First of all, you should define which iptables modules are available to VPSes.
Edit /etc/sysconfig/iptables-config and /etc/sysconfig/vz on the hardware node, and add the modules you need to the IPTABLES_MODULES= and IPTABLES= lines respectively.
For example, a typical firewall configuration requires the following modules:
ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_conntrack
The changes are applied after you restart the vz service on the hardware node.
You can also define a list of iptables modules for each VPS using the --iptables option of the vzctl utility, as follows:
vzctl set 101 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REDIRECT --iptables ipt_REJECT --iptables iptable_nat --iptables ipt_state --iptables ip_conntrack --save
You will probably also need to increase the barrier of the numiptent parameter in /proc/user_beancounters using the vzctl utility. This parameter limits the number of iptables rules a VPS owner is allowed to create; once it is reached, new rules fail and the failcnt column for that VPS increments.
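As an added example (not from the original post), a POSIX shell script that checks a hardware node's iptables-config against the module list above and reads a VPS's numiptent counters (held, barrier, failcnt) from /proc/user_beancounters text. Both the config excerpt and the beancounter output are constructed samples embedded inline, so it runs offline.

```shell
#!/bin/sh
# Module list from the post; the node config is expected to carry all of these.
REQUIRED="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_conntrack"

# Constructed /etc/sysconfig/iptables-config excerpt (two NAT modules left out).
IPTCONF_SAMPLE='# constructed sample, not a real node config
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"'

# Constructed /proc/user_beancounters excerpt: VPS 101 has hit its numiptent barrier.
UBC_SAMPLE='Version: 2.5
       uid  resource           held  maxheld  barrier    limit  failcnt
      101:  kmemsize        2461550  2531136 14372700 14790164        0
            numiptent           128      128      128      128        7
      102:  kmemsize        1000000  1200000 14372700 14790164        0
            numiptent            10       12      128      128        0'

# Print each required module that is absent from the IPTABLES_MODULES= line in $1.
missing_modules() {
    loaded=$(printf '%s\n' "$1" | sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p')
    for m in $REQUIRED; do
        case " $loaded " in
            *" $m "*) ;;                    # present
            *) printf '%s\n' "$m" ;;        # missing
        esac
    done
}

# Print "held barrier failcnt" of numiptent for VPS id $1 from beancounter text $2.
# The uid line carries the first resource, so fields are shifted by one there.
numiptent_status() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 ~ /^[0-9]+:$/ { cur = $1; sub(":", "", cur)
                           if (cur == id && $2 == "numiptent") print $3, $5, $7
                           next }
        cur == id && $1 == "numiptent" { print $2, $4, $6 }'
}

echo "missing modules:"; missing_modules "$IPTCONF_SAMPLE"
echo "VPS 101 numiptent (held barrier failcnt): $(numiptent_status 101 "$UBC_SAMPLE")"
```

A non-zero failcnt, or held equal to barrier, is the signal that the VPS's numiptent barrier needs raising before its firewall can load fully.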
If you wish to run APF inside a VPS, make sure APF is configured with MONOKERN=1.