
We have set up IPv6 networking on openvz using bridged veth devices. The IPv6 traffic to and from the VEs works fine.

ip6tables works on the HN and iptables works on the VE. Inside the VE we can set up ip6tables rules without any error messages. They are completely ignored, however.

What additional configuration options are necessary for ip6tables to work?

poige
Carsten Thiel
  • Might be worth doing a `ip6tables -I INPUT -j LOG` and seeing if packets are actually hitting the filters. If they are, try adding similar lines throughout the filters (particularly after any expected drops) and see what gets logged to syslog. – Andy Smith Nov 30 '11 at 21:45
  • Make sure the iptables features you require are in the vz.conf file. – awmusic12635 Apr 08 '15 at 02:31
  • Is the service started? Does it need to be restarted for the changes to take effect? – Jeter-work Aug 30 '16 at 01:04
  • Did you verify that the iface you are using is seeing traffic in the old IPv4 iptables? Obscure abstraction layers can leave several "wrong" NICs in the system that seemingly do nothing. Gone are the days when you simply had eth0 for internet and eth1 for your internal LAN. – Zdenek Jun 18 '18 at 17:19

3 Answers

0

It seems you are using the containers under Proxmox, right? You should then check from the graphical interface in Proxmox that the network addresses are fine and known by PVE.
In some cases, PVE prevents the use of some iptables modules, e.g.:
FATAL: Could not load /lib/modules/4.15.18-1-pve/modules.dep: No such file or directory

Note: On Proxmox 5, OpenVZ containers will be converted to LXC; this might introduce some bias.

Fibo
-1

Make sure you are explicitly applying the rules to the venet0 interface.

Scott Mcintyre
-2

OpenVZ containers inherit the kernel and modules from the host node. Because of this, you can't load new kernel modules in an OpenVZ/LXC container. I would ensure that the host node has the ip6_tables kernel module either compiled into the kernel or loaded as a module.

This is a problem because OpenVZ is paravirtualization, meaning that it shares the same kernel with the host node. Because you share the same kernel as the other OpenVZ containers, you can't load modules into the kernel. With hardware virtual machines you get to run your own kernel and can then load/unload kernel modules, or compile your own kernel to use. The question linked below covers the differences in more detail.

What is the difference between Full, Para and Hardware assisted virtualization?

Sadly, when you only have access to the guest OpenVZ environment, determining whether the IPv6 iptables module is loaded can be a bit hard, as lsmod, /proc/modules, and /proc/config.gz often do not exist inside OpenVZ.

Because of this, you might just have to contact your provider, as someone with root access on the host node will have to load this kernel module for you.

Citizen Kepler