User's guide

Advanced Tasks 70
Loading iptables Modules to Hardware Node
To have certain iptables modules loaded at Hardware Node startup, you should list their names as the value of the IPTABLES_MODULES parameter in the /etc/sysconfig/iptables-config file. The default value of this parameter is the following:

IPTABLES_MODULES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport
iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss
ipt_ttl ipt_length"
You may modify this value to add any of the following modules:
ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ipt_LOG
ipt_conntrack
ipt_helper
ipt_state
iptable_nat
ip_nat_ftp
ip_nat_irc
ipt_TOS
All the modules listed as the value of this parameter will be loaded at Node startup after you reboot the Hardware Node. However, if you want this set of modules to be loaded by default into the VPSs hosted on this Node, or you wish to restrict the loading of any of these modules for all or particular VPSs, you should perform some additional steps.
Loading iptables Modules to Particular VPSs
Which iptables modules are loaded by default inside the VPSs hosted on the given Node is determined by the value of the IPTABLES parameter in the /etc/sysconfig/vz file. Naturally, the modules that make up the value of this parameter will be loaded into VPSs only if they are also loaded on the Hardware Node itself (see page 70). This parameter can also be redefined both in VPS sample configuration files (/etc/sysconfig/vz-scripts/ve-sample_name.conf-sample) and in the configuration files of particular VPSs (/etc/sysconfig/vz-scripts/vps_id.conf).
In order to load extra iptables modules, or not to load certain default modules, inside particular VPSs, you should explicitly indicate which modules you wish to be loaded into these VPSs, either by modifying the IPTABLES parameter in the respective VPS configuration files or by using the vzctl command. For example:

# vzctl set 101 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REJECT --save
This command tells OpenVZ to load only the following modules into VPS 101: iptable_filter, ipt_length, ipt_limit, iptable_mangle, ipt_REJECT. This information is also saved in the VPS configuration file thanks to the --save option.

Loading a new set of iptables modules does not happen on the fly. You should restart the VPS for the changes to take effect.
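The following script is an added example, not part of the OpenVZ guide or the vzctl tool. It ties together the two sections above: it reads the Node-wide IPTABLES_MODULES value (which may continue across several lines, as the default does) and the IPTABLES value of one VPS configuration file, and reports any module the VPS asks for that the Node does not load, since such a module would never actually be loaded into the VPS. The file names follow the guide, but the file contents are constructed sample data written to a temporary directory, so the script runs without an OpenVZ installation; the helper names config_modules, missing_modules and vzctl_args are the example's own.

```shell
#!/bin/sh
# Added example (not from the OpenVZ guide): verify that every iptables module a
# VPS requests via IPTABLES is also present in the Hardware Node's IPTABLES_MODULES.
# The file contents below are constructed sample data, not copied from a real Node.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/sysconfig/iptables-config on the Hardware Node
# (same value as the guide's default, which spans three lines).
cat > "$WORK/iptables-config" <<'EOF'
IPTABLES_MODULES="ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport
iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss
ipt_ttl ipt_length"
EOF

# Constructed stand-in for /etc/sysconfig/vz-scripts/101.conf. ipt_state is
# deliberately requested although the Node above does not load it.
cat > "$WORK/101.conf" <<'EOF'
IPTABLES="iptable_filter ipt_length ipt_limit iptable_mangle ipt_REJECT ipt_state"
EOF

# Print the space-separated module list assigned to variable $2 in file $1.
# Handles a double-quoted value that continues over several lines, and stops
# at the line carrying the closing quote. Parsing with awk avoids sourcing the
# file, so nothing in it is executed.
config_modules() {
    awk -v var="$2" '
        $0 ~ ("^" var "=") { inval = 1; sub("^" var "=", "") }
        inval {
            line = $0
            gsub(/"/, "", line)
            printf "%s ", line
            if ($0 ~ /"[[:space:]]*$/) exit
        }
    ' "$1"
}

# Print, one per line, each module the VPS file $2 requests that the Node
# file $1 does not load. Empty output means the VPS list is fully satisfiable.
missing_modules() {
    node=" $(config_modules "$1" IPTABLES_MODULES) "
    for m in $(config_modules "$2" IPTABLES); do
        case "$node" in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Turn a module list into the repeated "--iptables <module>" arguments that
# the guide's vzctl example uses (one --iptables option per module).
vzctl_args() {
    set -- $1
    out=""
    for m in "$@"; do
        out="$out --iptables $m"
    done
    printf '%s' "${out# }"
}

echo "Node loads:   $(config_modules "$WORK/iptables-config" IPTABLES_MODULES)"
echo "VPS 101 asks: $(config_modules "$WORK/101.conf" IPTABLES)"
echo "Requested by VPS 101 but not loaded on the Node:"
missing_modules "$WORK/iptables-config" "$WORK/101.conf"
echo "Equivalent vzctl invocation for the VPS list (printed, not executed):"
echo "vzctl set 101 $(vzctl_args "$(config_modules "$WORK/101.conf" IPTABLES)") --save"
```

Run it on a real Node by pointing missing_modules at the actual /etc/sysconfig/iptables-config and the VPS's conf file under /etc/sysconfig/vz-scripts; any module it prints has to be added to IPTABLES_MODULES (and the Node rebooted) before the VPS restart will make it available inside the VPS.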