Hi there,

I have a VM under an OpenVZ system. I would like to configure a firewall to that VM using Shorewall, but after following the steps on one particular howto of the official website (don't remember now which one) I can't get rid of the following error:

    ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
    iptables: No chain/target/match by that name

I'm trying to run shorewall with the "shorewall safe-start" command. Researching the web I found that this error may be related to the lack of the ipt_state module, but the kernel has this module enabled.

In attachment I'm sending the full output of shorewall -vv safe-start and also the output of /sbin/shorewall trace start 2> /tmp/trace

Thanks,
Rodrigo.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Rodrigo Sampaio Primo wrote:
> Hi there,
>
> I have a VM under an OpenVZ system. I would like to configure a firewall
> to that VM using Shorewall, but after following the steps on one
> particular howto of the official website (don't remember now which
> one) I can't get rid of the following error:
>
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT" Failed
> iptables: No chain/target/match by that name

Rodrigo,

Please type that iptables command (or copy paste it) at a root shell prompt. I'm sure that you will find that it fails.

Until that command can complete without error, no stateful iptables-based firewall will be able to run in your VM.

I suspect that you will be better off looking for help on OpenVZ lists/channels rather than here on the Shorewall list.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
Tom Eastep wrote:
> Rodrigo,
>
> Please type that iptables command (or copy paste it) at a root shell
> prompt. I'm sure that you will find that it fails.
>
> Until that command can complete without error, no stateful
> iptables-based firewall will be able to run in your VM.
>
> I suspect that you will be better off looking for help on OpenVZ
> lists/channels rather than here on the Shorewall list.

One thought: I see that OpenVZ now has a 2.6.20 kernel. If you are using that kernel, you should be aware that the names of many of the netfilter modules changed in that release. Hopefully the OpenVZ project has issued new instructions for setting the IPTABLES_MODULES option when that kernel is being used.

I've attached a file that contains the names of many (but not all) of the 2.6.20 modules.

-Tom
-------------------------------------------------------------------------
Hi Tom,

I'm using CentOS with kernel 2.6.9-023stab043.2-smp, so I don't think the problem is related to kernel modules names. Now I'm trying to find out what is missing for this rule to be accepted.

Thanks for your help,
Rodrigo.

On 9/1/07, Tom Eastep <teastep@shorewall.net> wrote:
> One thought: I see that OpenVZ now has a 2.6.20 kernel. If you are using
> that kernel, you should be aware that the names of many of the netfilter
> modules changed in that release. Hopefully the OpenVZ project has issued
> new instructions for setting the IPTABLES_MODULES option when that
> kernel is being used.
>
> I've attached a file that contains the names of many (but not all) of
> the 2.6.20 modules.
>
> -Tom
>
> iptable_filter
> iptable_mangle
> iptable_nat
> iptable_raw
> ip_tables
> ipt_addrtype
> ipt_ah
> ipt_CLUSTERIP
> ipt_ecn
> ipt_ECN
> ipt_iprange
> ipt_LOG
> ipt_MASQUERADE
> ipt_NETMAP
> ipt_owner
> ipt_recent
> ipt_REDIRECT
> ipt_REJECT
> ipt_SAME
> ipt_TCPMSS
> ipt_tos
> ipt_TOS
> ipt_ttl
> ipt_TTL
> ipt_ULOG
> nf_conntrack
> nf_conntrack_amanda
> nf_conntrack_ftp
> nf_conntrack_h323
> nf_conntrack_ipv4
> nf_conntrack_irc
> nf_conntrack_netbios_ns
> nf_conntrack_netlink
> nf_conntrack_pptp
> nf_conntrack_proto_gre
> nf_conntrack_proto_sctp
> nf_conntrack_sip
> nf_conntrack_tftp
> nf_nat
> nf_nat_amanda
> nf_nat_ftp
> nf_nat_h323
> nf_nat_irc
> nf_nat_pptp
> nf_nat_proto_gre
> nf_nat_sip
> nf_nat_snmp_basic
> nf_nat_tftp
> xt_CLASSIFY
> xt_comment
> xt_connmark
> xt_conntrack
> xt_dccp
> xt_hashlimit
> xt_helper
> xt_length
> xt_limit
> xt_mac
> xt_mark
> xt_MARK
> xt_multiport
> xt_NFLOG
> xt_NFQUEUE
> xt_physdev
> xt_pkttype
> xt_policy
> xt_state
> xt_tcpmss
> xt_tcpudp
-------------------------------------------------------------------------
Tom, do you have any idea how can I check what is missing for this rule to work? I have spent some time searching without success.

Thanks again,
Rodrigo.

On 9/6/07, Rodrigo Sampaio Primo <rodrigosprimo@gmail.com> wrote:
> Hi Tom, I'm using CentOS with kernel 2.6.9-023stab043.2-smp, so I don't
> think the problem is related to kernel modules names. Now I'm trying to find
> out what is missing for this rule to be accepted. Thanks for your help,
> Rodrigo.
-------------------------------------------------------------------------
Rodrigo Sampaio Primo wrote:
> Tom, do you have any idea how can I check what is missing for this rule
> to work? I have spent some time searching without success.

Rodrigo,

I have no experience with OpenVZ and don't understand how it partitions Netfilter among the VMs. As a consequence, I have no idea what to look for.

-Tom
-------------------------------------------------------------------------
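One way to narrow down which part of "No chain/target/match by that name" applies to a rule, as an added example that is not part of the original thread: the script below compares the `-m` matches and `-j` targets a rule names against the extensions the kernel reports as registered. It assumes the kernel (or container) exposes those lists in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets; the function names and the sample lists in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the kernel lists registered
# extensions one per line in /proc/net/ip_tables_matches and ..._targets.
BUILTIN_TARGETS="ACCEPT DROP QUEUE RETURN"   # verdicts that need no module

# missing_extensions MATCHES_FILE TARGETS_FILE RULE-WORDS...
# Prints "match:NAME" / "target:NAME" for each extension the rule names that
# is not listed. Returns 2 if a list cannot be read (nothing can be concluded).
# Caveat: a -j to a user-defined chain is reported as a missing target.
missing_extensions() {
    matches_file=$1; targets_file=$2; shift 2
    [ -r "$matches_file" ] && [ -r "$targets_file" ] || {
        echo "cannot read extension lists" >&2; return 2; }
    prev=""
    for word in "$@"; do
        case "$prev" in
            -m|--match)
                grep -qxF -- "$word" "$matches_file" || echo "match:$word" ;;
            -j|--jump)
                case " $BUILTIN_TARGETS " in
                    *" $word "*) ;;          # built-in verdict, always present
                    *) grep -qxF -- "$word" "$targets_file" ||
                           echo "target:$word" ;;
                esac ;;
        esac
        prev=$word
    done
    return 0
}

# Constructed sample: a container that was given "limit" but not "state".
demo() {
    d=$(mktemp -d) || return 1
    printf 'limit\ntcp\nudp\nicmp\n' > "$d/matches"
    printf 'REJECT\nLOG\n' > "$d/targets"
    missing_extensions "$d/matches" "$d/targets" \
        -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rm -rf "$d"
}

# Real use: sh check.sh -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ "$#" -gt 0 ]; then
    missing_extensions /proc/net/ip_tables_matches \
        /proc/net/ip_tables_targets "$@"
fi
```

An empty result with exit status 0 means every named match and target is registered, so the chain or table is the remaining candidate; exit status 2 means the lists themselves were not readable inside the VM.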