10.6. Managing iptables Modules

This section describes how to manage iptables modules for both physical servers and containers.

10.6.1. Using iptables Modules in Virtuozzo

Filtering network packets on hardware nodes running Virtuozzo does not differ from doing so on a typical Linux server. You can use the standard iptables tool to control how network packets enter, move through, and exit the network stack within the Virtuozzo kernel.

Connection tracking on the hardware node is disabled by default. Setting iptables rules that require conntrack functionality enables tracking of new connections and makes the node vulnerable to DoS attacks, because the number of conntrack slots is limited and can be exhausted. However, setting such rules only for particular virtual machines and containers (e.g., for NAT) leaves the other containers, virtual machines and the hardware node itself reachable if one of them comes under a DoS attack.

Note

Once conntrack is enabled for a container, it cannot be disabled until the hardware node or that container is restarted.

To detect active connections tracked on the hardware node, check if the /proc/net/nf_conntrack file contains any entries:

# cat /proc/net/nf_conntrack

For your reference, below are several resources you can consult to get detailed information on using iptables on Linux servers:

10.6.2. Using iptables Modules in Containers

Using iptables modules in containers requires additional configuration on your part.

10.6.2.1. Configuring iptables Modules

To specify which iptables modules are allowed for a container (the setting is preserved on backup/restore and live migration), use the prlctl set --netfilter command. If some of the iptables modules allowed for a container are not loaded on the hardware node where that container has been restored or migrated, they are loaded automatically when that container starts. For example, the command

# prlctl set MyCT --netfilter stateful

ensures that all modules except NAT-related ones are allowed for the container MyCT and loaded (if required) on the hardware node where it has been restored or migrated.

Note

The default setting is full, which allows all modules.

10.6.2.2. Using conntrack Rules and NAT Tables

To limit the maximum number of conntrack slots available to each container on the hardware node, set the net.netfilter.nf_conntrack_max sysctl variable. For example:

# sysctl -w net.netfilter.nf_conntrack_max=50000

The value of net.netfilter.nf_conntrack_max cannot exceed the value of net.nf_conntrack_max.

Note

Even if a container is under a DoS attack and all of its conntrack slots are in use, other containers are not affected: each of them can still create as many connections as net.netfilter.nf_conntrack_max allows.
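The following shell script is an added example, not part of the Virtuozzo documentation or the prlctl/Virtuozzo tooling. It ties together the two checks described above: reading a table in the /proc/net/nf_conntrack format (as shown in 10.6.1) and comparing its size against a per-container net.netfilter.nf_conntrack_max limit (10.6.2.2), so that slot exhaustion is visible before a container hits its ceiling. The conntrack entries, the addresses in them and the small limit of 5 are constructed for illustration; on a real node you would point the functions at /proc/net/nf_conntrack and at the value reported by sysctl.

```shell
#!/bin/sh
# Added example: summarise a conntrack table and check it against a
# per-container slot limit. Sample data below is constructed, not captured.

# Write a constructed table in /proc/net/nf_conntrack format to a temp file
# and print the file name. Two SYN_RECV entries model half-open connections.
make_sample_conntrack() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 110 SYN_RECV src=203.0.113.7 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=203.0.113.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 110 SYN_RECV src=203.0.113.8 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=203.0.113.8 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 zone=0 use=2
EOF
    printf '%s\n' "$f"
}

# Total number of tracked connections: one non-empty line per entry.
conntrack_total() {
    grep -c . "$1"
}

# Number of entries for an L4 protocol name (tcp, udp, ...): field 3.
conntrack_count_proto() {
    awk -v p="$2" '$3 == p' "$1" | wc -l | tr -d ' '
}

# Number of TCP entries in a given state: field 6 on tcp lines.
conntrack_count_state() {
    awk -v s="$2" '$3 == "tcp" && $6 == s' "$1" | wc -l | tr -d ' '
}

# A per-container limit must be positive and may not exceed the node-wide one
# ($1 = net.netfilter.nf_conntrack_max, $2 = net.nf_conntrack_max).
limit_is_valid() {
    [ "$1" -gt 0 ] && [ "$1" -le "$2" ]
}

# Integer percentage of the per-container slots currently in use
# ($1 = table file, $2 = per-container limit).
conntrack_usage_pct() {
    total=$(conntrack_total "$1")
    limit=$2
    echo $(( total * 100 / limit ))
}

# OK or WARN depending on whether usage has reached the threshold percentage
# ($1 = table file, $2 = per-container limit, $3 = warn threshold).
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then echo "WARN"; else echo "OK"; fi
}

# Stand-alone run over the constructed sample with a deliberately small limit.
sample=$(make_sample_conntrack)
echo "entries: $(conntrack_total "$sample")  tcp: $(conntrack_count_proto "$sample" tcp)  SYN_RECV: $(conntrack_count_state "$sample" SYN_RECV)"
echo "usage: $(conntrack_usage_pct "$sample" 5)%  status: $(conntrack_status "$sample" 5 80)"
rm -f "$sample"
```

Replace the sample file with /proc/net/nf_conntrack and the limit with the output of `sysctl -n net.netfilter.nf_conntrack_max` to run the same checks on a node; a rising SYN_RECV count alongside high slot usage is the pattern to watch for on a container whose conntrack table is being filled.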