Solved

iptables, ubuntu vps, state established

Posted on 2009-07-16
13
804 Views
Last Modified: 2013-12-06
Hi all-

I'm playing with two ubuntu 8.04 installations (at 2 different vps providers).  The providers are using OpenVZ I beleive.  The nics in /etc/network/interfaces are listed as venet0, venet0:0, and venet0:1 on both installations.

I'm using iptables for a firewall.  The rules are pretty simple,
allow everything out
allow dns queries in
allow ESTABLISHED tcp sessions back in (for web, dns, etc)
block everything else

One one installation this works great, but on the other, the line that has:
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

errors out with the message:
iptables: no chain/targe/match by that name

I've attatched the full script below.  It's identical (Except for ip addresses, replaced with x.x.x.112 here) on the other machine.

I'm also game to listen to other suggestions, as I'm by no means a linux guru.

not having the established sessions work, means that even simple tasks like wget are failing.  wget looks up the ip of the server ok thanks to the explicit rule allowing upd traffic sourced at port 53 back in.  however, it just hangs while transfering the http data since the established tcp session isn't allowed back in.

if I do:
               iptables -A INPUT -p tcp -j ACCEPT
then POOF, everything works.  Obviously this defeats the firewall though.

Thanks for your input.
echo "0" > /proc/sys/net/ipv4/ip_forward
 
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
# flush
iptables -F INPUT
iptables -F OUTPUT
 
# default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
 
# allow pinging
iptables -A INPUT -p icmp -j ACCEPT
 
# allow inputs to loopback
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
 
# all established
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
 
# dns
iptables -A INPUT -p udp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
 
# allow local lookups to work
iptables -A INPUT -p udp -i venet0 --sport 53 --dport 1024:65535 -j ACCEPT

Open in new window

0
Comment
Question by:weinberk
  • 8
  • 5
13 Comments
 
LVL 29

Expert Comment

by:fosiul01
ID: 24872044
it should be like this

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

0
 
LVL 15

Author Comment

by:weinberk
ID: 24872683
Thanks fosiul01, but I just tried that, and I got the same error message:
iptables: No chain/target/match by that name
 Is there something special that needs to be compiled into the kernel for this to work?  Or maybe there's some extra package that I need to install via apt-get?  Again the line worked at another provider without issue.
What does RELATED do anyway?
 
0
 
LVL 29

Accepted Solution

by:
fosiul01 earned 500 total points
ID: 24872715
i was going to tell you that

I belived there is some problem witih  OpenVZ and iptables
like my vps its openvz aswell, as soon as i put iptables rules, i cant access the server

so the vps company said not to use iptables!!!


some modules is not compiled with kernel or openvz does not support iptables
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 15

Author Comment

by:weinberk
ID: 24873151
What's nuts is that my other openvz provider has iptables working just fine.  Also ubuntu 8.04.  Nuts.
0
 
LVL 29

Assisted Solution

by:fosiul01
fosiul01 earned 500 total points
ID: 24873197
then i will say, to speak with your this openvz provider and ask them why those rules is not working
since its vps server you would do anything with kernel
0
 
LVL 15

Author Comment

by:weinberk
ID: 24873270
been there, done that.  clueless.  might be time to dump em.
0
 
LVL 29

Assisted Solution

by:fosiul01
fosiul01 earned 500 total points
ID: 24873324
ok have a look to this one

http://www.faqs.org/docs/iptables/commonproblems.html

its must of the modules is not installed in kernel

let me try to find out which module is needed for those rules, currently i forgot

but what your vps provider said/.??
0
 
LVL 15

Author Comment

by:weinberk
ID: 24873417
gimme a bit. I'm in the middle of doing an
apt-get upgrade ubuntu-minimum
to see if that makes a difference
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 24873432
but i thought in ubuntu you guys use something call fw rules ??

0
 
LVL 15

Author Comment

by:weinberk
ID: 24875449
I use iptables.
0
 
LVL 15

Author Comment

by:weinberk
ID: 24875453
I spoke with the provider who "installed some modules on the host"  Now it works.  Trying to get details on exactly what was done.
thanks all for the input.
0
 
LVL 15

Author Closing Comment

by:weinberk
ID: 31604322
Thanks for the help.
0
 
LVL 15

Author Comment

by:weinberk
ID: 24878707
The provider said that they added
xt_tcpudp and ip_conntrack ip_conntrack_enable_ve0=1  
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question