iptables, ubuntu vps, state established

Hi all-

I'm playing with two ubuntu 8.04 installations (at 2 different vps providers).  The providers are using OpenVZ I beleive.  The nics in /etc/network/interfaces are listed as venet0, venet0:0, and venet0:1 on both installations.

I'm using iptables for a firewall.  The rules are pretty simple,
allow everything out
allow dns queries in
allow ESTABLISHED tcp sessions back in (for web, dns, etc)
block everything else

One one installation this works great, but on the other, the line that has:
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

errors out with the message:
iptables: no chain/targe/match by that name

I've attatched the full script below.  It's identical (Except for ip addresses, replaced with x.x.x.112 here) on the other machine.

I'm also game to listen to other suggestions, as I'm by no means a linux guru.

not having the established sessions work, means that even simple tasks like wget are failing.  wget looks up the ip of the server ok thanks to the explicit rule allowing upd traffic sourced at port 53 back in.  however, it just hangs while transfering the http data since the established tcp session isn't allowed back in.

if I do:
               iptables -A INPUT -p tcp -j ACCEPT
then POOF, everything works.  Obviously this defeats the firewall though.

Thanks for your input.
echo "0" > /proc/sys/net/ipv4/ip_forward
 
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
# flush
iptables -F INPUT
iptables -F OUTPUT
 
# default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
 
# allow pinging
iptables -A INPUT -p icmp -j ACCEPT
 
# allow inputs to loopback
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
 
# all established
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
 
# dns
iptables -A INPUT -p udp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
 
# allow local lookups to work
iptables -A INPUT -p udp -i venet0 --sport 53 --dport 1024:65535 -j ACCEPT

Open in new window

LVL 15
Berkson WeinTech FreelancerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

fosiul01Commented:
it should be like this

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

0
Berkson WeinTech FreelancerAuthor Commented:
Thanks fosiul01, but I just tried that, and I got the same error message:
iptables: No chain/target/match by that name
 Is there something special that needs to be compiled into the kernel for this to work?  Or maybe there's some extra package that I need to install via apt-get?  Again the line worked at another provider without issue.
What does RELATED do anyway?
 
0
fosiul01Commented:
i was going to tell you that

I belived there is some problem witih  OpenVZ and iptables
like my vps its openvz aswell, as soon as i put iptables rules, i cant access the server

so the vps company said not to use iptables!!!


some modules is not compiled with kernel or openvz does not support iptables
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Berkson WeinTech FreelancerAuthor Commented:
What's nuts is that my other openvz provider has iptables working just fine.  Also ubuntu 8.04.  Nuts.
0
fosiul01Commented:
then i will say, to speak with your this openvz provider and ask them why those rules is not working
since its vps server you would do anything with kernel
0
Berkson WeinTech FreelancerAuthor Commented:
been there, done that.  clueless.  might be time to dump em.
0
fosiul01Commented:
ok have a look to this one

http://www.faqs.org/docs/iptables/commonproblems.html

its must of the modules is not installed in kernel

let me try to find out which module is needed for those rules, currently i forgot

but what your vps provider said/.??
0
Berkson WeinTech FreelancerAuthor Commented:
gimme a bit. I'm in the middle of doing an
apt-get upgrade ubuntu-minimum
to see if that makes a difference
0
fosiul01Commented:
but i thought in ubuntu you guys use something call fw rules ??

0
Berkson WeinTech FreelancerAuthor Commented:
I use iptables.
0
Berkson WeinTech FreelancerAuthor Commented:
I spoke with the provider who "installed some modules on the host"  Now it works.  Trying to get details on exactly what was done.
thanks all for the input.
0
Berkson WeinTech FreelancerAuthor Commented:
Thanks for the help.
0
Berkson WeinTech FreelancerAuthor Commented:
The provider said that they added
xt_tcpudp and ip_conntrack ip_conntrack_enable_ve0=1  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Distributions

From novice to tech pro — start learning today.