[BlueOnyx:20474] 6108R: Iptables inside a VPS

Michael Stauber mstauber at blueonyx.it
Fri Jan 6 15:45:21 -05 2017


Hi all,

This is something just for Aventurin{e} 6108R users:

Recently we had some inconsistencies with Iptables usage inside OpenVZ
containers, especially with APF in mind. It turned out that some innards
of OpenVZ changed some time ago and access to Iptables modules is no
longer configured globally in vz.conf. Instead it's now configured
inside the config of each individual VPS.

Specifically, the config line ...

NETFILTER="..."

... specifies what access to Iptables modules a VPS might have. If not
present, it defaults to "stateless", which allows access to all modules
but NAT and conntrack, which is a bit of a problem.

The Netfilter settings can be applied to a VPS this way from the command
line of the node:

vzctl set 100 --netfilter full --save --setmode restart

That would allow VPS 100 full netfilter access.

The following options are supported:

- disabled
- stateless
- stateful
- full

The "--setmode restart" will restart the VPS, as this change requires a
restart.

I just published an updated base-vserver module for Aventurin{e} 6108R
which allows you to configure the Netfilter settings of VPSs via the GUI
under "VPS Basic Settings".

Please note: If you run a BlueOnyx OpenVZ VPS with APF installed, then
you will need to set Netfilter to "full" in order for APF to work correctly.

If a VPS is set to only allow "stateless" Iptables usage, then APF might
block certain outgoing connections such as SSH sessions to remote
destinations and it also might prevent mounting of external resources
via SSHfs.

-- 
With best regards

Michael Stauber
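As an added example (not part of the post above, and not code from BlueOnyx, Aventurin{e} or OpenVZ), the following POSIX sh script audits the NETFILTER= setting across OpenVZ container configs, applies the "stateless" default the post describes when the line is absent, validates the mode against the four documented values, and prints the vzctl command that would bring a container to the wanted mode without running it. It assumes the usual OpenVZ layout of one shell-style KEY="value" config per container at /etc/vz/conf/<CTID>.conf; the demo at the end writes constructed sample configs to a temporary directory so it runs offline on any box.

```shell
#!/bin/sh
# Added example: audit NETFILTER= in OpenVZ container configs (not OpenVZ's own tooling).
# Assumption: configs are shell-style KEY="value" files named /etc/vz/conf/<CTID>.conf.

# Effective netfilter mode of one config file: the (last) NETFILTER= value,
# with or without quotes, or "stateless", which OpenVZ uses when the line is absent.
netfilter_mode() {
    conf="$1"
    val=$(sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}.*$/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo stateless
    else
        echo "$val"
    fi
}

# Accept only the four modes vzctl documents; anything else is a typo or a stale value.
valid_mode() {
    case "$1" in
        disabled|stateless|stateful|full) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per container: "<CTID> <mode>", taken from every *.conf in the directory.
audit_dir() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        ctid=$(basename "$f" .conf)
        printf '%s %s\n' "$ctid" "$(netfilter_mode "$f")"
    done
}

# Dry run: print the vzctl command needed to move CTID to the wanted mode
# (default "full", what APF needs). Prints nothing and returns 1 when the
# container already has that mode; returns 2 on an invalid mode name.
fix_command() {
    ctid="$1"; conf="$2"; wanted="${3:-full}"
    if ! valid_mode "$wanted"; then
        echo "invalid netfilter mode: $wanted" >&2
        return 2
    fi
    if [ "$(netfilter_mode "$conf")" = "$wanted" ]; then
        return 1
    fi
    echo "vzctl set $ctid --netfilter $wanted --save --setmode restart"
}

# Offline demo on constructed sample configs (not copied from any real node).
demo() {
    dir=$(mktemp -d)
    printf 'ONBOOT="yes"\nNETFILTER="full"\n'     > "$dir/100.conf"
    printf 'ONBOOT="yes"\nNETFILTER="stateful"\n' > "$dir/101.conf"
    printf 'ONBOOT="yes"\n'                       > "$dir/102.conf"   # no NETFILTER line
    echo "# CTID mode"
    audit_dir "$dir"
    echo "# commands needed for APF (mode full):"
    for f in "$dir"/*.conf; do
        fix_command "$(basename "$f" .conf)" "$f" full || true
    done
    rm -rf "$dir"
}

demo
```

Run it on a node with the real directory by replacing the temporary one in demo with /etc/vz/conf; the printed vzctl lines can be piped to sh once reviewed. Note that 102 reports "stateless" even though its config says nothing about Netfilter, which is exactly the case that breaks APF.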
