10.12. Managing iptables Modules
This section describes how to manage iptables modules for both physical servers and containers.
10.12.1. Using iptables Modules in Virtuozzo Hybrid Server
Filtering network packets on hardware nodes running Virtuozzo Hybrid Server does not differ from doing so on a typical Linux server. You can use the standard iptables tool to control how network packets enter, move through, and exit the network stack within the Virtuozzo Hybrid Server kernel.
Connection tracking on the hardware node is disabled by default. Loading iptables rules that need conntrack (connection-state matches such as -m conntrack or -m state, and NAT) turns on tracking of new connections and makes the node vulnerable to DoS attacks, because the conntrack table has a limited number of slots: once they are exhausted, new connections can no longer be tracked. If such rules are set only for particular virtual machines and containers (e.g., for NAT), the other containers, virtual machines and the hardware node itself stay reachable when one of them is under a DoS attack.
Note
Once conntrack is enabled for a container, it cannot be disabled until the container or the hardware node is restarted.
To see whether any connections are currently being tracked on the hardware node, check whether the /proc/net/nf_conntrack file contains any entries (if the file does not exist at all, the nf_conntrack module is not loaded):
# cat /proc/net/nf_conntrack
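Reading the raw file tells you only whether tracking is active. The following script, added here as an example and not part of the Virtuozzo documentation, parses the same file and reports what a practitioner actually wants during a suspected flood: total entries against the limit, the protocol and TCP-state breakdown, and the addresses originating most connections. All function names are this example's own; the sample table is constructed (RFC 5737 addresses), and on a node the functions are run against /proc/net/nf_conntrack and the live net.netfilter.nf_conntrack_max value instead.

```shell
#!/bin/sh
# Added example, not code from the Virtuozzo documentation: summarize the
# conntrack table of the hardware node and flag when it approaches
# net.netfilter.nf_conntrack_max. Every function takes the table file as an
# argument, so the same code runs on /proc/net/nf_conntrack and on a copy
# saved during an incident.

# Number of tracked connections: /proc/net/nf_conntrack has one entry per line.
ct_count() {
    awk 'NF { n++ } END { print n + 0 }' "$1"
}

# Entries per L4 protocol (third field: tcp, udp, icmp, ...).
ct_by_proto() {
    awk 'NF { n[$3]++ } END { for (p in n) print p, n[p] }' "$1" | sort
}

# TCP entries per state (sixth field on tcp lines; udp/icmp lines have none).
# A large SYN_SENT/SYN_RECV share points at a flood rather than real load.
ct_tcp_states() {
    awk '$3 == "tcp" { n[$6]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# Top N originators. Each line carries two tuples; the first src= token is
# the original direction, the second one the reply direction.
ct_top_src() {
    awk 'NF { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (a in n) print n[a], a }' "$1" | sort -rn | head -n "$2"
}

# Table usage as an integer percentage of the limit.
ct_usage_pct() {
    # $1 = file, $2 = nf_conntrack_max (must be > 0)
    echo $(( $(ct_count "$1") * 100 / $2 ))
}

# Print a report; exit status 1 when usage reaches the warning threshold,
# so the function can drive a cron job or a monitoring check.
ct_report() {
    # $1 = file, $2 = nf_conntrack_max, $3 = warning threshold in percent
    total=$(ct_count "$1")
    pct=$(ct_usage_pct "$1" "$2")
    echo "tracked connections: $total / $2 ($pct%)"
    echo "by protocol:";     ct_by_proto "$1"   | sed 's/^/  /'
    echo "tcp states:";      ct_tcp_states "$1" | sed 's/^/  /'
    echo "top originators:"; ct_top_src "$1" 3  | sed 's/^/  /'
    [ "$pct" -lt "$3" ]
}

# Constructed sample in /proc/net/nf_conntrack format, written to the file
# named in $1 (not real traffic; addresses are documentation ranges).
ct_sample() {
    cat > "$1" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=52342 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=52342 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=52343 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=52343 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 30 SYN_SENT src=192.0.2.77 dst=198.51.100.5 sport=40001 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.77 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=44112 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=44112 mark=0 zone=0 use=2
EOF
}

# Demo on the sample. On a node, replace the two arguments with
# /proc/net/nf_conntrack and "$(sysctl -n net.netfilter.nf_conntrack_max)".
sample=$(mktemp)
ct_sample "$sample"
ct_report "$sample" 50000 80
rm -f "$sample"
```

The report's exit status makes it usable as a check: a cron entry such as `ct_report /proc/net/nf_conntrack "$(sysctl -n net.netfilter.nf_conntrack_max)" 80 || logger -t conntrack "table above 80%"` gives an early warning before the slots run out.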
For your reference, the following resources give detailed information on using iptables on Linux servers:
- The Red Hat Enterprise Linux 7 Security Guide contains a section on packet filtering basics that explains the various options available for iptables.
- The iptables Tutorial 1.2.2 explains in great detail how iptables is structured and how it works.
10.12.2. Using iptables Modules in Containers
Using iptables modules in containers requires additional configuration on your part.
10.12.2.1. Configuring iptables Modules
To define which iptables modules a container may use, so that the setting is preserved across backup/restore and live migration, use the prlctl set --netfilter command. If some of the iptables modules allowed for a container are not loaded on the hardware node to which that container has been restored or migrated, they are loaded automatically when the container starts. For example, the command
# prlctl set MyCT --netfilter stateful
allows all modules except the NAT-related ones for the container MyCT and loads them (if required) on the hardware node to which it has been restored or migrated.
Note
The default setting is full, which allows all modules.
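Leaving every container at the default full grants NAT and conntrack modules to containers that never use them. The script below, added here as an example and not part of the Virtuozzo documentation, derives the least permissive --netfilter mode from a container's own iptables-save output and applies it before a backup or migration. The page names only stateful (all modules except NAT) and full (all modules); stateless and disabled are assumed here to be the other two values prlctl set --netfilter accepts, and the function names and the sample ruleset are this example's own. The wrapper uses the real prlctl exec and prlctl set --netfilter commands.

```shell
#!/bin/sh
# Added example, not code from the Virtuozzo documentation: pick the least
# permissive --netfilter mode a container's ruleset actually needs instead of
# leaving the default "full". "stateless" and "disabled" are assumed to be the
# two modes below "stateful" and "full" (the page describes only the latter two).

# Classify iptables-save output:
#   full      - rules in the nat table or NAT targets (SNAT, DNAT, MASQUERADE, REDIRECT)
#   stateful  - connection-state matches (-m conntrack / -m state) but no NAT
#   stateless - rules that need neither
#   disabled  - no rules at all (only table headers and chain policies)
# Only "-A" lines count, so a nat table that iptables-save prints empty does
# not force "full".
netfilter_mode_for() {
    # $1 = file with iptables-save output
    awk '
        /^\*/   { table = substr($0, 2) }
        /^-A /  { rules++
                  if (table == "nat") nat = 1
                  if ($0 ~ /-j (SNAT|DNAT|MASQUERADE|REDIRECT)/) nat = 1
                  if ($0 ~ /-m (conntrack|state) /) ct = 1 }
        END {
            if (nat) print "full"
            else if (ct) print "stateful"
            else if (rules) print "stateless"
            else print "disabled"
        }' "$1"
}

# Apply the computed mode to a container before it is backed up or migrated.
# Hypothetical wrapper around two real commands: prlctl exec runs iptables-save
# inside the container, prlctl set --netfilter records the allowed modules.
# Review the result for containers that load rules only later at runtime.
netfilter_fit() {
    # $1 = container name or UUID
    dump=$(mktemp) || return 1
    if ! prlctl exec "$1" iptables-save > "$dump"; then
        rm -f "$dump"; return 1
    fi
    mode=$(netfilter_mode_for "$dump")
    rm -f "$dump"
    echo "$1: ruleset needs --netfilter $mode"
    prlctl set "$1" --netfilter "$mode"
}

# Constructed sample: a typical stateful host firewall without NAT, with the
# empty nat table that iptables-save prints when the module is loaded.
netfilter_sample() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Demo on the sample; for a real container run: netfilter_fit MyCT
dump=$(mktemp)
netfilter_sample "$dump"
echo "sample ruleset needs --netfilter $(netfilter_mode_for "$dump")"
rm -f "$dump"
```

The classifier is deliberately conservative in one direction only: any rule in the nat table or any NAT target forces full, and any state match forces stateful, so it never proposes a mode that would make an existing rule fail to load after migration.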
10.12.2.2. Using conntrack Rules and NAT Tables
To limit the number of conntrack slots available to each container on the hardware node, set the net.netfilter.nf_conntrack_max variable. For example:
# sysctl -w net.netfilter.nf_conntrack_max=50000
The value of net.netfilter.nf_conntrack_max cannot exceed the value of net.nf_conntrack_max. A value set with sysctl -w does not survive a reboot; to make the limit permanent, add it to a file in /etc/sysctl.d/ (the key exists only while the nf_conntrack module is loaded).
Even if a container is under a DoS attack and all of its conntrack slots are in use, other containers are not affected and can still create as many connections as net.netfilter.nf_conntrack_max allows.
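Two things can go wrong when the per-container limit is changed by hand: the value can exceed the node-wide net.nf_conntrack_max ceiling described above, or it can be set at or below the number of entries already in the table, after which the kernel can no longer allocate entries for new connections and logs "nf_conntrack: table full, dropping packet". The script below, added here as an example and not part of the Virtuozzo documentation, checks both before writing the sysctl. Function names and the persistence-file argument are this example's own; the sysctl keys are the ones the page names.

```shell
#!/bin/sh
# Added example, not code from the Virtuozzo documentation: apply a
# per-container conntrack limit only after checking that it does not exceed
# the node-wide net.nf_conntrack_max and that it leaves room above the
# entries already tracked (otherwise new connections are dropped the moment
# the new limit takes effect).

# Pure check, usable offline: prints the value to apply and returns 0, or
# prints the reason on stderr and returns 1.
ct_validate_limit() {
    # $1 = requested net.netfilter.nf_conntrack_max
    # $2 = node ceiling, net.nf_conntrack_max
    # $3 = entries currently in the table
    case "$1" in
        ''|*[!0-9]*) echo "limit must be a positive integer, got '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "limit must be a positive integer, got 0" >&2; return 1
    fi
    if [ "$1" -gt "$2" ]; then
        echo "requested $1 exceeds net.nf_conntrack_max=$2" >&2; return 1
    fi
    if [ "$1" -le "$3" ]; then
        echo "requested $1 is not above the $3 entries already tracked; new connections would be dropped" >&2
        return 1
    fi
    echo "$1"
}

# Live wrapper: read the node state, validate, then write the sysctl.
# An optional second argument names a file under /etc/sysctl.d/ that makes
# the value survive a reboot (sysctl -w alone does not).
ct_apply_limit() {
    # $1 = requested value, $2 = optional persistence file
    ceiling=$(sysctl -n net.nf_conntrack_max) || return 1
    if [ -r /proc/net/nf_conntrack ]; then
        inuse=$(awk 'NF { n++ } END { print n + 0 }' /proc/net/nf_conntrack)
    else
        inuse=0    # conntrack not loaded yet: nothing tracked
    fi
    value=$(ct_validate_limit "$1" "$ceiling" "$inuse") || return 1
    sysctl -w net.netfilter.nf_conntrack_max="$value" || return 1
    if [ -n "$2" ]; then
        printf 'net.netfilter.nf_conntrack_max = %s\n' "$value" > "$2"
    fi
}

# Entry point (hypothetical usage):
#   ./ct-limit.sh apply 50000 [/etc/sysctl.d/90-conntrack.conf]
case "${1:-}" in
    apply) ct_apply_limit "${2:-}" "${3:-}" ;;
esac
```

Because the check is a separate function that takes the ceiling and the current count as arguments, it can be exercised against recorded values from an incident without touching a live node.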