Using iptables Modules in Containers
Using iptables modules in Containers requires additional configuration on your part.
Configuring iptables Modules
To set the state of iptables modules for backup/restore or live migration, use the vzctl set <CT_ID> --netfilter <mode> command, where <mode> is stateless, stateful, or full (see the Notes below). If some of the iptables modules allowed for a Container are not loaded on the Hardware Node where that Container has been restored or migrated, they are loaded automatically when that Container starts. For example, the command
# vzctl set 101 --netfilter stateful --save
makes sure that all modules except the NAT-related ones are allowed for Container 101 and are loaded (if required) on the Hardware Node where the Container has been restored or migrated. The --save option writes the setting to the Container configuration file, so it survives restarts and migration.
Notes:
1. The default setting is stateless, which allows all modules except conntrack and the NAT-related ones. For more information, see the Parallels Cloud Server 6.0 Command Line Reference Guide.
2. To run Docker inside a Parallels Container, allow all iptables modules for that Container with the --netfilter full option. For details on configuring Docker in Parallels Cloud Server, see Creating and Configuring Docker-enabled Containers.
Using conntrack Rules and NAT Tables
By default, the NAT table and conntrack rules are disabled and cannot be used in Containers even if the corresponding modules are loaded on the server. To allow their use in a Container, run the vzctl set --netfilter full command. For example, for Container 101:
# vzctl set 101 --netfilter full --save
Because full grants a Container every iptables module, use it only for Containers that actually need NAT (for example, Docker-enabled ones) and keep the more restrictive stateless or stateful modes elsewhere.
To limit the maximum number of conntrack slots available to each Container on the Hardware Node, set the net.netfilter.nf_conntrack_max variable. For example:
# sysctl -w net.netfilter.nf_conntrack_max=50000
A value set with sysctl -w is lost on reboot; to make it persistent, add the same setting to /etc/sysctl.conf. The value of net.netfilter.nf_conntrack_max cannot exceed the value of net.nf_conntrack_max (see Using iptables Modules in Parallels Cloud Server).
Note: Even if a Container is under a DDoS attack and all its conntrack slots are in use, other Containers are not affected and can still create as many connections as set in net.netfilter.nf_conntrack_max.
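The following script is an added example and is not code from the Parallels Cloud Server guide. It ties the two procedures above together: it picks the least privileged --netfilter mode a Container needs (stateless by default, stateful when conntrack is required, full only when the NAT table is required, as for Docker), clamps a requested conntrack cap to the host-wide net.nf_conntrack_max, and prints the vzctl and sysctl commands an operator would run. The mode names and the two sysctl keys are the ones the guide uses; the function names, the fallback host limit and the sample sysctl data are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Parallels Cloud Server guide): choose the least
# privileged vzctl --netfilter mode for a Container, clamp its conntrack cap to
# the host-wide limit, and print the commands to run. Function names and the
# sample sysctl data below are constructed for this example.
set -u

# Least-privileged --netfilter mode. Arguments: needs_conntrack (0/1), needs_nat (0/1).
# Only "full" allows the NAT table, so a NAT requirement (e.g. Docker) forces it;
# conntrack alone is satisfied by "stateful"; otherwise keep the "stateless" default.
netfilter_mode_for() {
    needs_conntrack=$1
    needs_nat=$2
    if [ "$needs_nat" -eq 1 ]; then
        echo full
    elif [ "$needs_conntrack" -eq 1 ]; then
        echo stateful
    else
        echo stateless
    fi
}

# Look up an exact key in "key = value" text (saved `sysctl -a` output or
# /etc/sysctl.conf). Prints the last value seen, or an empty line if absent.
sysctl_value_from() {
    awk -v k="$1" -F'=' '
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == k) { v = $2; gsub(/[ \t]/, "", v) } }
        END { print v }' "$2"
}

# The per-Container net.netfilter.nf_conntrack_max cannot exceed the host-wide
# net.nf_conntrack_max. Prints the value to apply; exit status 1 means the
# request was lowered to the host limit.
conntrack_limit() {
    requested=$1
    host_max=$2
    if [ "$requested" -gt "$host_max" ]; then
        echo "$host_max"
        return 1
    fi
    echo "$requested"
}

# Print the commands an operator would run for Container $1.
# $2/$3: needs_conntrack/needs_nat flags; $4: requested conntrack slots;
# $5: file holding the host's current sysctl values.
plan_container() {
    ctid=$1
    mode=$(netfilter_mode_for "$2" "$3")
    host_max=$(sysctl_value_from net.nf_conntrack_max "$5")
    : "${host_max:=65536}"   # assumed fallback when the key is missing from the file
    limit=$(conntrack_limit "$4" "$host_max") || \
        echo "# requested $4 slots exceeds host net.nf_conntrack_max=$host_max; using $limit"
    echo "vzctl set $ctid --netfilter $mode --save"
    # conntrack is only usable in stateful/full mode, so a cap only matters there.
    if [ "$mode" != stateless ]; then
        echo "sysctl -w net.netfilter.nf_conntrack_max=$limit"
        echo "echo 'net.netfilter.nf_conntrack_max = $limit' >> /etc/sysctl.conf   # persist across reboot"
    fi
}

# Constructed sample of a host's sysctl output (not real data) for the demo.
SAMPLE_SYSCTL=${TMPDIR:-/tmp}/netfilter-demo.$$
printf '%s\n' 'net.nf_conntrack_max = 65536' \
              'net.netfilter.nf_conntrack_max = 50000' >"$SAMPLE_SYSCTL"

# Demo: Container 101 runs Docker (needs NAT) and asks for more slots than the host allows.
plan_container 101 1 1 80000 "$SAMPLE_SYSCTL"
```

The script only prints the commands; run them by hand after review, since `--netfilter full` widens the Container's kernel surface and the sysctl change applies to every Container on the node.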