by Omshivaprakash | Jun 3, 2011 | Gnu/Linux, linux, QuickFix, Security, Technical, Virtualization
Following error is noticed when you are running apf in the OpenVZ VM.
iptables: Unknown error 4294967295
Main reason for this error iptables support missing in OpenVZ.
Here are the quick steps to resolve this issue permanently:
1. Define which iptables modules are available for VEs.
a)
Edit /etc/sysconfig/iptables-config file on a OpenVZ hardware node:
IPTABLES_MODULES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”
b)
Edit /etc/sysconfig/vz file on a OpenVZ hardware node:
IPTABLES=”ipt_REJECT
ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”
Note:– iptables modules list in IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config files should be placed in one single line, no linebreaks is allowed in this parameter.
Restart OpenVZ server
# service vz restart
2. Increase ‘numiptent’ parameter for the VE you need to install APF into. This parameter limits the amount of iptables rules available for a VE. Default APF configuration requires ~400 rules. Lets set it to 400 in the example below for VE #101:
# vzctl set 101 --numiptent 400 --save
3. Start APF inside the VE:
# /etc/init.d/apf start
Tags: apf, iptables, OpenVZ
by Omshivaprakash | Jun 28, 2009 | Gnu/Linux, linux, QuickFix, Technical
While working with APF on servers, you might normally get to see the following error,
# apf -r
apf(2042): {glob} flushing & zeroing chain policies
apf(2042): {glob} firewall offline
apf(3179): {glob} activating firewall
apf(3284): {glob} unable to load iptables module (ip_tables), aborting.
apf(3179): {glob} firewall initalized
apf(3179): {glob} fast load snapshot saved
Your kernel is compiled with iptables statically instead of as a module, to resolve this you will need to change a small configuration in /etc/apf/conf.apf
SET_MONOKERN=”0″ Set it to “1″
Once this is done, restart apf to see the error vanishing.
SET_MONOKERN
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
by Omshivaprakash | Oct 30, 2008 | linux, QuickFix, Technical
Unable to block ips using iptables on your VPS? Is your APF installation failing to work?
[email protected] [~]# iptables -I INPUT -s 123.123.123.123 -j DROP
iptables: Memory allocation problem
Resolution:
If you’re using OpenVZ for virtualization, you might have exceeded the limit of ‘numiptent’ parameter value. You may check if there are non-zero failcounts for the ‘numiptent’ parameter inside VPS:
# egrep "failcnt|numiptent" /proc/user_beancounters
If you’re an admin with the access to hardware node, increase a bit parameter value using following command. (Following command won’t work inside the VPS node)
#vzctl set VPS_ID --save --numiptent NEW_BARRIER:NEW_LIMIT
This should resolve the issue.
Recent Comments