iptables conntrack module does not seem to be working

Support for security such as Firewalls and securing linux
krik
Posts: 3
Joined: 2016/06/20 14:00:40

iptables conntrack module does not seem to be working

Post by krik » 2016/06/20 14:09:07

Hi,

I have a server running CentOS 6.6 with vzkernel-2.6.32-042stab116.1.x86_64. I'm trying to configure iptables rules with conntrack module, but all rules with conntrack features are never matched. Other iptables rules are working fine.

Here are my iptables rules, the first two INPUT rules are never matched, only the 3rd one and the default policy match...

# Generated by iptables-save v1.4.7 on Mon Jun 20 16:05:29 2016
*mangle
:PREROUTING ACCEPT [4151254:444702687]
:INPUT ACCEPT [1040600:251465478]
:FORWARD ACCEPT [3818617:376773393]
:OUTPUT ACCEPT [971373:108608581]
:POSTROUTING ACCEPT [4789990:485381974]
COMMIT
# Completed on Mon Jun 20 16:05:29 2016
# Generated by iptables-save v1.4.7 on Mon Jun 20 16:05:29 2016
*filter
:INPUT ACCEPT [385:51370]
:FORWARD ACCEPT [2058:181165]
:OUTPUT ACCEPT [518:53961]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jun 20 16:05:29 2016

conntrack modules seem to be loaded:

$ lsmod | grep conn
xt_conntrack            3960  2
nf_conntrack_ipv4       9586  4 nf_nat
nf_defrag_ipv4          1523  1 nf_conntrack_ipv4
nf_conntrack_ipv6       7993  2
nf_defrag_ipv6         26468  1 nf_conntrack_ipv6
nf_conntrack           80942  7 xt_conntrack,vzrst,nf_nat,nf_conntrack_ipv4,vzcpt,nf_conntrack_ipv6,xt_state
ipv6                  340741  133 vzrst,vzcpt,ip6table_mangle,bridge,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

Any idea what is missing?

Thanks,
C.
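The symptom above (the two conntrack rules never match while the plain port-22 rule does) can be spotted mechanically from the counters that `iptables-save -c` prints. The following is an added diagnostic, not part of the thread or of iptables itself; it assumes the `[pkts:bytes] -A CHAIN ...` line format of `iptables-save -c` and runs against a constructed sample modelled on the poster's rules.

```shell
# Added diagnostic (not from the thread): list rules whose packet counter is
# still zero in `iptables-save -c` output, i.e. rules that have never matched.
# Assumed input format: "[pkts:bytes] -A CHAIN ..." lines as printed by -c.
unmatched_rules() {
    # $1 = file holding `iptables-save -c` output, or "-" for stdin
    awk '
        /^\*/ { table = substr($0, 2); next }   # *filter, *mangle, ...
        /^\[[0-9]+:[0-9]+\] -A / {
            # strip the surrounding brackets, then split pkts:bytes
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] + 0 == 0) {
                rule = $0
                sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
                printf "%s: %s\n", table, rule
            }
        }
    ' "$1"
}

# Constructed sample: the rules from the question, with counters in the
# shape `iptables-save -c` would print them (values made up for the demo).
SAMPLE='# Generated by iptables-save v1.4.7 (constructed sample)
*filter
:INPUT ACCEPT [385:51370]
:FORWARD ACCEPT [2058:181165]
:OUTPUT ACCEPT [518:53961]
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
[42:3360] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Count how many of the never-matched rules use the conntrack match. When
# every conntrack rule is at zero while a plain rule on the same port counts,
# the match itself (module or its state tracking) is the thing to suspect.
conntrack_dead() {
    printf '%s\n' "$SAMPLE" | unmatched_rules - | grep -c -- '-m conntrack'
}

printf '%s\n' "$SAMPLE" | unmatched_rules -
echo "never-matched conntrack rules: $(conntrack_dead)"
```

On a live system replace the sample with `iptables-save -c | unmatched_rules -`; a rule that stays at zero after traffic it should match has been sent is the one to investigate.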

TrevorH
Forum Moderator
Posts: 29112
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables conntrack module does not seem to be working

Post by TrevorH » 2016/06/20 15:01:50

You're not running CentOS, you're running OpenVZ. They are different and the ability to load kernel modules is controlled from the host on openvz. You need to ask openvz/your hoster to enable it.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

krik
Posts: 3
Joined: 2016/06/20 14:00:40

Re: iptables conntrack module does not seem to be working

Post by krik » 2016/06/21 20:52:24

TrevorH wrote: You're not running CentOS, you're running OpenVZ. They are different and the ability to load kernel modules is controlled from the host on openvz. You need to ask openvz/your hoster to enable it.
I'm not speaking about iptables inside a container but on the host itself...

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: iptables conntrack module does not seem to be working

Post by gerald_clark » 2016/06/21 21:29:54

It is still OpenVZ's network stack, not CentOS's.
For OpenVZ issues, goto https://openvz.org/Main_Page

krik
Posts: 3
Joined: 2016/06/20 14:00:40

Re: iptables conntrack module does not seem to be working

Post by krik » 2016/06/22 07:06:35

gerald_clark wrote: It is still OpenVZ's network stack, not CentOS's.
For OpenVZ issues, goto https://openvz.org/Main_Page
Indeed, I found a solution on openVZ forum. For those who might be interested: https://forum.openvz.org/index.php?t=msg&th=12619

Thanks,
C.
