Loading iptables Modules to Containers
The set of iptables modules loaded into a Container by default is determined by the iptables modules loaded on the server at the moment of the Container startup. For example, if your server has the ipt_REJECT, ipt_tos, ipt_limit, ipt_multiport, and iptable_filter modules loaded, any Container on this server will also have these iptables modules loaded after its startup.
However, Parallels Server Bare Metal allows you to prevent certain modules from being loaded inside a Container on its startup, even if they are loaded on the server itself. The full list of such iptables modules is given below:
- ip_table
- ip6_table
- iptable_filter
- ip6table_filter
- iptable_mangle
- ip6table_mangle
- ip_conntrack
- ip_conntrack_ftp
- ip_conntrack_irc
- iptable_nat
- ip_nat_ftp
- ip_nat_irc
To forbid the usage of any of the aforementioned iptables modules inside a Container, you explicitly indicate the names of the modules you wish to be loaded into the Container as the value of the IPTABLES parameter in the Container configuration file (/etc/vz/conf/<CT_ID>.conf) or by using the pctl command. For example:
# pctl set 101 --iptables ip_table --iptables iptable_filter --iptables ip_conntrack --iptables iptable_nat --iptables iptable_mangle --save
This command will tell Parallels Server Bare Metal to:
- load the ip_table, iptable_filter, ip_conntrack, iptable_nat, and iptable_mangle modules into Container 101 if they are loaded on the server during the Container startup
- forbid the usage of all the other iptables modules listed above (i.e. ip6_table, ip6table_filter, ip6table_mangle, ip_conntrack_ftp, ip_conntrack_irc, ip_nat_ftp, ip_nat_irc) inside Container 101 even if they are loaded on the server during the Container startup
This information will also be saved in the Container configuration file thanks to the --save option.
Loading a new set of iptables modules does not happen on the fly. You must restart the Container for the changes to take effect.
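The two rules above (a module reaches the Container only if it is loaded on the server at startup, and, once IPTABLES is set, only if it is also named there) are easy to get wrong when reviewing a Container's configuration. The following POSIX shell script is an added example written for this page, not code from the Parallels product: it takes a sample of lsmod output (constructed here; on a real server you would run lsmod) and an intended IPTABLES value, and reports which modules the Container will actually receive, which loaded modules IPTABLES keeps out, and the pctl command that applies the setting. The function names and the sample module sizes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Parallels documentation.
# Rule modelled: a module is loaded into the Container only if it is loaded
# on the server at Container startup AND (when IPTABLES is set) listed in IPTABLES.
# Modules not in RESTRICTABLE (e.g. ipt_REJECT) are inherited unconditionally.

# Modules the IPTABLES parameter can restrict (the list given on this page).
RESTRICTABLE="ip_table ip6_table iptable_filter ip6table_filter iptable_mangle ip6table_mangle ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp ip_nat_irc"

# Constructed sample of lsmod output on the server (sizes are made up).
SAMPLE_LSMOD="Module                  Size  Used by
ip_nat_ftp             12345  0
iptable_nat            23456  1 ip_nat_ftp
ip_conntrack_ftp       12345  1 ip_nat_ftp
ip_conntrack           45678  3 ip_nat_ftp,iptable_nat,ip_conntrack_ftp
iptable_filter         12345  1
ip_table               34567  2 iptable_nat,iptable_filter
ipt_REJECT             12345  2"

# loaded_modules LSMOD_TEXT -> module names, one per line (header row skipped)
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# in_list WORD LIST -> success if WORD is one of the space-separated LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# effective_modules LSMOD_TEXT IPTABLES_VALUE
# Prints, space-separated, the modules the Container will have loaded.
# An empty IPTABLES_VALUE means the parameter is unset: the Container then
# inherits every module loaded on the server.
effective_modules() {
    result=""
    for m in $(loaded_modules "$1"); do
        if [ -n "$2" ] && in_list "$m" "$RESTRICTABLE" && ! in_list "$m" "$2"; then
            continue   # restrictable module not named in IPTABLES: kept out
        fi
        result="$result $m"
    done
    printf '%s' "${result# }"
}

# forbidden_modules LSMOD_TEXT IPTABLES_VALUE
# Prints the server-loaded modules that IPTABLES keeps out of the Container.
forbidden_modules() {
    result=""
    if [ -z "$2" ]; then
        return 0
    fi
    for m in $(loaded_modules "$1"); do
        if in_list "$m" "$RESTRICTABLE" && ! in_list "$m" "$2"; then
            result="$result $m"
        fi
    done
    printf '%s' "${result# }"
}

# pctl_command CT_ID IPTABLES_VALUE -> pctl invocation that sets and saves the parameter
pctl_command() {
    cmd="pctl set $1"
    for m in $2; do
        cmd="$cmd --iptables $m"
    done
    printf '%s --save' "$cmd"
}

# Demonstration with the selection this page uses for Container 101.
# iptable_mangle is requested but not loaded on the sample server, so it
# does not appear in the effective set.
WANTED="ip_table iptable_filter ip_conntrack iptable_nat iptable_mangle"
echo "Command:   $(pctl_command 101 "$WANTED")"
echo "Loaded:    $(effective_modules "$SAMPLE_LSMOD" "$WANTED")"
echo "Forbidden: $(forbidden_modules "$SAMPLE_LSMOD" "$WANTED")"
```

Run it as-is to see the sample result; to check a real server, replace SAMPLE_LSMOD with the output of lsmod and WANTED with the IPTABLES value from /etc/vz/conf/<CT_ID>.conf. Remember that the computed set only becomes real after the Container is restarted.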