on the VPSLink Wiki so long as SET_MONOKERN="1" is set in your APF configuration.