10.6. Managing iptables Modules¶
This section describes how to manage
iptables modules for both physical servers and containers.
10.6.1. Using iptables Modules in Virtuozzo Hybrid Server¶
Filtering network packets on hardware nodes running Virtuozzo Hybrid Server does not differ from doing so on a typical Linux server. You can use the standard
iptables tool to control how network packets enter, move through, and exit the network stack within the Virtuozzo Hybrid Server kernel.
Connection tracking on the hardware node is disabled by default. Setting
iptables rules that require
conntrack functionality enables tracking of new connections and makes the node vulnerable to DoS attacks, since the number of
conntrack slots is limited. However, setting such rules for particular virtual machines and containers (e.g., for NAT) leaves other containers, virtual machines and the hardware node reachable in case of a DoS attack.
conntrack is enabled for a container, it cannot be disabled until the restart of the hardware node or the container.
To detect active connections tracked on the hardware node, check if the
/proc/net/nf_conntrack file contains any entries:
# cat /proc/net/nf_conntrack
For your reference, below are several resources you can consult to get detailed information on using
iptables on Linux servers:
10.6.2. Using iptables Modules in Containers¶
iptables modules in containers requires additional configuration on your part.
10.6.2.1. Configuring iptables Modules¶
To set the state of
iptables modules for backup/restore or live migration, use the
prlctl set --netfilter command. If some of the
iptables modules allowed for a container are not loaded on the hardware node where that container has been restored or migrated, they will be automatically loaded when that container starts. For example, the command
# prlctl set MyCT --netfilter stateful
will make sure that all modules except NAT-related will be allowed and loaded for the container
MyCT (if required) on a hardware node where it has been restored or migrated.
The default setting is
full, which allows all modules.
10.6.2.2. Using conntrack Rules and NAT Tables¶
To limit the maximum number of
conntrack slots available for each container on the hardware node, set the
net.netfilter.nf_conntrack_max variable. For example:
# sysctl -w net.netfilter.nf_conntrack_max=50000
The value of
net.netfilter.nf_conntrack_max cannot exceed the value of
Even if a container is under a DoS attack and all its
conntrack slots are in use, other containers will not be affected, still being able to create as many connections as set in