Solved

iptables, ubuntu vps, state established

Posted on 2009-07-16
13
807 Views
Last Modified: 2013-12-06
Hi all-

I'm playing with two ubuntu 8.04 installations (at 2 different vps providers).  The providers are using OpenVZ I beleive.  The nics in /etc/network/interfaces are listed as venet0, venet0:0, and venet0:1 on both installations.

I'm using iptables for a firewall.  The rules are pretty simple,
allow everything out
allow dns queries in
allow ESTABLISHED tcp sessions back in (for web, dns, etc)
block everything else

One one installation this works great, but on the other, the line that has:
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

errors out with the message:
iptables: no chain/targe/match by that name

I've attatched the full script below.  It's identical (Except for ip addresses, replaced with x.x.x.112 here) on the other machine.

I'm also game to listen to other suggestions, as I'm by no means a linux guru.

not having the established sessions work, means that even simple tasks like wget are failing.  wget looks up the ip of the server ok thanks to the explicit rule allowing upd traffic sourced at port 53 back in.  however, it just hangs while transfering the http data since the established tcp session isn't allowed back in.

if I do:
               iptables -A INPUT -p tcp -j ACCEPT
then POOF, everything works.  Obviously this defeats the firewall though.

Thanks for your input.
echo "0" > /proc/sys/net/ipv4/ip_forward
 
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
# flush
iptables -F INPUT
iptables -F OUTPUT
 
# default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
 
# allow pinging
iptables -A INPUT -p icmp -j ACCEPT
 
# allow inputs to loopback
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
 
# all established
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
 
# dns
iptables -A INPUT -p udp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
 
# allow local lookups to work
iptables -A INPUT -p udp -i venet0 --sport 53 --dport 1024:65535 -j ACCEPT

Open in new window

0
Comment
Question by:Berkson Wein
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
13 Comments
 
LVL 29

Expert Comment

by:fosiul01
ID: 24872044
it should be like this

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24872683
Thanks fosiul01, but I just tried that, and I got the same error message:
iptables: No chain/target/match by that name
 Is there something special that needs to be compiled into the kernel for this to work?  Or maybe there's some extra package that I need to install via apt-get?  Again the line worked at another provider without issue.
What does RELATED do anyway?
 
0
 
LVL 29

Accepted Solution

by:
fosiul01 earned 500 total points
ID: 24872715
i was going to tell you that

I belived there is some problem witih  OpenVZ and iptables
like my vps its openvz aswell, as soon as i put iptables rules, i cant access the server

so the vps company said not to use iptables!!!


some modules is not compiled with kernel or openvz does not support iptables
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 15

Author Comment

by:Berkson Wein
ID: 24873151
What's nuts is that my other openvz provider has iptables working just fine.  Also ubuntu 8.04.  Nuts.
0
 
LVL 29

Assisted Solution

by:fosiul01
fosiul01 earned 500 total points
ID: 24873197
then i will say, to speak with your this openvz provider and ask them why those rules is not working
since its vps server you would do anything with kernel
0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24873270
been there, done that.  clueless.  might be time to dump em.
0
 
LVL 29

Assisted Solution

by:fosiul01
fosiul01 earned 500 total points
ID: 24873324
ok have a look to this one

http://www.faqs.org/docs/iptables/commonproblems.html

its must of the modules is not installed in kernel

let me try to find out which module is needed for those rules, currently i forgot

but what your vps provider said/.??
0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24873417
gimme a bit. I'm in the middle of doing an
apt-get upgrade ubuntu-minimum
to see if that makes a difference
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 24873432
but i thought in ubuntu you guys use something call fw rules ??

0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24875449
I use iptables.
0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24875453
I spoke with the provider who "installed some modules on the host"  Now it works.  Trying to get details on exactly what was done.
thanks all for the input.
0
 
LVL 15

Author Closing Comment

by:Berkson Wein
ID: 31604322
Thanks for the help.
0
 
LVL 15

Author Comment

by:Berkson Wein
ID: 24878707
The provider said that they added
xt_tcpudp and ip_conntrack ip_conntrack_enable_ve0=1  
0

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you sitting there reading this and wondering how to get started with Linux? It almost seems like picking the right Linux distribution is about like picking the right college or buying a new car if you read some of the article out there. Relax… l…
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question